From: Gleb Smirnoff <glebius@freebsd.org>
Date: Thu, 2 Dec 2004 16:40:41 +0300
To: andre@freebsd.org
Cc: net@freebsd.org
Subject: Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5
Message-ID: <20041202134041.GB32699@cell.sick.ru>
In-Reply-To: <200412021322.iB2DMxLj066304@freefall.freebsd.org>
References: <200412021322.iB2DMxLj066304@freefall.freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Andre,

what is the reason for these two checks in ip_output():

    if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
            /* Honour the ipfw fwd tag: replace the route destination
             * with the tagged next hop and route the packet again. */
            dst = (struct sockaddr_in *)&ro->ro_dst;
            bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
            m->m_flags |= M_SKIP_FIREWALL;
            m_tag_delete(m, fwd_tag);
            goto again;
    } else {
            /* Source is local or destination is on a connected
             * network: drop the fwd tag and route normally. */
            m_tag_delete(m, fwd_tag);
            /* Continue. */
    }

Investigating pre-PFIL_HOOKS ipfw, I have not found any analog of this check.

These checks do break some useful functionality:

1) policy routing of hosts from connected networks
2) policy routing of locally originated traffic

The second one is used very widely. When you have lines to two ISPs and run natd for both of them, you policy route NATed packets to them.

P.S. kern/73129, kern/73910, kern/71910

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
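The following is an added example, not code from the email or from the FreeBSD source tree: a small user-space C model of the condition quoted above, to make visible which (source, destination) pairs cause ip_output() to discard the ipfw fwd tag. The interface table, the addresses and the two helpers sim_in_localip()/sim_in_localaddr() are constructed, simplified stand-ins for the kernel's in_localip() and in_localaddr() (own-address match and directly-connected-subnet match respectively); they are not the kernel implementations.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed local-interface table (hypothetical addresses, not from the email):
 * a LAN and two ISP uplinks, the multi-homed natd setup the email describes. */
struct local_if { uint32_t addr; uint32_t mask; const char *name; };
static const struct local_if localifs[] = {
    { 0xC0A80101u, 0xFFFFFF00u, "LAN   192.168.1.1/24" },
    { 0xCB007101u, 0xFFFFFF00u, "ISP A 203.0.113.1/24" },
    { 0xC6336401u, 0xFFFFFF00u, "ISP B 198.51.100.1/24" },
};
#define NLOCAL (sizeof(localifs) / sizeof(localifs[0]))

/* Parse a dotted quad into a host-order uint32_t; returns 0 on malformed input. */
uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Simplified stand-in for in_localip(): is the address one of our own? */
bool sim_in_localip(uint32_t ip) {
    for (size_t i = 0; i < NLOCAL; i++)
        if (localifs[i].addr == ip)
            return true;
    return false;
}

/* Simplified stand-in for in_localaddr(): is the address on a directly
 * connected network (same subnet as one of our interfaces)? */
bool sim_in_localaddr(uint32_t ip) {
    for (size_t i = 0; i < NLOCAL; i++)
        if ((localifs[i].addr & localifs[i].mask) == (ip & localifs[i].mask))
            return true;
    return false;
}

/* The ip_output() condition as quoted in the email: the fwd tag is honoured
 * only when BOTH tests are false. In every other case the tag is deleted and
 * the packet takes the ordinary routing-table path. */
bool fwd_tag_honored(uint32_t src, uint32_t dst) {
    return !sim_in_localip(src) && !sim_in_localaddr(dst);
}

int main(void) {
    /* Constructed cases; 192.0.2.10 stands in for an arbitrary remote host. */
    const struct { const char *what, *src, *dst; } cases[] = {
        { "transit: remote src, remote dst",            "10.0.0.5",     "192.0.2.10"   },
        { "locally originated, NATed to ISP A address", "203.0.113.1",  "192.0.2.10"   },
        { "LAN host to host on ISP A's connected net",  "192.168.1.50", "203.0.113.50" },
        { "LAN host to remote dst",                     "192.168.1.50", "192.0.2.10"   },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        bool ok = fwd_tag_honored(ip4(cases[i].src), ip4(cases[i].dst));
        printf("%-46s: fwd %s\n", cases[i].what,
               ok ? "applied (re-routed to tagged next hop)"
                  : "ignored (tag deleted, normal routing)");
    }
    return 0;
}
```

Running it shows the two failure modes from the email in this model: the locally originated packet (source is one of our own addresses) and the packet whose destination lies on a connected network both lose their fwd tag, while pure transit traffic is policy-routed as intended.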