Date: Mon, 25 May 1998 03:37:49 -0700 (PDT) From: Julian Elischer <julian@FreeBSD.ORG> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG Subject: cvs commit: src/sys/conf options src/sys/netinet ip_divert.c ip_fw.c ip_input.c ip_output.c ip_var.h Message-ID: <199805251037.DAA04693@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
julian 1998/05/25 03:37:49 PDT
Modified files:
sys/conf options
sys/netinet ip_divert.c ip_fw.c ip_input.c
ip_output.c ip_var.h
Log:
Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.
The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)
To enable the new code use
option IPFW_DIVERT_RESTART
This should become the default as soon as people have looked at it a bit
Revision Changes Path
1.75 +3 -1 src/sys/conf/options
1.26 +43 -2 src/sys/netinet/ip_divert.c
1.84 +36 -1 src/sys/netinet/ip_fw.c
1.85 +25 -2 src/sys/netinet/ip_input.c
1.67 +9 -1 src/sys/netinet/ip_output.c
1.38 +10 -1 src/sys/netinet/ip_var.h
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805251037.DAA04693>