Date: Thu, 15 Aug 2002 10:49:22 -0700 (PDT)
From: Julian Elischer <julian@elischer.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: RFC: new mbuf flag bit needed
Message-ID: <Pine.BSF.4.21.0208151042200.27476-100000@InterJet.elischer.org>
In-Reply-To: <20020815000720.B24495@iguana.icir.org>

On Thu, 15 Aug 2002, Luigi Rizzo wrote:

> [Bcc to -arch in case they have some comments]
>
> Hi,
> we have the following problem: both ipfw and ipfw2 can sometimes
> generate new packets (e.g. in response to an "unreach" or "reset"
> action, or simply keepalives) which in turn get reinjected in the
> stack and the firewall itself, starting from the beginning. This
> has the potential of causing loops, unless we break them in some
> way.

A bit to force non testing in a firewall might be useful in other places..
I'd however like to float an idea that maybe there should be more
specific bits for input and output processing.

for example a 'fwd' packet that has been forwarded out from the input
filter needs to bypass the output filter.. your bit could be used for
that. I am just wondering if a separate 'input' and 'output' filtering
bit may be a worthwhile aim..

anyhow these are IP specific items so what I suggest is instead, that we
define 4 or so "protocol family specific" bits that are reserved for
protocol use. and allow each protocol family to define their own use for
them. you could then define bits for input-filter bypass, output filter
bypass, input-from-divert etc.