Date: Thu, 15 Aug 2002 10:49:22 -0700 (PDT)
From: Julian Elischer
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: RFC: new mbuf flag bit needed
In-Reply-To: <20020815000720.B24495@iguana.icir.org>

On Thu, 15 Aug 2002, Luigi Rizzo wrote:

> [Bcc to -arch in case they have some comments]
>
> Hi,
> we have the following problem: both ipfw and ipfw2 can sometimes
> generate new packets (e.g. in response to an "unreach" or "reset"
> action, or simply keepalives) which in turn get reinjected in the
> stack and the firewall itself, starting from the beginning. This
> has the potential of causing loops, unless we break them in some
> way.

A bit to force non-testing in a firewall might be useful in other places..
I'd however like to float an idea that maybe there should be more specific
bits for input and output processing.

For example a 'fwd' packet that has been forwarded out from the input filter
needs to bypass the output filter.. your bit could be used for that. I am just
wondering if a separate 'input' and 'output' filtering bit may be a worthwhile
aim.. Anyhow, these are IP-specific items, so what I suggest instead is that we
define 4 or so "protocol family specific" bits that are reserved for protocol
use, and allow each protocol family to define their own use for them. You
could then define bits for input-filter bypass, output-filter bypass,
input-from-divert etc.
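The loop Luigi describes, and the per-direction bypass bits Julian proposes, as an added C simulation that is not part of this thread and not FreeBSD's mbuf code (the flag names, the toy "reset everything" rule and the pipeline are all constructed for illustration):

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical layout: four bits of the mbuf flag word reserved for
 * protocol-family use; the IP family assigns its own meaning to two. */
#define M_PROTO1 (1u << 12)
#define M_PROTO2 (1u << 13)
#define M_PROTO3 (1u << 14)
#define M_PROTO4 (1u << 15)
#define M_IP_BYPASS_INFW  M_PROTO1   /* skip the input firewall pass  */
#define M_IP_BYPASS_OUTFW M_PROTO2   /* skip the output firewall pass */

struct pkt { uint32_t flags; };
enum dir { DIR_IN, DIR_OUT };

/* Toy firewall: every inspected packet matches a "reset" rule and spawns a
 * reply. Returns true if a reply was generated into *reply. When
 * mark_generated is set, the reply carries both bypass bits. */
static bool fw_filter(const struct pkt *p, enum dir d, bool mark_generated,
                      struct pkt *reply, int *inspections)
{
    uint32_t bypass = (d == DIR_IN) ? M_IP_BYPASS_INFW : M_IP_BYPASS_OUTFW;
    if (p->flags & bypass)
        return false;                 /* firewall skipped, nothing spawned */
    (*inspections)++;
    reply->flags = mark_generated ? (M_IP_BYPASS_INFW | M_IP_BYPASS_OUTFW) : 0;
    return true;
}

/* Inject one packet on the input path and follow every reply it spawns
 * through the output path. Returns the number of firewall inspections
 * before the stack goes quiet, or `limit` if the loop never terminates. */
static int run_pipeline(bool mark_generated, int limit)
{
    struct pkt cur = { 0 };
    enum dir d = DIR_IN;
    int inspections = 0;
    while (inspections < limit) {
        struct pkt next;
        if (!fw_filter(&cur, d, mark_generated, &next, &inspections))
            break;
        cur = next;          /* the generated reply is reinjected ... */
        d = DIR_OUT;         /* ... and leaves through the output filter */
    }
    return inspections;
}
```

Without the bypass bit the generated reply is re-inspected forever (the run hits the cap); with it the original packet is inspected once and the reply passes untouched.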