Date: Wed, 27 May 1998 19:38:17 -0700 From: Julian Elischer <julian@whistle.com> To: hackers@FreeBSD.ORG Cc: isp@FreeBSD.ORG Subject: Please test/check (IPFW/NATD) Message-ID: <356CCE19.3F54BC7E@whistle.com>
I have made some changes to the IPFW code that change slightly the semantics of IPFW. These changes are optional at present but should become standard soon and should eventually go back into -stable (2.2.x).

If you use IPFW you should check your rules to see if this affects you, as it might make the filter behave differently to what you expect. If you do not use divert sockets (e.g. NATD) then relax and go on your way.. if you DO, then read on...

The change is presently optional. You need the undocumented option IPFW_DIVERT_RESTART to make it happen, but it is our intention to make it standard after a while, so you should look at this.

The change is that in the normal situation, a packet that is re-injected after diversion will no longer go back to the beginning of the filter, but instead will restart at (after) the point that it was diverted. If no major processing has occurred before your divert rule then there is effectively no change... If your divert rule is a fair way into your filter set, then look at the rules beforehand and think about whether not running those a second time on the re-injected packet may create a security hole.

The reason for this change is that the original scheme was flawed in that you could not divert a packet twice. Doing so would lead to an infinite loop (for the packet). So, for example, the following was not possible:

[rules set 1]
divert for payload encryption
[rules set 2..]
divert for NATD
[rules set 3]

In the old scheme, the executed rules would be:

[set 1] encryption [set 1] [set 2] natd [set 1] encryption [set 1] (etc)

In the new scheme it is:

[set 1] encryption [set 2] natd [set 3]

I envision this becoming standard in a couple of weeks, and really it should go back to 2.2.x. In the common case (natd):

[rules set 1]
divert for NATD
[rules set 2]

the following should happen:

old: [set 1] natd [set 1] [set 2]
new: [set 1] natd [set 2]

If your ruleset REQUIRES set 1 to be run twice please let me know so I can work out the common scenarios. The example for natd says to put the natd rule at the beginning, so it should not affect people who followed this advice :-)

julian
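As an added illustration (not code from the post or from FreeBSD's ipfw), a small Python model of the rule walk that reproduces the old and new traces above. The two rule layouts are constructed from the post's examples, and the model assumes that in the old scheme only the divert rule that just handled the packet is skipped on re-injection, which is what the post's old-scheme trace implies.

```python
# Added example, not from the post or from FreeBSD's ipfw sources: a toy model
# of how ipfw walks a rule list when a packet is diverted and re-injected.
# Rule and set names are constructed to mirror the post's two layouts.

TWO_DIVERTS = [            # [set 1] encryption [set 2] natd [set 3]
    ("set 1", "filter"), ("encryption", "divert"),
    ("set 2", "filter"), ("natd", "divert"),
    ("set 3", "filter"),
]
NATD_ONLY = [              # [set 1] natd [set 2]
    ("set 1", "filter"), ("natd", "divert"), ("set 2", "filter"),
]

def walk(ruleset, divert_restart, max_steps=12):
    """Return the names of the rules a single packet visits, in order.

    divert_restart=False models the old scheme: a re-injected packet starts
    again at the first rule, and only the divert rule that just handled it is
    skipped (an assumption made to match the post's trace), so an earlier
    divert rule can capture it all over again.
    divert_restart=True models IPFW_DIVERT_RESTART: the packet continues at
    the rule after the one that diverted it.  If the walk exceeds max_steps
    a "loop" marker is appended instead of running forever.
    """
    trace, pc, last_divert = [], 0, None
    while pc < len(ruleset):
        if len(trace) >= max_steps:
            trace.append("loop")
            break
        if pc == last_divert:   # don't hand the packet back to the same socket
            pc += 1
            continue
        name, kind = ruleset[pc]
        trace.append(name)
        if kind == "divert":
            last_divert = pc
            pc = pc + 1 if divert_restart else 0
        else:
            pc += 1
    return trace

if __name__ == "__main__":
    for rs in (TWO_DIVERTS, NATD_ONLY):
        print("old:", " ".join(walk(rs, False)))
        print("new:", " ".join(walk(rs, True)))
```

Running it shows the old scheme looping on the two-divert layout while the new scheme passes each set exactly once, and on the natd-only layout it shows set 1 being run twice only under the old scheme.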