From owner-freebsd-hackers Thu Jul 10 15:06:42 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA01516 for hackers-outgoing; Thu, 10 Jul 1997 15:06:42 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA01508 for ; Thu, 10 Jul 1997 15:06:37 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id PAA08748; Thu, 10 Jul 1997 15:04:41 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma008746; Thu Jul 10 15:04:20 1997
Received: (from archie@localhost) by bubba.whistle.com (8.8.5/8.6.12) id PAA03534; Thu, 10 Jul 1997 15:04:20 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199707102204.PAA03534@bubba.whistle.com>
Subject: Re: ipfw rules processing order when DIVERTing
In-Reply-To: from Charles Owens at "Jul 10, 97 12:27:22 pm"
To: owensc@enc.edu (Charles Owens)
Date: Thu, 10 Jul 1997 15:04:19 -0700 (PDT)
Cc: freebsd-hackers@FreeBSD.ORG, ari.suutari@ps.carel.fi
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> If I take this as literally as I can, I interpret it as follows
>
> * Rules before divert rule processed
> * Divert rule ships all packets not dropped by above rules
>   to natd for address translation
> * Packets return from natd and are then subjected to ALL rules,
>   except this time divert rule is skipped

This is correct.

> This is somewhat counter-intuitive to me. If this is how it works, what is
> the reason for this design, since, as I think about it, there must be a
> performance penalty to this approach (multiple passes of rules). I had

There are two reasons for this...

1. The new packet (post-diversion) may be different from the old packet (pre-diversion), so it should be checked again to insure that it doesn't avoid any rules that apply to it.

2. It's a lot easier to code this way :-)

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
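An added illustration of the two-pass behaviour confirmed in the reply above (example code written for this page, not part of the original thread and not ipfw or natd code): a small Python model of the rule walk in which a divert rule hands the packet to a stand-in for natd's redirect and the translated packet re-enters the whole list with the divert rule skipped. All addresses and the rule set are constructed for the example; the `recheck=False` mode is the hypothetical single-pass variant, included only to show what rule 150 would miss without the re-check.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

# Constructed sample addresses (not from the thread): the firewall's public
# address and the internal host that the natd stand-in redirects traffic to.
PUBLIC_IP = "198.51.100.1"
INTERNAL_HOST = "10.0.0.10"

def natd_inbound(pkt):
    """Stand-in for natd: rewrite the public destination to the internal host."""
    return replace(pkt, dst=INTERNAL_HOST) if pkt.dst == PUBLIC_IP else pkt

# Rules in ipfw order: (number, action, predicate-or-translator).
# Rule 150 can only ever match the *translated* packet, so it relies on the
# post-divert pass over all rules that the reply above describes.
RULES = [
    (100, "allow",  lambda p: p.proto == "icmp"),
    (150, "deny",   lambda p: p.proto == "tcp" and p.dst == INTERNAL_HOST and p.dport == 23),
    (200, "divert", natd_inbound),
    (65535, "allow", lambda p: True),
]

def walk(pkt, rules, recheck=True, _skip_divert=False):
    """Return (verdict, trace). recheck=True is the behaviour the thread
    describes: the translated packet re-enters the whole list and the divert
    rule is skipped. recheck=False only continues past the divert rule."""
    trace = []
    for i, (num, action, pred) in enumerate(rules):
        if action == "divert":
            if _skip_divert:
                continue
            translated = pred(pkt)
            trace.append((num, "divert"))
            rest_rules = rules if recheck else rules[i + 1:]
            verdict, rest = walk(translated, rest_rules, recheck, _skip_divert=True)
            return verdict, trace + rest
        if pred(pkt):
            trace.append((num, action))
            return action, trace
    return "deny", trace  # implicit default when nothing matches

def telnet_to_public():
    """Constructed inbound telnet packet aimed at the firewall's public address."""
    return Packet("tcp", "203.0.113.5", PUBLIC_IP, 23)
```

With the re-check, the telnet packet is denied by rule 150 on the second pass; without it, the same packet reaches the final allow because rule 150 saw only the untranslated destination.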