Date:      Fri, 16 Mar 2001 18:57:48 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Nick Rogness <nick@rogness.net>
Cc:        net@FreeBSD.ORG
Subject:   Re: natd divert injecting clarifications
Message-ID:  <20010316185748.D14036@sunbay.com>
In-Reply-To: <Pine.BSF.4.21.0103160842070.9691-100000@cody.jharris.com>; from nick@rogness.net on Fri, Mar 16, 2001 at 09:02:15AM -0600
References:  <20010316095627.C62097@sunbay.com> <Pine.BSF.4.21.0103160842070.9691-100000@cody.jharris.com>

On Fri, Mar 16, 2001 at 09:02:15AM -0600, Nick Rogness wrote:
> On Fri, 16 Mar 2001, Ruslan Ermilov wrote:
> 
> > Pretty much correct.
> > 
> > 1) kernel sends packet to divert socket
> > 2) natd reads from divert socket
> > 3) natd screws with it
> > 4) natd writes the packet to divert socket; the packet
> >    is treated as a completely new entity
> > 5) divert socket's output routine reinjects the packet
> >    back "into the normal kernel IP packet processing", not into
> >    firewall
> 
> 	Hmm. You pass it a 'tag' which, I thought, is the ipfw 
> 	rule number of the firewall after which rule processing should
> 	restart.  I think I understand your point though.
> 
I wanted to point out to you that div_output() (netinet/ip_divert.c) does not
call IPFW directly; it is passed a tag from the user process, and it then
calls either ip_input() or ip_output() depending on whether a packet
was written as incoming or outgoing; it is ip_input() or
ip_output() that checks with IPFW.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
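
The read/write cycle described in this message, as an added C example that is not part of the original e-mail and is not natd's code. It follows the divert(4) convention that a packet written with INADDR_ANY is treated as outgoing and any other address as incoming; the helper names, the use of port 8668 and the treatment of sin_port as an opaque tag are assumptions of the example.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

enum reinject_path { VIA_IP_OUTPUT, VIA_IP_INPUT };

/* Hypothetical helper: which kernel path a packet written with this
 * sockaddr takes. Per divert(4): INADDR_ANY = outgoing, else incoming. */
enum reinject_path reinject_path_for(const struct sockaddr_in *sa)
{
    return sa->sin_addr.s_addr == htonl(INADDR_ANY) ? VIA_IP_OUTPUT
                                                    : VIA_IP_INPUT;
}

/* The tag (ipfw rule number) travels in sin_port; kept opaque here. */
unsigned tag_of(const struct sockaddr_in *sa) { return sa->sin_port; }

/* One pass of steps 2-4: read a diverted packet, optionally rewrite it,
 * and write it back with the SAME sockaddr so direction and tag survive.
 * Returns the number of bytes written, or -1 on error. */
ssize_t divert_relay_once(int fd)
{
    unsigned char pkt[65535];
    struct sockaddr_in sa;
    socklen_t salen = sizeof(sa);
    ssize_t n = recvfrom(fd, pkt, sizeof(pkt), 0,
                         (struct sockaddr *)&sa, &salen);
    if (n < 0)
        return -1;
    /* Address translation of pkt would happen at this point. */
    return sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&sa, salen);
}

int main(void)
{
#ifdef IPPROTO_DIVERT /* only on systems that provide divert sockets */
    struct sockaddr_in bind_sa;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    memset(&bind_sa, 0, sizeof(bind_sa));
    bind_sa.sin_family = AF_INET;
    bind_sa.sin_port = htons(8668); /* assumed divert port for the example */
    if (fd < 0 || bind(fd, (struct sockaddr *)&bind_sa, sizeof(bind_sa)) < 0)
        return 1;
    while (divert_relay_once(fd) >= 0)
        ;
#endif
    return 0;
}
```

Because the sockaddr is handed back unchanged, the kernel side decides between ip_input() and ip_output(), and the firewall check happens there rather than in the divert write itself.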
