Date: Fri, 31 Oct 2014 12:12:12 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: freebsd-net@FreeBSD.org, freebsd-arch@FreeBSD.org
Subject: any reason not to enable IPDIVERT for ipfw module?
Message-ID: <20141031191212.GO8852@funkthat.com>

Can anyone think of a good reason not to enable IPDIVERT sockets in
the ipfw module?

And possibly enabling default to accept? That way you don't have to
go to the console when you load the ipfw module because you forgot to
auto-add the accept-all rule? :)

Something like:
==== //depot/projects/opencrypto/sys/modules/ipfw/Makefile#3 - /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile ====
--- /tmp/tmp.15774.16   2014-10-31 12:11:56.000000000 -0700
+++ /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile   2014-10-31 12:11:54.000000000 -0700
@@ -16,7 +16,10 @@
 #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
 #
 #If you want it to pass all packets by default
-#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
+CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
+#
+#If you want divert sockets
+CFLAGS+= -DIPDIVERT
 #
 
 .include <bsd.kmod.mk>
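Review bot: the second change in this hunk flips the module's fail-closed default; with `CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT` active, an ipfw.ko built from this Makefile passes all traffic until a ruleset is loaded, which is a different failure mode from the deny-by-default build it replaces. The comment above it, `#If you want it to pass all packets by default`, still reads as if the option were left to the builder; either reword it to state that the module is now built to accept by default, or keep that line commented out and leave the choice with whoever builds the module. The `-DIPDIVERT` addition does not change forwarding behaviour on its own and would be easier to review (and to revert separately) as its own commit.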

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."