From owner-freebsd-hackers Sun Jul 13 01:52:25 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id BAA11663 for hackers-outgoing; Sun, 13 Jul 1997 01:52:25 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA11658 for ; Sun, 13 Jul 1997 01:52:21 -0700 (PDT)
Message-Id: <199707130852.BAA11658@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA076603306; Sun, 13 Jul 1997 18:41:46 +1000
From: Darren Reed
Subject: Re: ipfw rules processing order when DIVERTing
To: archie@whistle.com (Archie Cobbs)
Date: Sun, 13 Jul 1997 18:41:46 +1000 (EST)
Cc: julian@whistle.com, archie@whistle.com, owensc@enc.edu, freebsd-hackers@FreeBSD.ORG, ari.suutari@ps.carel.fi
In-Reply-To: <199707102329.QAA04387@bubba.whistle.com> from "Archie Cobbs" at Jul 10, 97 04:29:50 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Archie Cobbs, sie said:
> Yes! ``It could start processing at the next higher number.''
> I agree with that :-)
>
> The problem is that when the packet returns to the kernel from
> user-land, that bit of state that says "this packet has already
> seen rules 1-2000 (or whatever)" is lost, and you can't retrieve
> it. The only way to do this would be for the user-land process
> to send back some additional info that says "skip to rule 2000".
>
> Doable, but .. not very pretty?

what if the packet is changed enough to make the outcome of starting
at N+1 different to starting at 1 ?
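
The question raised in the reply, as a small simulation. This is an added example, not part of the original message and not ipfw code: the rule numbers, the addresses, the first-match model and the `daemon_rewrite` helper are all constructed assumptions. It shows one rule set where a source rewrite in user-land makes the verdict depend on where processing resumes.

```python
import ipaddress

# Constructed rule set (not real ipfw syntax): (number, action, match predicate).
INSIDE = ipaddress.ip_network("10.0.0.0/8")
PUBLIC = "203.0.113.1"  # constructed public address of the gateway

RULES = [
    # Anti-spoofing: drop anything claiming the gateway's own address as source.
    (500, "deny", lambda p: p["src"] == PUBLIC),
    # Hand inside traffic to the user-land daemon.
    (1000, "divert", lambda p: ipaddress.ip_address(p["src"]) in INSIDE),
    (2000, "allow", lambda p: True),
]

def daemon_rewrite(pkt):
    """Hypothetical user-land daemon: NAT-style source rewrite."""
    return dict(pkt, src=PUBLIC)

def evaluate(pkt, start_after=0):
    """First-match walk over rules numbered above start_after."""
    for num, action, match in sorted(RULES, key=lambda r: r[0]):
        if num > start_after and match(pkt):
            return action, num
    return "deny", 65535  # constructed default rule

def process(pkt, resume):
    """resume='next' re-enters at N+1, resume='first' re-enters at rule 1.
    Returns (verdict, [(rule, action), ...])."""
    trace, start = [], 0
    for _ in range(len(RULES) + 1):  # bound the number of re-injections
        action, num = evaluate(pkt, start)
        trace.append((num, action))
        if action != "divert":
            return action, trace
        pkt = daemon_rewrite(pkt)  # packet comes back modified
        start = num if resume == "next" else 0
    return "deny", trace  # loop guard: packet kept matching a divert rule

if __name__ == "__main__":
    pkt = {"src": "10.0.0.5", "dst": "198.51.100.7"}  # constructed packet
    for mode in ("next", "first"):
        print(mode, process(pkt, mode))
```

Resuming at N+1 lets the rewritten packet bypass rule 500 and reach the allow rule, while restarting at rule 1 applies rule 500 to the rewritten source and drops it.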