From owner-freebsd-hackers Wed Jan 29 12:17:51 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA18935 for hackers-outgoing; Wed, 29 Jan 1997 12:17:51 -0800 (PST)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA18926 for ; Wed, 29 Jan 1997 12:17:47 -0800 (PST)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id MAA17869; Wed, 29 Jan 1997 12:17:10 -0800 (PST)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma017867; Wed Jan 29 12:16:42 1997
Received: (from archie@localhost) by bubba.whistle.com (8.7.5/8.6.12) id MAA24360; Wed, 29 Jan 1997 12:16:42 -0800 (PST)
From: Archie Cobbs
Message-Id: <199701292016.MAA24360@bubba.whistle.com>
Subject: Re: ipdivert & masqd
In-Reply-To: <199701291947.MAA12629@phaeton.artisoft.com> from Terry Lambert at "Jan 29, 97 12:47:25 pm"
To: terry@lambert.org (Terry Lambert)
Date: Wed, 29 Jan 1997 12:16:41 -0800 (PST)
Cc: archie@whistle.com, terry@lambert.org, ari.suutari@ps.carel.fi, brian@awfulhak.demon.co.uk, hackers@freebsd.org, cmott@srv.net
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > > Can I get a quick sanity check on something... the divert code is
> > > > programmed under the assumption that ip_input() and ip_output()
> > > > can never sleep (ie., no other packet can be treated before the
> > > > function returns). This is true, right?
> > >
> > > For the divert handler, you mean? Yes.
> >
> > Then I don't understand how ip_divert_ignore can ever be incorrectly
> > set (ie., non-zero)... if you look at ip_divert.c, you see the only
> > place that it is ever set to a non-zero value is before the outgoing
> > packet is delivered, via a call to either ip_input() or ip_output()
> > (in the function div_output()). Then it gets reset to zero after
> > either of these functions returns.
> >
> > Am I missing some subtlety in there?
>
> [ ... ]
>
> Actually, I think it's so the outbound packet doesn't get rediverted
> by that particular handler, but you *can* chain handlers. For instance,
> say I wanted to chain a cleanwall, a firewall, and an IP proxy server
> and they were all in separate divert modules.

Right! That is the purpose of this ip_divert_ignore hack -- for loop
avoidance. It allows you to send a packet back out via the divert socket
and simultaneously say "Don't divert *this* packet back into *this* socket".

The theory was that this loop avoidance was working too well, and seemed
to be applying to packets other than the one that it was supposed to.
What I'm trying to prove to myself is that this can't be happening.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
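As an added illustration (not the kernel's ip_divert.c, and not code from anyone in the thread), here is a toy C model of the ip_divert_ignore mechanism described above: the flag is set before the re-injected packet is pushed through the filter, the filter skips only the divert rule for that one socket, and the flag is cleared once the synchronous call returns. The rule chain, port numbers and function names are constructed for the example.

```c
/* Added illustration, not FreeBSD's ip_divert.c: a toy model of the
 * ip_divert_ignore loop-avoidance flag. The rule chain, port numbers
 * and function names below are constructed for this example. */
#include <stddef.h>

#define RULE_ACCEPT 0
#define RULE_DIVERT 1
struct rule { int action; unsigned short port; };
/* Constructed chain: two chained divert modules, then accept. */
static const struct rule chain[] = {
    { RULE_DIVERT, 1000 },      /* e.g. a firewall's divert socket  */
    { RULE_DIVERT, 2000 },      /* e.g. an IP proxy's divert socket */
    { RULE_ACCEPT, 0 },
};

/* Non-zero only while a re-injected packet is inside the synchronous
 * ip_input()/ip_output() call made from div_output(). */
static unsigned short ip_divert_ignore = 0;

/* Walk the chain for one packet; return the divert port that takes it,
 * or 0 if it is accepted. The divert rule whose port equals
 * ip_divert_ignore is skipped, so the socket that re-injected the
 * packet does not get it back, but other divert rules still see it. */
unsigned short ip_fw_chk(int pkt_id)
{
    size_t i;
    (void)pkt_id;               /* rule matching is not modelled */
    for (i = 0; i < sizeof(chain) / sizeof(chain[0]); i++) {
        if (chain[i].action != RULE_DIVERT)
            return 0;           /* RULE_ACCEPT ends the walk */
        if (chain[i].port == ip_divert_ignore)
            continue;           /* loop avoidance: skip own socket */
        return chain[i].port;
    }
    return 0;
}

/* Re-inject a packet written to the divert socket bound to `port`:
 * set the flag, run the filter to completion (it never sleeps, so no
 * other packet is filtered meanwhile), then clear the flag. */
unsigned short div_output(unsigned short port, int pkt_id)
{
    unsigned short next;
    ip_divert_ignore = port;
    next = ip_fw_chk(pkt_id);   /* stands in for ip_input()/ip_output() */
    ip_divert_ignore = 0;
    return next;
}

/* Lets a caller observe the flag between calls. */
unsigned short divert_ignore_now(void) { return ip_divert_ignore; }
```

Because the filter runs to completion inside div_output(), the flag is back to zero before any other packet can be filtered, which is the property the message above is trying to confirm.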