Date: Tue, 15 Jul 2003 17:07:44 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: clarification on /etc/rc.firewall ("in via ..." commands etc.)
Message-ID: <3F149750.3000301@tenebras.com>
In-Reply-To: <20030715170059.A43216@xorpc.icir.org>
References: <20030715170059.A43216@xorpc.icir.org>
Luigi Rizzo wrote:
> Hi,
> I was looking at /etc/rc.firewall, and noticed that there is a
> number of rules with "... in via $ifname".
>
> Looking at the ipfw1 code:
> + "in" only matches if a packet has a receive interface associated with it.
>
> + "via $ifname" matches
>   1) the xmit interface if one is associated with the packet, or
>   2) the receive interface if one is associated with the packet, or
>   3) it fails if no interfaces are associated with the packet.
>
> So, my first question is where in our protocol stack we can have
> packets with neither receive nor xmit interfaces;
>
> The second question is whether the sequence "in via $ifname"
> should be replaced by "in recv $ifname" (which in my opinion
> makes it more clear which traffic is being matched).

On a slightly tangential note, isn't it still the case that a packet that has been returned by natd (or any divert daemon) has lost any knowledge of its "in recv" interface?
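The following is an added model, not code from either poster or from ipfw itself: it implements the "in", "via" and "recv" matching semantics exactly as the quoted message describes them and runs them over constructed sample packets (interface names fxp0/fxp1 and the divert case are assumptions for illustration), so the reader can see where "in via $ifname" and "in recv $ifname" agree and where they do not.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The interfaces a packet carries, per the quoted description.
    Either may be None; the constructed samples below cover each case."""
    recv: Optional[str]   # receive interface, if one is associated
    xmit: Optional[str]   # transmit interface, if one is associated


def match_in(pkt: Packet) -> bool:
    """'in' matches only if the packet has a receive interface."""
    return pkt.recv is not None


def match_via(pkt: Packet, ifname: str) -> bool:
    """'via ifname': the xmit interface or the receive interface, whichever
    is associated; a packet with no interfaces at all never matches."""
    if pkt.xmit is not None and pkt.xmit == ifname:
        return True
    if pkt.recv is not None and pkt.recv == ifname:
        return True
    return False


def match_recv(pkt: Packet, ifname: str) -> bool:
    """'recv ifname' looks at the receive interface only."""
    return pkt.recv == ifname


# Constructed sample packets (assumed interface names, not captured traffic).
# The last one reflects the question about divert-reinjected packets.
SAMPLES: Dict[str, Packet] = {
    "inbound on fxp0": Packet(recv="fxp0", xmit=None),
    "locally generated, out fxp0": Packet(recv=None, xmit="fxp0"),
    "forwarded fxp1 -> fxp0, both interfaces": Packet(recv="fxp1", xmit="fxp0"),
    "reinjected by a divert daemon, no interfaces": Packet(recv=None, xmit=None),
}


def compare(ifname: str) -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (matches 'in via ifname', matches 'in recv ifname')}."""
    return {
        label: (match_in(p) and match_via(p, ifname),
                match_in(p) and match_recv(p, ifname))
        for label, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (via, recv) in compare("fxp0").items():
        print(f"{label:45s} in via fxp0={via!s:5s} in recv fxp0={recv}")
```

Under the description as quoted, the two spellings differ only for a packet that carries both interfaces with the xmit side matching; a packet stripped of both interfaces matches neither, which is the situation the tangential question raises.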