Date: Mon, 5 May 1997 11:12:33 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: nnd@info.itfs.nsk.su (Nickolay N. Dudorov)
Cc: current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: divert still broken?
Message-ID: <199705051812.LAA05845@bubba.whistle.com>
In-Reply-To: <5kf0m1$s96@news.itfs.nsk.su> from "Nickolay N. Dudorov" at "May 3, 97 09:31:45 am"
[ cc'ing this to freebsd-hackers as well ]

> > it is broken..
> > garret broke it and we have yet to fix it...
>
> Maybe it is possible not only to "unbreak" it but to
> slightly extend its functionality/usability (not really
> IPDIVERT but 'ipfw' functionality)?
>
> It seems to me that IP-traffic monitoring/accounting
> can be made more convenient with ipfw rules of the type
>
>     add 5000 tee 98 ip from some.net/24 to any out via interf0
>
> which will differ from
>
>     add 5000 divert 98 ip from some.net/24 to any out via interf0
>
> in not only diverting (copies of) packets to socket 98 but also in allowing
> the usual processing of these packets (by the next ipfw rules and
> normal routing).
>
> In this case my (yet to be written) monitoring/accounting
> program will just read packets from the (read-only?) divert socket 98
> without bothering to return packets back to the kernel.

Sounds like a good idea :-)

I'm doing some more work on ipfw and divert to solve a need we have...
and planning on making these changes (how much gets checked in is to be
determined later by group consensus, but a patch will be available):

- Add an "ipfw tee XX" command as described above
- Add an "ipfw skipto XX" command to skip forward to rule number XX
  (skipping backwards not allowed!)
- Allow rules to have the form:

      1000 deny ip from any to any in via ed0 out via ed1

  so you can filter routed packets by both incoming AND outgoing interface.
- When a reject rule applies to an incoming TCP packet, send the
  appropriate TCP response packet (i.e., RST) instead of an ICMP port
  unreachable.

These changes are being based on the RELENG_2_2 code; once they are
working I'll try to get -current working again as well.
The main goal of these changes is:

- Make existing filtering rules run no slower than they would without
  the changes

Also:

- Simplify the ip_fw_chk() function call interface

Thanks,
-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
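As an added example, not code from this thread or from FreeBSD, here is the read-only accounting program the quoted message sketches: it binds the divert socket that a `tee 98` rule feeds and counts packets and bytes per source address without ever writing a packet back. The divert port 98 is taken from the rules above; the host table size and the sample packets are constructed assumptions, and on a system without divert(4) the program just runs the constructed sample.

```c
/* Read-only accounting for a divert socket fed by an "ipfw tee" rule.
 * With tee the kernel keeps forwarding the original packet, so this
 * program only reads the copy and never reinjects anything. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_HOSTS 64                  /* assumed table size for the demo */
struct acct { uint32_t src; unsigned long pkts, bytes; };
static struct acct table[MAX_HOSTS];
static int nhosts;

/* Account one raw IPv4 packet as delivered by the divert socket.
 * Returns the IP total length, or -1 if the buffer is not a sane IPv4 packet. */
int account_packet(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t totlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || totlen < ihl || totlen > len) return -1;
    uint32_t src;
    memcpy(&src, pkt + 12, 4);        /* source address, network byte order */
    for (int i = 0; i < nhosts; i++)
        if (table[i].src == src) { table[i].pkts++; table[i].bytes += totlen; return (int)totlen; }
    if (nhosts < MAX_HOSTS) { table[nhosts].src = src; table[nhosts].pkts = 1; table[nhosts].bytes = totlen; nhosts++; }
    return (int)totlen;
}

/* Bytes accumulated for a dotted-quad source address; 0 if never seen. */
unsigned long bytes_for(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return 0;
    for (int i = 0; i < nhosts; i++)
        if (table[i].src == a.s_addr) return table[i].bytes;
    return 0;
}

/* Constructed sample: three IPv4 packets (zero-filled payloads) and one
 * junk buffer; returns how many were accounted (3). */
int run_sample(void)
{
    unsigned char a[60]  = { 0x45, 0, 0, 60,  0,0,0,0, 64, 6,  0,0, 10,1,2,3, 192,0,2,1 };
    unsigned char b[100] = { 0x45, 0, 0, 100, 0,0,0,0, 64, 6,  0,0, 10,1,2,3, 192,0,2,1 };
    unsigned char c[40]  = { 0x45, 0, 0, 40,  0,0,0,0, 64, 17, 0,0, 10,1,2,4, 192,0,2,1 };
    unsigned char bad[8] = { 0x60 };  /* IPv6 version nibble and too short: rejected */
    int n = 0;
    n += account_packet(a, sizeof a) > 0;  n += account_packet(b, sizeof b) > 0;
    n += account_packet(c, sizeof c) > 0;  n += account_packet(bad, sizeof bad) > 0;
    return n;
}

int main(void)
{
#ifdef IPPROTO_DIVERT                 /* FreeBSD divert(4): bind divert port 98 */
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(98) };
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) return 1;
    unsigned char buf[65535];
    for (;;) { ssize_t n = recv(s, buf, sizeof buf, 0); if (n > 0) account_packet(buf, (size_t)n); }
#else
    fputs("no divert(4) here; running the constructed sample\n", stderr);
    run_sample();
    for (int i = 0; i < nhosts; i++)
        printf("%08x %lu pkts %lu bytes\n", ntohl(table[i].src), table[i].pkts, table[i].bytes);
    return 0;
#endif
}
```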