Date: Tue, 26 Oct 2004 11:19:16 -0700
From: Julian Elischer <julian@elischer.org>
To: John Hay <jhay@icomtek.csir.co.za>
Cc: Andre Oppermann <andre@freebsd.org>
Subject: Re: make buildkernel failed related to ip_divert module
Message-ID: <417E9524.4030609@elischer.org>
In-Reply-To: <20041026161757.GA77267@zibbi.icomtek.csir.co.za>
References: <417B128B.7080904@gddsn.org.cn> <20041024133045.40733f45@dolphin.local.net> <417D5E51.2060100@freebsd.org> <1098735588.41693.4.camel@server.mcneil.com> <417D6148.6050807@freebsd.org> <20041026063545.GA57014@zibbi.icomtek.csir.co.za> <417E4598.1090902@freebsd.org> <20041026161757.GA77267@zibbi.icomtek.csir.co.za>

John Hay wrote:

>>>Is there any harm in making IPFIREWALL_FORWARD default for the ipfw
>>>module? For that matter, why have a separate FORWARD option and not
>>>just have it as part of the standard firewall stuff?
>>>
>>>
>>The reason is simple. FORWARD modifies the entire ip_input(), ip_output()
>>and tcp_input() path. This is not something that should be in stock kernels
>>unless you want to use 'ipfw fwd' (which is only a minority).
>>
>>
>
>Ok, what about another module, called say ipfwfwd or something, that is
>ipfw compiled with forwarding? Then one can just load the one
>appropriate for you.
>

No, you misunderstood what he said. The IPFIREWALL_FORWARD option not only
modifies the ipfw module but also modifies the IP stack. A special ipfw
module would only have done half the change. I don't know how it would
fail... catastrophic or not, but it would definitely fail to work.