Date: Thu, 20 Apr 2006 15:59:14 +0300 (EEST)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: Ari Suutari <ari@suutari.iki.fi>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Getting kern/82724 (ipfw defaultroute/setnexthop) committed
Message-ID: <20060420154345.E79546@atlantis.atlantis.dp.ua>
In-Reply-To: <444732F8.4040006@suutari.iki.fi>
References: <444732F8.4040006@suutari.iki.fi>

Hello!

On Thu, 20 Apr 2006, Ari Suutari wrote:
> I have now been running two firewalls with
> patch included in kern/82724 since the pr was
> created (since June, 2005). Works ok, not a single panic
> or other problem.

I also think that both 'setnexthop' and 'defaultroute' are very useful
missing features. I'd even say that they are more significant omissions
than ignored "in/out/via any" (kern/95084). I'd like to see both of PRs
committed. It's really hard, e.g., to count and shape overall traffic via
interface if you're forwarding it there via several 'fwd' actions w/o
having 'setnexthop'.

I have just one question about 'setnexthop': does it actualize xmit
interface name? E.g., say packet was originally routed via interface ed0,
but we've forwarded it out via fxp0:

  00100 fwd $fxp_gw all from $user to any out via ed0
  00150 count all from any to any out via fxp0

Will our packet match 150th rule? I really hope so, otherwise it isn't
so useful as it could be. Haven't checked it myself, but from the quick
look over the patch I'm afraid it doesn't change xmit interface name.

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE