Date: Thu, 20 Apr 2006 15:59:14 +0300 (EEST)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: Ari Suutari
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Getting kern/82724 (ipfw defaultroute/setnexthop) committed
In-Reply-To: <444732F8.4040006@suutari.iki.fi>
Message-ID: <20060420154345.E79546@atlantis.atlantis.dp.ua>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Hello!

On Thu, 20 Apr 2006, Ari Suutari wrote:

> I have now been running two firewalls with the
> patch included in kern/82724 since the PR was
> created (since June 2005). Works OK, not a single panic
> or other problem.

I also think that both 'setnexthop' and 'defaultroute' are very useful missing features. I'd even say that they are more significant omissions than the ignored "in/out/via any" (kern/95084). I'd like to see both PRs committed.

It's really hard, e.g., to count and shape the overall traffic via an interface if you're forwarding it there via several 'fwd' actions without having 'setnexthop'.

I have just one question about 'setnexthop': does it update the xmit interface name? E.g., say a packet was originally routed via interface ed0, but we've forwarded it out via fxp0:

00100 fwd $fxp_gw all from $user to any out via ed0
00150 count all from any to any out via fxp0

Will our packet match rule 150? I really hope so, otherwise it isn't as useful as it could be. I haven't checked it myself, but from a quick look over the patch I'm afraid it doesn't change the xmit interface name.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
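The question raised in the message above (whether a packet re-routed by a 'fwd' rule still matches a later 'out via <new interface>' rule) can be settled empirically on a FreeBSD box with ipfw: load the two rules into a scratch rule set, send traffic from the test host, and compare the packet counter of the 'count' rule before and after. The script below is an added example and is not part of the original mail or of the kern/82724 patch. The interface names, the gateway 192.0.2.1, the source host 10.0.0.5, the use of rule set 5, and the sample `ipfw -a list` output are all assumptions chosen for illustration; the sample output is constructed so the counter parser can be exercised offline.

```shell
#!/bin/sh
# Probe whether an ipfw 'fwd' re-route updates the packet's xmit interface.
# Added example; assumptions: ed0 is the original egress, fxp0 the interface
# the fwd gateway lives on, 192.0.2.1 the gateway, 10.0.0.5 the test client,
# rule set 5 is free. Run with IPFW_PROBE=1 on a FreeBSD host as root.

FXP_GW="${FXP_GW:-192.0.2.1}"
USER_HOST="${USER_HOST:-10.0.0.5}"
RULESET=5

# rule_packets RULENO: read 'ipfw -a list' output on stdin and print the
# packet counter of rule RULENO. 'ipfw -a list' prints
#   <rule> <packets> <bytes> <action> ...
# with the rule number zero-padded, so compare numerically.
rule_packets() {
    awk -v n="$1" '$1 + 0 == n + 0 { print $2; exit }'
}

# counter_delta BEFORE AFTER: print AFTER-BEFORE, or "unknown" if either
# value is missing (rule not present in the listing).
counter_delta() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown
    else
        echo $(( $2 - $1 ))
    fi
}

# Constructed sample of 'ipfw -a list' output, used to exercise the parser
# without an ipfw-capable host. Counts are invented.
SAMPLE='00100      7      588 fwd 192.0.2.1 ip from 10.0.0.5 to any out via ed0
00150      7      588 count ip from any to any out via fxp0
65535   1024   131072 allow ip from any to any'

# probe: install the two rules from the mail in a scratch set, wait for the
# operator to generate traffic from $USER_HOST, then report whether rule 150
# (the 'out via fxp0' count rule) saw the forwarded packets.
probe() {
    ipfw add 100 set "$RULESET" fwd "$FXP_GW" ip from "$USER_HOST" to any out via ed0
    ipfw add 150 set "$RULESET" count ip from any to any out via fxp0

    before=$(ipfw -a list | rule_packets 150)
    echo "rule 150 packets before: ${before:-?}; now send traffic from $USER_HOST and press Enter"
    read -r _dummy
    after=$(ipfw -a list | rule_packets 150)

    ipfw delete set "$RULESET"

    delta=$(counter_delta "$before" "$after")
    echo "rule 150 packet delta: $delta"
    if [ "$delta" != unknown ] && [ "$delta" -gt 0 ]; then
        echo "fwd updated the xmit interface: 'out via fxp0' matched the re-routed packets"
    else
        echo "no match on 'out via fxp0': the fwd re-route did not update the xmit interface"
    fi
}

if [ "${IPFW_PROBE:-0}" = 1 ]; then
    probe
fi
```

Run it as `IPFW_PROBE=1 ./probe.sh` on the firewall itself; until the Enter key is pressed it keeps the two rules loaded, so generating a few packets from the test client (a ping to any address routed via ed0 is enough) and then pressing Enter gives the answer from the counters rather than from reading the patch. With `IPFW_PROBE` unset the script only defines the helpers, which is what the offline check below relies on.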