Date: Tue, 03 Feb 2015 13:00:02 +0800
From: Julian Elischer <julian@freebsd.org>
To: freebsd-net@freebsd.org, Hiroki Sato <hrs@freebsd.org>
Subject: Re: Does "setfib" in ipfw forces to re-route packet?
Message-ID: <54D055D2.9010503@freebsd.org>
In-Reply-To: <54D004A2.4010203@FreeBSD.org>
References: <54CEA776.1040505@FreeBSD.org> <65FDDA6C-5910-4FBC-B43B-73BB72526AA5@jnielsen.net> <54D004A2.4010203@FreeBSD.org>

On 2/3/15 7:13 AM, Lev Serebryakov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> And looks like, it is possible.
>
> Please, look at sys/netinet/ip_output.c, lines 493-535.
>
> It checks, did packet filter change (a) destination address or (b)
> FIB, and if it does, it re-run routing decision.
>
> So, it will work "as expected" and only documentation need fix :)

yes I see the change.. commit 272391 by hrs (CC'd)

Hrs, can you fix the documentation? (man pages) ipfw(8)

It is important that we always keep the documentation up to date with
our source commits. This change of behaviour should have been
accompanied by a change to the documentation in the actual commit.

It should note in the man page that this is a sub-optimal path because
each packet looks up a route twice, and much of ip_output() is run a
second time, which may be quite expensive if it redoes firewall work
etc. (one reason I didn't do this in the first place).

I would even consider the following around line 542 (head):

    if (inp != NULL) {
        /* switch the socket over so this is its default FIB now */
        inp->inp_inc.inc_fibnum = M_GETFIB(m);
    }

also now that we have a fibnum local variable, it should be used
instead of all the later M_GETFIB() later in the function.

eventually struct route should have a fibnum entry in it.
(though some people have suggested it go right away.)