Date: Thu, 10 Jul 1997 15:04:19 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: owensc@enc.edu (Charles Owens)
Cc: freebsd-hackers@FreeBSD.ORG, ari.suutari@ps.carel.fi
Subject: Re: ipfw rules processing order when DIVERTing
Message-ID: <199707102204.PAA03534@bubba.whistle.com>
In-Reply-To: <Pine.FBS.3.93.970710121015.10980C-100000@dingo.its.enc.edu> from Charles Owens at "Jul 10, 97 12:27:22 pm"
> If I take this as literally as I can, I interpret it as follows
>
> * Rules before divert rule processed
> * Divert rule ships all packets not dropped by above rules
>   to natd for address translation
> * Packets return from natd and are then subjected to ALL rules,
>   except this time divert rule is skipped

This is correct.

> This is somewhat counter-intuitive to me. If this is how it works, what is
> the reason for this design, since, as I think about it, there must be a
> performance penalty to this approach (multiple passes of rules). I had

There are two reasons for this...

1. The new packet (post-diversion) may be different from the old packet
   (pre-diversion), so it should be checked again to insure that it doesn't
   avoid any rules that apply to it.

2. It's a lot easier to code this way :-)

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
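The re-evaluation behaviour confirmed above, modelled as an added example that is not part of the thread or of ipfw itself: a tiny rule evaluator in which a matching divert rule hands the packet to a NAT function and the rewritten packet is run through every rule again with divert rules skipped. The rule numbers, addresses and the NAT mapping are constructed, and the `recheck=False` path is a hypothetical "continue after the divert rule" design included only to show what reason 1 guards against.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny" or "divert"
    match: Callable[[Packet], bool]

def run_ipfw(rules: List[Rule], pkt: Packet, nat: Callable[[Packet], Packet],
             recheck: bool = True, _diverted: bool = False) -> Tuple[str, Packet]:
    """Return (verdict, packet as finally seen). recheck=True is the ipfw
    behaviour from the thread: after natd rewrites the packet, start again
    at the first rule and skip divert rules on this pass."""
    for i, rule in enumerate(rules):
        if rule.action == "divert":
            if _diverted or not rule.match(pkt):
                continue
            new_pkt = nat(pkt)            # packet goes to natd and comes back
            if recheck:
                return run_ipfw(rules, new_pkt, nat, True, _diverted=True)
            # Hypothetical alternative: carry on with the rules after divert only.
            return run_ipfw(rules[i + 1:], new_pkt, nat, False, _diverted=True)
        if rule.match(pkt):
            return rule.action, pkt
    return "deny", pkt                    # nothing matched: default deny

def natd(pkt: Packet) -> Packet:
    """Constructed NAT: inbound traffic to the public address is translated
    to an inside host (both addresses are documentation ranges)."""
    return replace(pkt, dst="192.0.2.50") if pkt.dst == "198.51.100.10" else pkt

# Constructed rule set: a deny that only matches the *translated* packet sits
# before the divert rule, so it can only take effect on the second pass.
RULES = [
    Rule(100, "deny",   lambda p: p.dst.startswith("192.0.2.") and p.dport == 23),
    Rule(200, "divert", lambda p: True),
    Rule(300, "allow",  lambda p: True),
]

TELNET = Packet("203.0.113.7", "198.51.100.10", 23)   # constructed sample
HTTP = Packet("203.0.113.7", "198.51.100.10", 80)     # constructed sample
```

With `recheck=True` the telnet packet is denied by rule 100 after translation; with the hypothetical `recheck=False` design it would slip past that rule and be allowed.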