Date: Thu, 10 Jul 1997 16:29:50 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: julian@whistle.com (Julian Elischer)
Cc: archie@whistle.com, owensc@enc.edu, freebsd-hackers@FreeBSD.ORG, ari.suutari@ps.carel.fi
Subject: Re: ipfw rules processing order when DIVERTing
Message-ID: <199707102329.QAA04387@bubba.whistle.com>
In-Reply-To: <33C5690F.2C67412E@whistle.com> from Julian Elischer at "Jul 10, 97 03:58:23 pm"
> > > This is somewhat counter-intuitive to me. If this is how it works, what is
> > > the reason for this design, since, as I think about it, there must be a
> > > performance penalty to this approach (multiple passes of rules). I had
> >
> > There are two reasons for this...
> >
> > 1. The new packet (post-diversion) may be different from the old packet
> >    (pre-diversion), so it should be checked again to insure that it
> >    doesn't avoid any rules that apply to it.
> >
> > 2. It's a lot easier to code this way :-)
>
> Just to be devil's advocate, ;-)
> I think it could start processing at the next higher number
> after the one it was diverted from..
> in other words it could have an implicit 'skipto (N+1)' rule
>
> the 'divert' word to me suggests that it should come back to the same
> place it left from. :)

Yes! ``It could start processing at the next higher number.''

I agree with that :-) The problem is that when the packet returns to the
kernel from user-land, that bit of state that says "this packet has already
seen rules 1-2000 (or whatever)" is lost, and you can't retrieve it.

The only way to do this would be for the user-land process to send back
some additional info that says "skip to rule 2000". Doable, but .. not
very pretty?

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
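The two semantics argued over in this message (re-check the returned packet from the first rule, versus an implicit 'skipto (N+1)') can be made concrete with a small model of an ipfw-style rule chain. The following Python is an added example, not code from this thread, FreeBSD or ipfw: the rule set, the addresses, the `natd` stand-in and the function names are all constructed for illustration. It shows why reason 1 above matters (a packet rewritten by the daemon can match an earlier deny rule only under the restart semantics), counts the rule evaluations behind the "multiple passes" concern, and guards against the case where restart semantics would divert an unchanged packet forever.

```python
"""Toy model of ipfw rule-chain evaluation around a divert rule.

Constructed example, not FreeBSD code. It contrasts restarting from the
first rule after the packet comes back from user-land with an implicit
'skipto (N+1)' that resumes just after the divert rule.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow", "deny" or "divert"
    match: Dict[str, str]  # packet fields that must match; empty matches all
    port: int = 0          # divert port (only meaningful for "divert")

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


# A handler stands in for the user-land daemon on the divert socket; it
# returns the packet to reinject, or None to drop it.
Handler = Callable[[Packet], Optional[Packet]]

DEFAULT_DENY = 65535  # ipfw's implicit final rule


def run_chain(rules: List[Rule], pkt: Packet, handlers: Dict[int, Handler],
              resume_after_divert: bool, max_passes: int = 8
              ) -> Tuple[str, int, Packet, int]:
    """Return (verdict, rule number, final packet, number of rules evaluated)."""
    ordered = sorted(rules, key=lambda r: r.number)
    start = 0          # index of the first rule to look at on this pass
    evaluated = 0
    passes = 0
    while True:
        passes += 1
        if passes > max_passes:
            # With restart semantics an unchanged packet would hit the same
            # divert rule again and again; refuse to loop forever.
            raise RuntimeError("packet keeps being diverted; chain does not terminate")
        diverted = False
        for i in range(start, len(ordered)):
            rule = ordered[i]
            evaluated += 1
            if not rule.matches(pkt):
                continue
            if rule.action in ("allow", "deny"):
                return rule.action, rule.number, pkt, evaluated
            if rule.action == "divert":
                new_pkt = handlers[rule.port](pkt)
                if new_pkt is None:
                    return "dropped-by-daemon", rule.number, pkt, evaluated
                pkt = new_pkt
                # This is where the two designs differ: the kernel no longer
                # knows the packet already saw rules up to this one, so it
                # either starts over or (if told) resumes after rule N.
                start = i + 1 if resume_after_divert else 0
                diverted = True
                break
            raise ValueError(f"unknown action {rule.action!r}")
        if not diverted:
            return "deny", DEFAULT_DENY, pkt, evaluated


# Constructed rule set: the public address 203.0.113.5 is NATed by a daemon
# on divert port 8668 to the internal host 10.0.0.7, which rule 100 says
# must not be reachable from outside.
RULES = [
    Rule(50, "allow", {"proto": "icmp"}),
    Rule(100, "deny", {"dst": "10.0.0.7"}),
    Rule(200, "divert", {"dst": "203.0.113.5"}, port=8668),
    Rule(300, "allow", {}),
]


def natd(pkt: Packet) -> Optional[Packet]:
    # Hypothetical stand-in for natd: rewrite the public destination.
    return replace(pkt, dst="10.0.0.7") if pkt.dst == "203.0.113.5" else pkt


HANDLERS = {8668: natd}
INBOUND = Packet(src="198.51.100.9", dst="203.0.113.5", proto="tcp")


def compare() -> Dict[str, Tuple[str, int, int]]:
    """Run the same inbound packet under both semantics."""
    out = {}
    for name, resume in (("restart", False), ("skipto", True)):
        verdict, number, _final, evaluated = run_chain(RULES, INBOUND, HANDLERS, resume)
        out[name] = (verdict, number, evaluated)
    return out


if __name__ == "__main__":
    for name, (verdict, number, n) in compare().items():
        print(f"{name:8s}: {verdict} at rule {number} after {n} rule evaluations")
```

Under the restart semantics the rewritten packet is caught by rule 100 on the second pass; under the implicit skipto it sails through rule 300, which is exactly the "doesn't avoid any rules that apply to it" trade-off, bought at the price of re-evaluating the early rules.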