Date: Thu, 2 Dec 2004 16:40:41 +0300
From: Gleb Smirnoff <glebius@freebsd.org>
To: andre@freebsd.org
Cc: net@freebsd.org
Subject: Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5
Message-ID: <20041202134041.GB32699@cell.sick.ru>
In-Reply-To: <200412021322.iB2DMxLj066304@freefall.freebsd.org>
References: <200412021322.iB2DMxLj066304@freefall.freebsd.org>
Andre,

what is the reason for these two checks in ip_output():

        if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
                dst = (struct sockaddr_in *)&ro->ro_dst;
                bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
                m->m_flags |= M_SKIP_FIREWALL;
                m_tag_delete(m, fwd_tag);
                goto again;
        } else {
                m_tag_delete(m, fwd_tag);
                /* Continue. */
        }

Investigating pre-PFIL_HOOKS ipfw, I have not found any analog of these checks.

These checks do break some useful functionality:

1) policy routing of hosts from connected networks
2) policy routing of locally originated traffic

The second one is used very widely. When you have lines to two ISPs and run natd for both of them, you policy route NATed packets to them.

P.S. kern/73129, kern/73910, kern/71910

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041202134041.GB32699>
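The gate quoted in the message above, modeled in user space so the effect of the two conditions on a `fwd` tag can be seen on concrete packets. This is an added example, not FreeBSD kernel code: `model_in_localip()` and `model_in_localaddr()` are stand-ins for the kernel's in_localip()/in_localaddr() driven by a constructed interface table, the interface addresses are assumed (documentation ranges), and instead of copying the forwarding sockaddr and re-entering routing, `fwd_gate()` only reports whether the tag would be honored or deleted.

```c
/* Added example: user-space model of the fwd_tag gate in ip_output().
 * Not FreeBSD kernel code; addresses and interfaces below are constructed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

struct iface {
    const char *addr;   /* address configured on the interface */
    int prefix;         /* prefix length of the directly connected subnet */
};

/* Constructed interface table: two ISP uplinks plus a LAN (assumed). */
static const struct iface ifaces[] = {
    { "203.0.113.10",  24 },   /* isp0 */
    { "198.51.100.10", 24 },   /* isp1 */
    { "192.0.2.1",     24 },   /* lan0 */
};
#define NIFACES (sizeof(ifaces) / sizeof(ifaces[0]))

/* Parse dotted-quad into host byte order; 0 on parse failure. */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0 : (uint32_t)0xffffffffu << (32 - prefix);
}

/* Stand-in for in_localip(): is ip one of this host's own addresses? */
int model_in_localip(uint32_t ip)
{
    for (size_t i = 0; i < NIFACES; i++)
        if (ip4(ifaces[i].addr) == ip)
            return 1;
    return 0;
}

/* Stand-in for in_localaddr(): is ip on a directly connected subnet? */
int model_in_localaddr(uint32_t ip)
{
    for (size_t i = 0; i < NIFACES; i++) {
        uint32_t m = prefix_mask(ifaces[i].prefix);
        if ((ip4(ifaces[i].addr) & m) == (ip & m))
            return 1;
    }
    return 0;
}

enum fwd_result { FWD_HONORED = 1, FWD_TAG_DELETED = 0 };

/* The quoted gate: the fwd destination replaces the route only when the
 * source is not a local IP AND the destination is not on a connected
 * network; otherwise the tag is deleted and normal routing continues. */
enum fwd_result fwd_gate(const char *src, const char *dst)
{
    uint32_t s = ip4(src), d = ip4(dst);
    if (!model_in_localip(s) && !model_in_localaddr(d))
        return FWD_HONORED;
    return FWD_TAG_DELETED;
}

int main(void)
{
    /* Constructed packets: transit, natd-translated (source is isp0's
     * own address, i.e. locally originated), and one to a LAN host. */
    const char *cases[][2] = {
        { "10.1.2.3",     "172.16.5.5"  },
        { "203.0.113.10", "172.16.5.5"  },
        { "10.1.2.3",     "192.0.2.50"  },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-14s -> %-12s : %s\n", cases[i][0], cases[i][1],
               fwd_gate(cases[i][0], cases[i][1]) == FWD_HONORED
                   ? "fwd honored" : "fwd tag deleted, normal routing");
    return 0;
}
```

The second case is the two-ISP natd setup the message describes: once natd has rewritten the source to the uplink's own address, in_localip() is true and the `fwd` target is discarded.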