Date: Thu, 10 Jul 1997 15:58:23 -0700
From: Julian Elischer <julian@whistle.com>
To: Archie Cobbs <archie@whistle.com>
Cc: Charles Owens <owensc@enc.edu>, freebsd-hackers@FreeBSD.ORG, ari.suutari@ps.carel.fi
Subject: Re: ipfw rules processing order when DIVERTing
Message-ID: <33C5690F.2C67412E@whistle.com>
References: <199707102204.PAA03534@bubba.whistle.com>
Archie Cobbs wrote:
>
> > If I take this as literally as I can, I interpret it as follows
> >
> > * Rules before divert rule processed
> > * Divert rule ships all packets not dropped by above rules
> >   to natd for address translation
> > * Packets return from natd and are then subjected to ALL rules,
> >   except this time divert rule is skipped
>
> This is correct.
>
> > This is somewhat counter-intuitive to me. If this how it works, what is
> > the reason for this design, since, as I think about it, there must be a
> > performance penalty to this approach (multiple passes of rules). I had
>
> There are two reasons for this...
>
> 1. The new packet (post-diversion) may be different from the old packet
>    (pre-diversion), so it should be checked again to insure that it
>    doesn't avoid any rules that apply to it.
>
> 2. It's a lot easier to code this way :-)
>

Just to be devil's advocate, ;-)
I think it could start processing at the next higher number after the one
it was diverted from.. in other words it could have an implicit
'skipto (N+1)' rule.

The 'divert' word to me suggests that it should come back to the same
place it left from. :)
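A toy model of the two evaluation orders debated in this thread, added here as an example; it is not ipfw code and not from any of the posters. The rule table, the addresses and the natd mapping are constructed, and evaluate() is a hypothetical walker that shows why Archie's point 1 matters: with an implicit 'skipto (N+1)' the translated packet would slip past rule 100.

```python
import ipaddress

# Constructed rule table (number, action, src, dst); the syntax is a stand-in
# for ipfw's and the addresses are made up for the example.
RULES = [
    (100, "deny",   "any", "192.168.1.0/24"),  # outside may not reach the inside net
    (200, "divert", "any", "any"),             # hand every packet to natd
    (300, "allow",  "any", "any"),
]

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    _, _, src, dst = rule
    return in_net(pkt["src"], src) and in_net(pkt["dst"], dst)

def natd(pkt):
    """Toy inbound translation: the public address maps to one inside host."""
    if pkt["dst"] == "203.0.113.5":
        return dict(pkt, dst="192.168.1.10")
    return pkt

def evaluate(pkt, restart_from_top=True):
    """Walk RULES and return (action, rule_number) for the first match.

    restart_from_top=True  : the behaviour Archie describes -- after natd the
                             packet re-enters at the top and every rule is
                             checked again, except the divert rule itself.
    restart_from_top=False : Julian's hypothetical implicit 'skipto (N+1)'.
    """
    i, diverted = 0, False
    while i < len(RULES):
        num, action, _, _ = RULES[i]
        if not matches(RULES[i], pkt) or (action == "divert" and diverted):
            i += 1
            continue
        if action == "divert":
            pkt, diverted = natd(pkt), True
            i = 0 if restart_from_top else i + 1
            continue
        return action, num
    return "deny", None  # ipfw's closing default rule, modelled here as deny

def main():
    inbound = {"src": "198.51.100.7", "dst": "203.0.113.5"}  # constructed packet
    print("restart from top:", evaluate(inbound, True))   # ('deny', 100)
    print("skipto N+1:      ", evaluate(inbound, False))  # ('allow', 300)

if __name__ == "__main__":
    main()
```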