clarification on /etc/rc.firewall ("in via ..." commands etc.)

Michael Sierchio kudzu at tenebras.com
Tue Jul 15 17:07:50 PDT 2003


Luigi Rizzo wrote:
> Hi,
> I was looking at /etc/rc.firewall, and noticed that there is a
> number of rules with "... in via $ifname".
> 
> Looking at the ipfw1 code:
> + "in" only matches if a packet has a receive interface associated with it.
> 
> + "via $ifname" matches
> 1) the xmit interface if one is associated with the packet, or
> 2) the receive interface if one is associated with the packet, or
> 3) it fails if no interfaces are associated with the packet.
> 
> So, my first question is where in our protocol stack we can have
> packets with neither receive or xmit interfaces;
> 
> The second question is whether the sequence "in via $ifname"
> should be replaced by "in recv $ifname" (which in my opinion
> makes it clearer which traffic is being matched).

On a slightly tangential note, isn't it still the case that
a packet that has been returned by natd (or any divert daemon)
has lost any knowledge of its "in recv" interface?
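The following is an added illustration, not code from the thread or from ipfw itself: a small Python model of the interface-matching semantics Luigi describes for ipfw1 ("in" needs a receive interface; "via X" checks the transmit interface if there is one, otherwise the receive interface, otherwise fails), plus a rule evaluator for the "in via"/"in recv" option strings. The packets, interface names (em0, em1) and the reinject_from_divert() helper, which drops the receive interface the way Michael's question supposes natd does, are constructed for the example and are assumptions, not ipfw behaviour verified here.

```python
"""Model of ipfw1-style interface matching (added example, not ipfw code).

A packet carries an optional receive interface and an optional transmit
interface.  The rule options are modelled after the thread's description:
  in      -> the packet has a receive interface
  recv X  -> the receive interface is X
  xmit X  -> the transmit interface is X
  via X   -> the transmit interface is X if the packet has one, else the
             receive interface is X if the packet has one, else no match
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    rcvif: Optional[str]   # interface the packet was received on, if any
    xmitif: Optional[str]  # interface the packet will be sent on, if any


def match_in(pkt: Packet) -> bool:
    return pkt.rcvif is not None


def match_recv(pkt: Packet, ifname: str) -> bool:
    return pkt.rcvif == ifname


def match_xmit(pkt: Packet, ifname: str) -> bool:
    return pkt.xmitif == ifname


def match_via(pkt: Packet, ifname: str) -> bool:
    # Ordered fallback as described in the thread: xmit first, then recv.
    if pkt.xmitif is not None:
        return pkt.xmitif == ifname
    if pkt.rcvif is not None:
        return pkt.rcvif == ifname
    return False            # no interface associated at all


def rule_matches(options: str, pkt: Packet) -> bool:
    """Evaluate the interface options of a rule, e.g. "in via em0".

    Supported tokens: in, via X, recv X, xmit X.  Every option must hold.
    """
    toks = options.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "in":
            if not match_in(pkt):
                return False
        elif tok in ("via", "recv", "xmit"):
            i += 1
            if i >= len(toks):
                raise ValueError(f"'{tok}' needs an interface name")
            name = toks[i]
            fn = {"via": match_via, "recv": match_recv, "xmit": match_xmit}[tok]
            if not fn(pkt, name):
                return False
        else:
            raise ValueError(f"unsupported option {tok!r}")
        i += 1
    return True


def reinject_from_divert(pkt: Packet) -> Packet:
    """Assumption for the example: a packet handed back by a divert daemon
    (natd) comes back with no receive interface, as Michael's question
    supposes.  Real divert(4) behaviour is not asserted here."""
    return Packet(rcvif=None, xmitif=pkt.xmitif)


def demo() -> dict:
    """Constructed packets showing where "in via" and "in recv" disagree."""
    inbound = Packet(rcvif="em0", xmitif=None)       # plain inbound packet
    forwarded = Packet(rcvif="em0", xmitif="em1")    # being forwarded out em1
    orphan = Packet(rcvif=None, xmitif=None)         # no interface at all
    after_natd = reinject_from_divert(inbound)
    return {
        "inbound via": rule_matches("in via em0", inbound),         # True
        "inbound recv": rule_matches("in recv em0", inbound),       # True
        "forwarded via": rule_matches("in via em0", forwarded),     # False: xmit wins
        "forwarded recv": rule_matches("in recv em0", forwarded),   # True
        "orphan via": rule_matches("in via em0", orphan),           # False
        "after natd recv": rule_matches("in recv em0", after_natd), # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The "forwarded" row is the point of Luigi's second question: for a packet that has both a receive and a transmit interface, "in via em0" silently tests the transmit side, whereas "in recv em0" tests the interface the packet actually arrived on.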
