error in man ipfw / divert
AT Matik
asstec at matik.com.br
Fri Jul 22 01:11:55 GMT 2005
On Thursday 21 July 2005 19:30, Luigi Rizzo wrote:
>
> as far as ipfw is concerned, the search terminates. it is up to
> the userland app to reinject the packet, and it might well not
> do so if the packet should be processed differently.
Maybe the thing is not well explained or not well read.
IMO these divert manpage parts are relevant:
"Packets are diverted either as they are ``incoming'' or
``outgoing.'' Incoming packets are diverted after reception on an IP
interface, whereas outgoing packets are diverted before next hop
forwarding."
and
"The port part of the socket address passed to the sendto(2) contains
a tag that should be meaningful to the diversion module. In the case
of ipfw(8) the tag is interpreted as the rule number after which rule
processing should restart."
which means for me that either one (in|out) applies after diverting;
probably it applies to the next ipfw rule (but not based on ipfw).
So, like Luigi said:
> so i believe the ipfw manpage is correct.
I believe this also, even if it is not so well explained in man ipfw; but
as far as ipfw is concerned it is correct, because it does not depend on ipfw
whether the packet goes through it again.
But anyway, the ipfw manpage BUGS part says it all.
So if you do not pay attention to natd flags and divert rule numbers
and options, you may think it does not work; still worse, when using
more than 2 NICs and transparent proxying on the same machine, then the
standard how-to natd really does not work as you expect, or does not
work at all.
Hans
--
Infomatik Internet Technology
http://www.matik.com.br
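The divert/reinject semantics quoted above, as an added example that is not part of the original thread: a small Python model of how ipfw walks its rules, terminates the search at a divert rule, hands the packet to the listener on that port, and restarts after the tagged rule number if and when the listener reinjects. The rule numbers, addresses and the natd-like listener are constructed for the illustration; the real kernel path is divert(4), not this code.

```python
from collections import namedtuple

# Constructed model types: direction is "in" or "out"; port is the divert port.
Packet = namedtuple("Packet", "src direction")
Rule = namedtuple("Rule", "number action match port", defaults=(0,))

def run_rules(rules, pkt, start_after=0, trace=None):
    # One pass over the ruleset, first match wins. start_after is the sendto(2)
    # port tag of a reinjected packet: the rule number after which to restart.
    trace = [] if trace is None else trace
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.number <= start_after or not rule.match(pkt):
            continue
        trace.append(rule.number)
        return rule.action, rule.number, rule.port, pkt, trace
    return "deny", 65535, 0, pkt, trace     # ipfw's implicit default rule

def process(rules, pkt, listeners):
    # Kernel plus userland: a "divert" match terminates the search, and whether
    # (and after which rule) the packet comes back is up to the listener.
    trace, tag = [], 0
    for _ in range(len(rules) + 1):         # bound re-diversion loops in the model
        verdict, num, port, pkt, trace = run_rules(rules, pkt, tag, trace)
        if verdict != "divert":
            return verdict, pkt, trace
        listener = listeners.get(port)
        if listener is None:                # nothing bound: modelled as a drop
            return "dropped", pkt, trace
        reinjected = listener(pkt, num)     # returns (packet, tag) or None
        if reinjected is None:              # listener kept the packet
            return "consumed", pkt, trace
        pkt, tag = reinjected               # tag 0 restarts at the first rule
    return "looped", pkt, trace

def natd_like(pkt, tag, nat_ip="192.0.2.1"):
    # Constructed stand-in for natd: rewrite the outgoing source address, then
    # reinject with the tag it received, i.e. resume after the divert rule.
    if pkt.direction == "out":
        pkt = pkt._replace(src=nat_ip)
    return pkt, tag

RULES = [   # constructed ruleset; 8668 is natd's customary divert port
    Rule(100, "allow", lambda p: p.src.startswith("127.")),
    Rule(200, "divert", lambda p: p.direction == "out", port=8668),
    Rule(300, "deny", lambda p: p.src.startswith("10.")),   # untranslated RFC 1918
    Rule(400, "allow", lambda p: True),
]
```

Swapping `natd_like` for a listener that reinjects the packet unchanged shows why the outcome is "not based on ipfw": the same ruleset then denies the packet at rule 300.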