error in man ipfw / divert

AT Matik asstec at
Fri Jul 22 01:11:55 GMT 2005

On Thursday 21 July 2005 19:30, Luigi Rizzo wrote: 
> as far as ipfw is concerned, the search terminates. it is up to
> the userland app to reinject the packet, and it might well not
> do so if the packet should be processed differently.

maybe the thing is not well explained or not well read 

IMO these divert manpage parts are relevant 

"Packets are diverted either as they are ``incoming'' or 
``outgoing.'' Incoming packets are diverted after reception on an IP 
interface, whereas outgoing packets are diverted before next hop 

"The port part of the socket address passed to the sendto(2) contains 
a tag that should be meaningful to the diversion module.  In the case 
of ipfw(8) the tag is interpreted as the rule number after which rule 
processing should restart."

which means for me that either one (in|out) applies after diverting; 
probably it applies to the next ipfw rule (but not based on ipfw)

so like Luigi said 

> so i believe the ipfw manpage is correct.

I believe this also, even if not so well explained in man ipfw, but 
as far as ipfw is concerned it is correct, because it does not depend on ipfw 
whether the packet goes through it again

but anyway the ipfw manpage BUGS part says it all

so if you do not pay attention to natd flags and divert rule numbers 
and options you may think it does not work; still worse when using 
more than 2 NICs and transparent proxying on the same machine, then the 
standard natd how-to really does not work as you expect, or does not 
work at all



Infomatik Internet Technology
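The semantics the thread argues about (the ipfw search stops at a matching divert rule, the userland process decides whether to reinject, and the port tag on sendto(2) names the rule number after which the search restarts) are easy to misread from the manpages alone. The following is an added toy model written for this page; it is not FreeBSD kernel code, not natd, and not from the original post. It assumes a simplified matcher (rules match on direction and interface only), that a reinjected packet keeps its original direction, and that a rule search that keeps re-entering the same divert rule is reported as a loop after a fixed number of passes; the rule numbers, interface names and addresses are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" (after reception on an interface) or "out" (before next hop)
    iface: str

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny" or "divert"
    port: int = 0                     # divert socket port (divert rules only)
    direction: Optional[str] = None   # "in" / "out"; None matches both
    iface: Optional[str] = None       # "via <iface>"; None matches any interface

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Toy matcher (assumption): only direction and interface are compared.
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True

def search(rules: List[Rule], pkt: Packet, start_after: int = 0) -> Rule:
    """First matching rule whose number is greater than start_after.
    start_after=0 is a fresh search; a reinjected packet passes the
    port tag here, so processing restarts after that rule number."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.number > start_after and rule_matches(r, pkt):
            return r
    return Rule(65535, "deny")   # implicit default rule

# A userland diverter receives the packet and the divert rule number and
# either returns (possibly rewritten packet, restart tag) or None if it
# keeps the packet and never reinjects it.
Userland = Callable[[Packet, int], Optional[Tuple[Packet, int]]]

def process(rules: List[Rule], pkt: Packet, userland: Dict[int, Userland],
            max_passes: int = 8) -> Tuple[str, List[Tuple[int, str]]]:
    """Run the rule search, handing diverted packets to userland and
    restarting the search after the tag they come back with."""
    trace: List[Tuple[int, str]] = []
    start_after = 0
    for _ in range(max_passes):
        r = search(rules, pkt, start_after)
        trace.append((r.number, r.action))
        if r.action != "divert":
            return r.action, trace            # search terminated in the kernel
        result = userland[r.port](pkt, r.number)
        if result is None:
            return "absorbed", trace          # userland never reinjected it
        pkt, start_after = result             # reinjected: restart after the tag
    return "loop", trace                      # model's guard against endless re-diversion

def natd_like(public_ip: str, restart_tag: Optional[int] = None) -> Userland:
    """Minimal natd stand-in (assumption, not natd itself): rewrites the
    source of outgoing packets and reinjects with the divert rule's own
    number as tag, unless a fixed restart_tag is forced."""
    def handler(pkt: Packet, divert_rule: int) -> Optional[Tuple[Packet, int]]:
        if pkt.direction == "out":
            pkt = replace(pkt, src=public_ip)
        return pkt, divert_rule if restart_tag is None else restart_tag
    return handler

def absorbing_proxy(pkt: Packet, divert_rule: int) -> Optional[Tuple[Packet, int]]:
    """A diverter that consumes the packet (e.g. a transparent proxy answering itself)."""
    return None

# Constructed sample ruleset: divert traffic via em0 to port 8668, then allow all.
RULES = [
    Rule(50, "divert", port=8668, iface="em0"),
    Rule(100, "allow"),
]

def demo() -> Dict[str, Tuple[str, List[Tuple[int, str]]]]:
    out_em0 = Packet("10.0.0.5", "198.51.100.7", "out", "em0")
    out_em1 = Packet("10.0.0.5", "198.51.100.7", "out", "em1")
    return {
        # natd reinjects with tag 50, so the search resumes at rule 100
        "nat_then_allow": process(RULES, out_em0, {8668: natd_like("203.0.113.1")}),
        # em1 never hits the divert rule at all
        "other_iface": process(RULES, out_em1, {8668: natd_like("203.0.113.1")}),
        # a tag of 0 restarts from the top and re-enters the divert rule
        "bad_tag_loops": process(RULES, out_em0, {8668: natd_like("203.0.113.1", restart_tag=0)}),
        # the userland side keeps the packet; ipfw sees nothing further
        "absorbed": process(RULES, out_em0, {8668: absorbing_proxy}),
    }

if __name__ == "__main__":
    for name, (verdict, trace) in demo().items():
        print(f"{name:15s} {verdict:9s} {trace}")
```

The `bad_tag_loops` case is the point of the "pay attention to divert rule numbers" remark: if the reinjecting process restarts the search at a rule number at or before the divert rule, the same divert rule matches again. In this model that is reported as `loop`; on a real system the packet would simply be diverted again, which is why the tag natd hands back matters.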
