From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 4 17:44:47 2009
Message-ID: <4AF1BD8E.207@elischer.org>
Date: Wed, 04 Nov 2009 09:44:46 -0800
From: Julian Elischer <julian@elischer.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
To: jakub
Cc: freebsd-ipfw@freebsd.org
References: <1257352643.7731.8.camel@dell>
In-Reply-To: <1257352643.7731.8.camel@dell>
Subject: Re: Diverting sockets and streams
List-Id: IPFW Technical Discussions

jakub wrote:
> Hi list,
>
> I have a newbie question about divert sockets but I can't find a direct
> answer.
>
> I have a rule like this:
>
> ipfw add divert 5555 tcp from me to any 80 keep-state
>
> If I understand it correctly, in order to check the data stream properly
> I have to deal with:
>
> 1. packet reordering
> 2. packet duplication

yes, divert treats each packet individually with the exception of frags
which it reassembles.

> so basically I have to implement part of the TCP stack in my app.

yes, though there may be other ways to do what you want..
what DO you want to do?

> I don't have to bother with fragmentation (according to man pages).
> I won't be able to understand IPSec packets as I will get encrypted IP
> frames.

yes

> Am I correct? Or can you please tell me how it really works?

packets enter the system and are run through the IP stack where the first
thing they hit is ipfw. in ipfw the divert rule forces them to the divert
code (which does reassembly but that's all) and passes the result to a
divert socket.

there is a possibility that, done correctly with ESP, one might be able to
get to the unencrypted packet, but you'd have to read the code starting at
ip_input() in ip_input.c to check for sure.

> Thanks a lot,
>
> Jakub
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
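The thread above establishes what a divert consumer actually receives: whole IPv4 packets, header first, already defragmented, but otherwise one at a time and in whatever order and multiplicity the network produced. The following is an added example, not code from the thread or from ipfw, showing the two pieces a divert application for a rule like `ipfw add divert 5555 tcp from me to any 80` then has to supply itself: a parser for the raw IPv4/TCP packet and a one-direction TCP reassembler that tolerates reordering and duplicate segments (including sequence-number wraparound). The divert socket itself, `socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)` bound to port 5555 with `read()`/`write()` to pull and reinject packets, is FreeBSD-specific and is left out so the block builds anywhere; the packets fed in below are constructed inline, with zero checksums, purely to drive the reassembler. The 4 KiB window size and the function names are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One TCP segment as parsed out of a raw IPv4 packet read from a divert socket. */
struct tcp_seg {
    uint32_t seq;          /* sequence number of data[0] */
    const uint8_t *data;   /* payload start (inside the packet buffer) */
    size_t len;            /* payload length */
};

/* Parse the raw IPv4 packet that divert(4) hands you (IP header first, no link
 * layer, already defragmented). Returns 0 for a TCP segment, -1 otherwise. */
int parse_ipv4_tcp(const uint8_t *pkt, size_t pktlen, struct tcp_seg *out)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot > pktlen || ihl + 20 > tot) return -1;
    if (pkt[9] != 6) return -1;                               /* not TCP */
    if ((pkt[6] & 0x20) || ((((size_t)pkt[6] & 0x1f) << 8) | pkt[7]))
        return -1;                          /* MF set or offset != 0: a fragment, unexpected here */
    const uint8_t *th = pkt + ihl;
    size_t doff = (size_t)(th[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return -1;
    out->seq = ((uint32_t)th[4] << 24) | ((uint32_t)th[5] << 16) |
               ((uint32_t)th[6] << 8) | th[7];
    out->data = th + doff;
    out->len = tot - ihl - doff;
    return 0;
}

#define STREAM_BUF 4096   /* receive window of this toy reassembler (assumption) */

/* One direction of a TCP stream: a window of bytes starting at base_seq plus a
 * per-byte "seen" map, so duplicates and overlaps simply rewrite known bytes. */
struct stream {
    uint32_t base_seq;            /* sequence number of buf[0] */
    uint8_t buf[STREAM_BUF];
    uint8_t filled[STREAM_BUF];   /* 1 once that byte has arrived */
    size_t contiguous;            /* in-order bytes available from buf[0] */
};

void stream_init(struct stream *s, uint32_t isn)
{
    memset(s, 0, sizeof *s);
    s->base_seq = isn + 1;        /* first data byte follows the SYN */
}

/* Feed one segment, in any order. Bytes before the window (already consumed)
 * or beyond it are dropped. Returns the number of in-order bytes now ready. */
size_t stream_feed(struct stream *s, const struct tcp_seg *seg)
{
    int64_t off = (int32_t)(seg->seq - s->base_seq);   /* modular: survives wrap */
    for (size_t i = 0; i < seg->len; i++) {
        int64_t pos = off + (int64_t)i;
        if (pos < 0 || pos >= STREAM_BUF) continue;
        s->buf[pos] = seg->data[i];
        s->filled[pos] = 1;
    }
    while (s->contiguous < STREAM_BUF && s->filled[s->contiguous]) s->contiguous++;
    return s->contiguous;
}

/* Consume up to max in-order bytes and slide the window forward. */
size_t stream_read(struct stream *s, uint8_t *out, size_t max)
{
    size_t n = s->contiguous < max ? s->contiguous : max;
    memcpy(out, s->buf, n);
    memmove(s->buf, s->buf + n, STREAM_BUF - n);
    memmove(s->filled, s->filled + n, STREAM_BUF - n);
    memset(s->filled + STREAM_BUF - n, 0, n);
    s->base_seq += (uint32_t)n;
    s->contiguous -= n;
    return n;
}

/* Constructed test packet: minimal IPv4+TCP, no options, checksums left zero. */
static size_t build_pkt(uint8_t *out, uint32_t seq, const char *payload)
{
    size_t plen = strlen(payload), tot = 40 + plen;
    memset(out, 0, tot);
    out[0] = 0x45; out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[8] = 64; out[9] = 6;
    uint8_t *th = out + 20;
    th[0] = 0x04; th[1] = 0xd2; th[3] = 80;                   /* 1234 -> 80 */
    th[4] = (uint8_t)(seq >> 24); th[5] = (uint8_t)(seq >> 16);
    th[6] = (uint8_t)(seq >> 8);  th[7] = (uint8_t)seq;
    th[12] = 0x50; th[13] = 0x18;                             /* doff 5, PSH|ACK */
    memcpy(th + 20, payload, plen);
    return tot;
}

/* Deliver a request in three segments: last first, the first twice, the last
 * twice, exactly the reordering and duplication a divert consumer must absorb. */
size_t demo_reassemble(char *out, size_t outmax)
{
    const uint32_t isn = 0xfffffff0u;           /* near wrap, to exercise modular math */
    const char *parts[] = { "GET ", "/ HT", "TP/1.0\r\n" };
    const uint32_t seqs[] = { isn + 1, isn + 5, isn + 9 };
    const int order[] = { 2, 0, 0, 1, 2 };
    struct stream s; struct tcp_seg seg; uint8_t pkt[128];
    stream_init(&s, isn);
    for (size_t i = 0; i < 5; i++) {
        size_t n = build_pkt(pkt, seqs[order[i]], parts[order[i]]);
        if (parse_ipv4_tcp(pkt, n, &seg) == 0) stream_feed(&s, &seg);
    }
    size_t n = stream_read(&s, (uint8_t *)out, outmax - 1);
    out[n] = '\0';
    return n;
}

const char *demo_reassembled(void)
{
    static char buf[64];
    demo_reassemble(buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("%zu bytes in order: %s", demo_reassemble((char[64]){0}, 64), demo_reassembled());
    return 0;
}
```

A real consumer would keep one `struct stream` per direction per connection, keyed on the 4-tuple, seed `base_seq` from the SYN it sees, and would also have to evict streams on FIN/RST or timeout and decide what to do when data arrives beyond the window; none of that is shown here. Note that, as the reply says, none of this helps with ESP: the divert socket sees the encrypted packet, so a parser like the one above would reject it at the protocol check.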