Date: Wed, 7 Nov 2001 09:34:04 -0800
From: Luigi Rizzo <rizzo@aciri.org>
To: cjclark@alum.mit.edu
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Fixing ipfw(8)'s 'tee'
Message-ID: <20011107093404.B96033@iguana.aciri.org>
In-Reply-To: <20011107021241.D307@blossom.cjclark.org>
References: <20011107021241.D307@blossom.cjclark.org>

On Wed, Nov 07, 2001 at 02:12:41AM -0800, Crist J. Clark wrote:
...
> About 'accepted,' but I don't believe this is the intended
> behavior. For outgoing packets, one copy is sent to the divert port
> and the other is routed to the destination on the packet.
...
> I'm not really sure if I understand what 'tee' is needed for. Why
> not just have whatever is listening on the 'tee' divert socket write
> packets back in? This also works around the issue that 'tee' packets
> are immediately accepted by the firewall. But if we want to keep
> 'tee,' it probably should work.

for sure we can replace tee with divert as you say, but then
you would depend on the userland app to do its work (and you
could have drops on the divert socket, whereas forwarding within
the kernel is much faster).

There is not an issue of accept vs. deny a "tee" packet, if you
want to deny it you just use a "divert" rule instead.

	cheers
	luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message