Date: Thu, 15 Aug 2002 00:12:58 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: RFC: new mbuf flag bit needed
Message-ID: <3D5B547A.E29F61BA@mindspring.com>
References: <20020815000720.B24495@iguana.icir.org>
Luigi Rizzo wrote:
> ipfw does this using two specific hacks:
> + ICMP packets will not generate a response even on "unreach" rules;
> + TCP packets with the RST bit set will not generate a response
> on "unreach" rules
>
> ipfw2 has a harder time because keepalives have nothing very
> distinguishable in them (except sequence numbers which refer to old
> data; but to detect them requires a lookup of the stateful entry).

Why does ipfw2 not do it exactly the way ipfw does it? I don't
understand why it has a harder time, since it has all the same
information.

> So my proposal is to use a different method, and use one of the
> m_pkthdr.flags bits as a marker that the packet should bypass the
> firewall. I can restrict the change to just ip_fw2.c so no other
> parts of the system will need to be modified, except sys/mbuf.h for
> the definition of the new bit if we want to give it a meaningful name.

Ugh.

So all you have to really do is figure a way to force this bit to
get set in data, and you can bypass the firewall with all your hack
packets?

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
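The two ipfw exceptions quoted in the thread (no "unreach" response for ICMP, none for a TCP segment carrying RST), written out as an added C example; this is not code from the thread or from FreeBSD's ipfw sources. It goes a little beyond the quoted text by also staying silent on truncated packets and non-first fragments, and the packet builder, its 10.0.0.x addresses and zero checksums are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_TCP  6
#define TCP_RST    0x04

/* May an "unreach" (reject) rule answer this IPv4 packet?  Encodes the two
 * exceptions quoted in the thread (never answer ICMP, never answer TCP
 * with RST) and stays silent on truncated or non-first-fragment packets. */
bool unreach_may_respond(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return false;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return false;
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)   /* fragment offset != 0 */
        return false;
    uint8_t proto = pkt[9];
    if (proto == PROTO_ICMP)
        return false;
    if (proto == PROTO_TCP) {
        if (len < ihl + 14)                /* need the TCP flags byte */
            return false;
        if (pkt[ihl + 13] & TCP_RST)
            return false;
    }
    return true;
}

/* Constructed sample: 20-byte IPv4 header (no options) plus a 20-byte TCP
 * header with the given flags; checksums left zero (irrelevant here). */
size_t build_sample(uint8_t *buf, uint8_t proto, uint8_t tcp_flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;  buf[3] = 40;  buf[8] = 64;  buf[9] = proto;
    buf[12] = 10; buf[15] = 1;    /* 10.0.0.1 -> 10.0.0.2 (constructed) */
    buf[16] = 10; buf[19] = 2;
    buf[32] = 0x50;               /* TCP data offset 5 */
    buf[33] = tcp_flags;
    return 40;
}
```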