Date:      Fri, 3 Jun 2011 16:45:36 +0700
From:      Vadim Goncharov <>
To:        "Andrey V. Elsukov" <>
Subject:   Re: svn commit: r222582 - head/sys/netinet/ipfw
Message-ID:  <>
In-Reply-To: <201106011944.p51JiqRh084264__3976.03753158382$1306957522$gmane$org@svn.freebsd.org>
References:  <201106011944.p51JiqRh084264__3976.03753158382$1306957522$gmane$>

Hi Andrey V. Elsukov! 

On Wed, 1 Jun 2011 19:44:52 +0000 (UTC); Andrey V. Elsukov <> wrote:

> Log:
>   O_FORWARD_IP is the only action which depends on the result of lookup of
>   dynamic rules. We are doing forwarding in the following cases:
>    o For the simple ipfw fwd rule, e.g.
>   	fwd ip from any to any out xmit em0
>   	fwd,3128 tcp from any to any 80 in recv em1
>    o For the dynamic fwd rule, e.g.
>    	fwd tcp from any to 3333 setup keep-state
>           When this rule triggers it creates a dynamic rule, but this
>   	dynamic rule should forward packets only in forward direction.
>    o And the last case that did not work before - simple fwd rule which
>    triggers when some dynamic rule is already executed.
>  			case O_FORWARD_IP:
>  				if (args->eh)	/* not valid on layer2 pkts */
>  					break;
> -				if (!q || dyn_dir == MATCH_FORWARD) {
> +				if (q == NULL || q->rule != f ||
> +				    dyn_dir == MATCH_FORWARD) {
>  				    struct sockaddr_in *sa;
>  				    sa = &(((ipfw_insn_sa *)cmd)->sa);
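
Review bot: the new `q->rule != f` clause in the `O_FORWARD_IP` condition has no comment, and it is the non-obvious part of the test. As written, the branch is taken when no dynamic state matched (`q == NULL`), when the matched state was created by a rule other than the one being executed (`q->rule != f`), or when the packet travels in the forward direction of the state (`dyn_dir == MATCH_FORWARD`); the only case left out is a reverse-direction packet whose state was created by this same fwd rule. A short comment above the `if` listing these three cases, matching the three bullets in the log, would let a reader see the intent without going back to the PRs. It would also help to note there that `dyn_dir` is ignored whenever `q->rule != f`, since any later opcode that depends on direction would need to revisit this condition.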

The log is not clear about the purpose of the last case: it is used to make a
"subroutine" on the execution of a dynamic rule instead of only one action
(it is clear only from both PRs which takes much time to grok rulesets).

Also, it is questionable whether this patch will stay correct in the future
when dynamic rules are changed, and/or new opcodes (depending on packet
direction) are added. We should keep this place in mind for such future
changes now.

WBR, Vadim Goncharov. ICQ#166852181
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][][LJ:/nuclight]
