Date:      Fri, 3 Jun 2011 16:45:36 +0700
From:      Vadim Goncharov <vadim_nuclight@mail.ru>
To:        "Andrey V. Elsukov" <ae@FreeBSD.org>
Cc:        freebsd-ipfw@FreeBSD.org, svn-src-all@FreeBSD.org
Subject:   Re: svn commit: r222582 - head/sys/netinet/ipfw
Message-ID:  <201106030945.p539ja7J020454@kernblitz.nuclight.avtf.net>
In-Reply-To: <201106011944.p51JiqRh084264__3976.03753158382$1306957522$gmane$org@svn.freebsd.org>
References:  <201106011944.p51JiqRh084264__3976.03753158382$1306957522$gmane$org@svn.freebsd.org>

Hi Andrey V. Elsukov! 

On Wed, 1 Jun 2011 19:44:52 +0000 (UTC); Andrey V. Elsukov <ae@FreeBSD.org> wrote:

> Log:
>   O_FORWARD_IP is the only action which depends on the result of the lookup of
>   dynamic rules. We are doing forwarding in the following cases:
>    o For the simple ipfw fwd rule, e.g.
>   
>   	fwd 10.0.0.1 ip from any to any out xmit em0
>   	fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1
>   
>    o For the dynamic fwd rule, e.g.
>   
>    	fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state
>   
>           When this rule triggers it creates a dynamic rule, but this
>   	dynamic rule should forward packets only in forward direction.
>   
>    o And the last case that did not work before - a simple fwd rule which
>    triggers when some dynamic rule has already been executed.
[...]
>  			case O_FORWARD_IP:
>  				if (args->eh)	/* not valid on layer2 pkts */
>  					break;
> -				if (!q || dyn_dir == MATCH_FORWARD) {
> +				if (q == NULL || q->rule != f ||
> +				    dyn_dir == MATCH_FORWARD) {
>  				    struct sockaddr_in *sa;
>  				    sa = &(((ipfw_insn_sa *)cmd)->sa);
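Review bot: the new condition on the `+` lines folds three distinct cases into one expression (no dynamic state at all, `q == NULL`; a static fwd rule reached after dynamic state belonging to a different rule matched, `q->rule != f`; the dynamic rule's own forward direction, `dyn_dir == MATCH_FORWARD`), and nothing at the site of the check says so, so a short comment above the `if` naming those three cases would spare the next reader the trip through the commit log and the PRs. The `q->rule != f` test also relies on `q` still referring to the dynamic rule matched earlier in this same evaluation and on `f` being the rule whose action is now running; if either of those lookups is ever restructured, this check changes meaning silently, which is worth recording in that same comment.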

The log is not clear about the purpose of the last case: it is used to make a
"subroutine" on the execution of a dynamic rule instead of only one action
(this is clear only from both PRs, which take much time to grok the rulesets).

Also, it is questionable whether this patch will stay correct in the future
when dynamic rules are changed and/or new opcodes (depending on packet
direction) are added. We should keep this place in mind for such future
changes now.

-- 
WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
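The three forwarding cases from the quoted commit log, and the difference between the old and new O_FORWARD_IP condition, can be checked outside the kernel with a small model. The following is an added example, not code from the FreeBSD tree or from either poster: `struct ip_fw` and `struct ipfw_dyn_rule` are reduced to the one field the check needs, `MATCH_FORWARD` is the name from the hunk while `MATCH_NONE` and `MATCH_REVERSE` and all enum values are assumptions of this model, and `fwd_old`/`fwd_new` are the `-` and `+` conditions transcribed verbatim.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Result of the dynamic-rule lookup. MATCH_FORWARD is the name used in the
 * quoted hunk; the other names and all values are assumptions of this model. */
enum dyn_match { MATCH_NONE = 0, MATCH_FORWARD = 1, MATCH_REVERSE = 2 };

/* Minimal stand-ins for the kernel structures: a static rule, and a dynamic
 * state entry that points back at the rule which created it. */
struct ip_fw { const char *descr; };
struct ipfw_dyn_rule { const struct ip_fw *rule; };

/* Condition from the '-' line of the hunk: forward unless dynamic state
 * exists and the packet is not travelling in the forward direction. */
static bool fwd_old(const struct ipfw_dyn_rule *q, const struct ip_fw *f,
                    enum dyn_match dyn_dir)
{
    (void)f; /* the old test never looks at the rule being executed */
    return !q || dyn_dir == MATCH_FORWARD;
}

/* Condition from the '+' lines of the hunk: additionally forward when the
 * dynamic state belongs to some rule other than the one now executing. */
static bool fwd_new(const struct ipfw_dyn_rule *q, const struct ip_fw *f,
                    enum dyn_match dyn_dir)
{
    return q == NULL || q->rule != f || dyn_dir == MATCH_FORWARD;
}

static int decide(bool use_new, const struct ipfw_dyn_rule *q,
                  const struct ip_fw *f, enum dyn_match dyn_dir)
{
    return use_new ? fwd_new(q, f, dyn_dir) : fwd_old(q, f, dyn_dir);
}

/* Case 1 of the log: a plain fwd rule, no dynamic state involved. */
int scenario_static_fwd(bool use_new)
{
    struct ip_fw f = { "fwd 10.0.0.1 ip from any to any out xmit em0" };
    return decide(use_new, NULL, &f, MATCH_NONE);
}

/* Case 2 of the log: "fwd ... setup keep-state"; the state it created is
 * later matched either in the forward direction or in the reverse one,
 * and only the forward direction may be forwarded. */
int scenario_dynamic_fwd(bool use_new, bool forward_dir)
{
    struct ip_fw f = { "fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state" };
    struct ipfw_dyn_rule q = { &f };
    return decide(use_new, &q, &f, forward_dir ? MATCH_FORWARD : MATCH_REVERSE);
}

/* Case 3 of the log: dynamic state created by rule A has already matched
 * (here for a reverse-direction packet), and evaluation then continued into
 * a different, static fwd rule B. q still points at A, f is now B. */
int scenario_fwd_after_dynamic(bool use_new)
{
    struct ip_fw a = { "keep-state rule that created the state (constructed)" };
    struct ip_fw b = { "fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1" };
    struct ipfw_dyn_rule q = { &a };
    return decide(use_new, &q, &b, MATCH_REVERSE);
}

int main(void)
{
    printf("case 1, static fwd:             old=%d new=%d\n",
           scenario_static_fwd(false), scenario_static_fwd(true));
    printf("case 2, dynamic fwd, forward:   old=%d new=%d\n",
           scenario_dynamic_fwd(false, true), scenario_dynamic_fwd(true, true));
    printf("case 2, dynamic fwd, reverse:   old=%d new=%d\n",
           scenario_dynamic_fwd(false, false), scenario_dynamic_fwd(true, false));
    printf("case 3, fwd after dynamic rule: old=%d new=%d\n",
           scenario_fwd_after_dynamic(false), scenario_fwd_after_dynamic(true));
    return 0;
}
```

Cases 1 and 2 give the same answer under both conditions; only case 3 differs, where the old test saw non-NULL `q` with a non-forward direction and refused to forward even though the fwd rule being executed was not the owner of that state. That is the situation Vadim describes as a "subroutine" running after a dynamic match, and it is also the case that will need re-checking if the dynamic-rule lookup or the set of direction-dependent opcodes changes.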
