From: Julian Elischer
Date: Tue, 26 Oct 2004 11:19:16 -0700
To: John Hay
Cc: freebsd-current@freebsd.org, Andre Oppermann
Subject: Re: make buildkernel failed related to ip_divert module

John Hay wrote:

>>>Is there any harm in making IPFIREWALL_FORWARD default for the ipfw
>>>module? For that matter, why have a separate FORWARD option and not
>>>just have it as part of the standard firewall stuff?
>>>
>>The reason is simple. FORWARD modifies the entire ip_input(), ip_output()
>>and tcp_input() path. This is not something that should be in stock kernels
>>unless you want to use 'ipfw fwd' (which is only a minority).
>>
>
>Ok, what about another module, called say ipfwfwd or something, that is
>ipfw compiled with forwarding? Then one can just load the one
>appropriate for you.
>

No, you misunderstood what he said. The IPFIREWALL_FORWARD option not
only modifies the ipfw module but also modifies the IP stack. A special
ipfw module would only have done half the change. I don't know how it
would fail... catastrophic or not, but it would definitely fail to work.