Date:      Thu, 20 Apr 2006 15:59:14 +0300 (EEST)
From:      Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To:        Ari Suutari <ari@suutari.iki.fi>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Getting kern/82724 (ipfw defaultroute/setnexthop) committed
Message-ID:  <20060420154345.E79546@atlantis.atlantis.dp.ua>
In-Reply-To: <444732F8.4040006@suutari.iki.fi>
References:  <444732F8.4040006@suutari.iki.fi>


Hello!

On Thu, 20 Apr 2006, Ari Suutari wrote:
> I have now been running two firewalls with
> the patch included in kern/82724 since the PR was
> created (since June, 2005). Works ok, not a single panic
> or other problem.

  I also think that both 'setnexthop' and 'defaultroute' are very useful
missing features. I'd even say that they are more significant omissions than
the ignored "in/out/via any" (kern/95084). I'd like to see both PRs committed.
It's really hard, e.g., to count and shape overall traffic via interface
if you're forwarding it there via several 'fwd' actions w/o having
'setnexthop'.

  I have just one question about 'setnexthop': does it actualize the xmit
interface name? E.g., say a packet was originally routed via interface ed0,
but we've forwarded it out via fxp0:

00100 fwd $fxp_gw all from $user to any out via ed0
00150 count all from any to any out via fxp0

Will our packet match the 150th rule? I really hope so, otherwise it isn't as
useful as it could be. Haven't checked it myself, but from a quick look
over the patch I'm afraid it doesn't change the xmit interface name.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
