Hi Andrey V. Elsukov! On Wed, 1 Jun 2011 19:44:52 +0000 (UTC); Andrey V. Elsukov <a...@freebsd.org> wrote:
> Log:
> O_FORWARD_IP is only action which depends from the result of lookup of
> dynamic rules. We are doing forwarding in the following cases:
> o For the simple ipfw fwd rule, e.g.
>
> fwd 10.0.0.1 ip from any to any out xmit em0
> fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1
>
> o For the dynamic fwd rule, e.g.
>
> fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state
>
> When this rule triggers it creates a dynamic rule, but this
> dynamic rule should forward packets only in forward direction.
>
> o And the last case that does not work before - simple fwd rule which
> triggers when some dynamic rule is already executed.

[...]

> case O_FORWARD_IP:
> if (args->eh) /* not valid on layer2 pkts */
> break;
> - if (!q || dyn_dir == MATCH_FORWARD) {
> + if (q == NULL || q->rule != f ||
> + dyn_dir == MATCH_FORWARD) {
> struct sockaddr_in *sa;
> sa = &(((ipfw_insn_sa *)cmd)->sa);

The log is not clear about the purpose of the last case: it is used to make a "subroutine" on the execution of a dynamic rule instead of only one action (it is clear only from both PRs, which takes much time to grok rulesets).

Also, it is questionable whether this patch will stay correct in the future when dynamic rules are changed, and/or new opcodes (depending on packet direction) are added. We should keep this place in mind for such future changes now.

--
WBR, Vadim Goncharov. ICQ#166852181
mailto:vadim_nucli...@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
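Review bot: the new `q->rule != f` clause in the O_FORWARD_IP condition carries no comment, and its purpose cannot be read from the code alone. Assuming `f` is the rule currently being evaluated, the test now forwards in three situations: no dynamic rule matched (`q == NULL`), the matched dynamic rule belongs to a different rule (`q->rule != f`), or the packet is in the forward direction of the state (`dyn_dir == MATCH_FORWARD`). A short comment above the `if` listing these cases would keep the intent next to the code instead of only in the commit log. It should also state that in the second case `dyn_dir` is not consulted at all, so a plain fwd rule reached after another rule's state matched forwards packets in either direction of that flow; anyone later adding a direction-dependent opcode or changing how dynamic rules are looked up needs that stated here to re-check this condition.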