On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
> I'm trying to set up spamd on my firewall system.
> 
> The configuration is tricky because my upstream provider
> (Verizon) only gives me 5 IPs, all on the same subnet.
> 
> The firewall system is acting as a bridge and as a router.

I've been looking through pf.c, if_bridge.c in -current.
The changes seem to answer some of my complaints.
I'm going to have to update & run some tests...

I hope all of the team's effort has made this much, much better.

There's one set of tests at lines 5770-5773 of net/pf.c:

        kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
        kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;

        if (action == PF_PASS || r->action == PF_DROP) {

Where I wonder if the tests for PF_PASS should also
include PF_DIVERT? It looks like PF_DIVERT packets would
be incorrectly accounted for in the two single
lines and completely missed in the large block.

   thanks
   geoff
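To make the accounting question in the message concrete, here is an added example (not code from pf.c or from the message's author) that models the two quoted counter updates. The `PF_PASS`/`PF_DROP`/`PF_DIVERT` and `PF_IN`/`PF_OUT` values, the `pfi_kif_model` struct and the four-packet trace are all constructed for illustration; the real definitions live in net/pfvar.h and are not reproduced here. The second accounting variant only models the alternative the message asks about and is not a change that exists in pf.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for pf's action and direction codes (assumption:
 * the real values in net/pfvar.h differ; only their inequality matters). */
enum { PF_PASS = 0, PF_DROP = 1, PF_DIVERT = 2 };
enum { PF_IN = 1, PF_OUT = 2 };

/* Model of the per-interface counters indexed as in the quoted lines:
 * [0]            the address-family slot used by the quoted code,
 * [dir == PF_OUT] 1 for outbound packets, 0 for inbound,
 * [blocked]      1 when the packet was not passed, 0 when it was. */
struct pfi_kif_model {
    unsigned long long pfik_packets[2][2][2];
    unsigned long long pfik_bytes[2][2][2];
};

/* Accounting exactly as the quoted lines do it: every action other than
 * PF_PASS, PF_DIVERT included, is counted in the "not passed" slot. */
void account_as_quoted(struct pfi_kif_model *kif, int dir, int action,
                       unsigned int len)
{
    kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += len;
    kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
}

/* Hypothetical alternative from the message: treat PF_DIVERT like PF_PASS
 * for accounting, so only genuinely dropped packets count as blocked. */
void account_divert_as_pass(struct pfi_kif_model *kif, int dir, int action,
                            unsigned int len)
{
    int blocked = (action != PF_PASS && action != PF_DIVERT);
    kif->pfik_bytes[0][dir == PF_OUT][blocked] += len;
    kif->pfik_packets[0][dir == PF_OUT][blocked]++;
}

/* One constructed packet of the trace: direction, action, length. */
struct trace_pkt { int dir; int action; unsigned int len; };

/* Constructed trace: one passed inbound, one dropped inbound,
 * two diverted outbound packets. */
static const struct trace_pkt trace[] = {
    { PF_IN,  PF_PASS,   100 },
    { PF_IN,  PF_DROP,   200 },
    { PF_OUT, PF_DIVERT, 300 },
    { PF_OUT, PF_DIVERT, 400 },
};

/* Runs the trace through one accounting variant and fills the model. */
void run_trace(struct pfi_kif_model *kif, int divert_as_pass)
{
    size_t i;
    memset(kif, 0, sizeof(*kif));
    for (i = 0; i < sizeof(trace) / sizeof(trace[0]); i++) {
        if (divert_as_pass)
            account_divert_as_pass(kif, trace[i].dir, trace[i].action, trace[i].len);
        else
            account_as_quoted(kif, trace[i].dir, trace[i].action, trace[i].len);
    }
}

/* Outbound packets counted as "not passed" after the trace. */
unsigned long long blocked_out_packets(int divert_as_pass)
{
    struct pfi_kif_model kif;
    run_trace(&kif, divert_as_pass);
    return kif.pfik_packets[0][1][1];
}

/* Outbound bytes counted as "passed" after the trace. */
unsigned long long passed_out_bytes(int divert_as_pass)
{
    struct pfi_kif_model kif;
    run_trace(&kif, divert_as_pass);
    return kif.pfik_bytes[0][1][0];
}

int main(void)
{
    printf("as quoted:       out blocked pkts=%llu, out passed bytes=%llu\n",
           blocked_out_packets(0), passed_out_bytes(0));
    printf("divert as pass:  out blocked pkts=%llu, out passed bytes=%llu\n",
           blocked_out_packets(1), passed_out_bytes(1));
    return 0;
}
```

With the accounting as quoted, both diverted outbound packets are reported in the blocked slot, which is the behaviour the message questions; with the alternative, the same packets and their 700 bytes appear as passed.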
