On Fri, Mar 16, 2001 at 09:02:15AM -0600, Nick Rogness wrote:
> On Fri, 16 Mar 2001, Ruslan Ermilov wrote:
>
> > Pretty much correct.
> >
> > 1) kernel sends packet to divert socket
> > 2) natd reads from divert socket
> > 3) natd screws with it
> > 4) natd writes the packet to divert socket; the packet
> > is treated as a completely new entity
> > 5) divert socket's output routine reinjects the packet
> > back "into the normal kernel IP packet processing", not into
> > firewall
>
> Hmm. You pass it a 'tag' which, I thought, is the ipfw
> rule number of the firewall after which rule processing should
> restart. I think I understand your point though.
>
I wanted to point out to you that div_output() (netinet/ip_divert.c) does not
call IPFW directly; it is passed a tag from the user process, and it then
calls either ip_input() or ip_output() depending on whether the packet
was written as incoming or outgoing; thus it is ip_input() or
ip_output() that check with IPFW.
Cheers,
--
Ruslan Ermilov Oracle Developer/DBA,
[EMAIL PROTECTED] Sunbay Software AG,
[EMAIL PROTECTED] FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
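The flow Ruslan describes, as an added illustration that is not part of the thread and not FreeBSD's natd: a minimal divert-socket pass-through daemon. It assumes a FreeBSD host with an ipfw rule such as `ipfw add 100 divert 8668 ip from any to any via em0` (rule number, divert port and interface are assumed values) and root privileges. The tag the kernel hands back in the sockaddr carries the diverting rule number in sin_port, and sin_addr distinguishes incoming from outgoing; writing the packet back with that same tag is what makes it a "new" packet that div_output() passes to ip_input() or ip_output(), which then consult ipfw again. The checksum and source-rewrite helpers show the kind of edit natd makes before reinjecting (IP header only; a real NAT also fixes the TCP/UDP checksum).

```c
/* Added example: minimal divert-socket pass-through (not natd's code).
 * Assumes FreeBSD, ipfw, and a rule "divert 8668 ... via em0" (assumed). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's divert pseudo-protocol number */
#endif
#define DIVERT_PORT 8668     /* must match the port in the ipfw divert rule */

/* The kernel reports the diverting ipfw rule in sin_port; writing the packet
 * back with the same sockaddr makes ipfw resume after that rule once
 * ip_input()/ip_output() hand the reinjected packet to the firewall again. */
unsigned resume_rule(const struct sockaddr_in *tag)
{
    return ntohs(tag->sin_port);
}

/* sin_addr is the receiving interface address for an incoming packet and
 * INADDR_ANY for an outgoing one; div_output() reads the same field to choose
 * ip_input() versus ip_output() when the packet is written back. */
int tag_is_incoming(const struct sockaddr_in *tag)
{
    return tag->sin_addr.s_addr != htonl(INADDR_ANY);
}

/* RFC 1071 ones-complement checksum over a buffer (result in host order). */
uint16_t in_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)buf[i] << 8 | buf[i + 1];
    if (i < len)
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the IPv4 source address and refresh the header checksum, the kind
 * of edit natd performs before reinjecting.  Only the IP header is fixed;
 * a real NAT must also update the TCP/UDP checksum (pseudo-header). */
int rewrite_src(uint8_t *pkt, size_t len, uint32_t new_src_host_order)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                          /* not a complete IPv4 header */
    size_t hlen = (pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return -1;
    uint32_t src = htonl(new_src_host_order);
    memcpy(pkt + 12, &src, 4);
    pkt[10] = pkt[11] = 0;                  /* zero the field before summing */
    uint16_t ck = in_cksum(pkt, hlen);
    pkt[10] = ck >> 8;
    pkt[11] = ck & 0xff;
    return 0;
}

int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }

    struct sockaddr_in bindaddr;
    memset(&bindaddr, 0, sizeof bindaddr);
    bindaddr.sin_family = AF_INET;
    bindaddr.sin_port = htons(DIVERT_PORT);  /* divert port, not a TCP/UDP port */
    if (bind(fd, (struct sockaddr *)&bindaddr, sizeof bindaddr) < 0) {
        perror("bind"); return 1;
    }

    static uint8_t pkt[65535];
    for (;;) {
        struct sockaddr_in tag;
        socklen_t taglen = sizeof tag;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0,
                             (struct sockaddr *)&tag, &taglen);
        if (n < 0) { perror("recvfrom"); break; }
        fprintf(stderr, "%s packet, %zd bytes, diverted by rule %u\n",
                tag_is_incoming(&tag) ? "incoming" : "outgoing",
                n, resume_rule(&tag));
        /* Pass-through: write it back unchanged with the same tag.  To the
         * kernel this is a new packet: div_output() calls ip_input() or
         * ip_output(), which consult ipfw from resume_rule(&tag) onwards. */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&tag, taglen) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
```

The socket calls only succeed on FreeBSD as root; the tag and checksum helpers are portable and can be exercised on any system with a constructed header.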