On Thu, May 13, 2004 at 06:48:56AM -0700, Luigi Rizzo wrote:
> 2.- all other firewall-generated TCP packets (rst and keepalives)
> go through send_pkt() and then bypass the firewall.
> The only way we could safely go through the firewall again is
> to make sure that we never send a RST in re
On Thu, May 13, 2004 at 05:55:05PM +0800, Eugene Grosbein wrote:
...
> > removing the M_SKIP_FIREWALL would let ipfw process the
> > packet too. HOWEVER: i think it is a bug in the general case
> > to reprocess internally-generated packet, because you would rely
> > on a correct ipfw configuration
On Thu, May 13, 2004 at 05:55:05PM +0800, Eugene Grosbein wrote:
E> Please make it possible (using sysctl or any other mean) to
E> disable M_SKIP_FIREWALL for such packets (I suppose 'unreach' rules
E> are affected too). I DO need to process ALL outgoing packets.
E> For example, I must use 'ipfw fw
Luigi Rizzo wrote:
> > Please check. I suspect it does not enter ipfw itself,
>
> yes it does skip the firewall, see ip_fw2.c:send_pkt() near the
> end:
>
> ip_rtaddr(ip->ip_dst, &sro);
> --->m->m_flags |= M_SKIP_FIREWALL;
> ip_output(m, NULL, &sro, 0, NULL, NULL);
>
> remov
On Thu, May 13, 2004 at 05:31:46PM +0800, Eugene Grosbein wrote:
> Luigi Rizzo wrote:
>
> > > When a rule 'reset tcp' matches, a kernel generates new TCP packet.
> > > Will it have to go through ipfw list (from the beginning or not)?
> >
> > ipfw2 uses an mbuf flag to bypass the firewall - I am n
On Thu, May 13, 2004 at 05:31:46PM +0800, Eugene Grosbein wrote:
E> > > When a rule 'reset tcp' matches, a kernel generates new TCP packet.
E> > > Will it have to go through ipfw list (from the beginning or not)?
E> >
E> > ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
E> > on
Luigi Rizzo wrote:
> > When a rule 'reset tcp' matches, a kernel generates new TCP packet.
> > Will it have to go through ipfw list (from the beginning or not)?
>
> ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
> only used it for the keepalives or also for TCP reset packets
On Thu, May 13, 2004 at 05:00:47PM +0800, Eugene Grosbein wrote:
> Hi!
>
> When a rule 'reset tcp' matches, a kernel generates new TCP packet.
> Will it have to go through ipfw list (from the beginning or not)?
ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
only used it for t
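The mechanism the thread keeps coming back to (send_pkt() marks the RST or keepalive it builds with M_SKIP_FIREWALL, so ip_output() never hands it to the ruleset, and re-processing it is only safe if a RST can never provoke another RST) is easier to see in a small model. The following is an added example written for this page; it is a toy in plain C, not FreeBSD source. Only the names M_SKIP_FIREWALL, send_pkt() and ip_output() come from the thread. The rule table, the knobs skip_fw_for_generated (ipfw2's behaviour) and never_rst_to_rst (Luigi's precondition), the host numbers and the depth cap are assumptions made up for the illustration; no such sysctl exists or is claimed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the ipfw2 behaviour discussed in the thread.  NOT FreeBSD
 * source: only M_SKIP_FIREWALL, send_pkt() and ip_output() are names from
 * the thread; the rest is a deliberate simplification.
 */
#define M_SKIP_FIREWALL 0x01
#define TH_SYN          0x02
#define TH_RST          0x04
#define MAX_DEPTH       8     /* cuts off a runaway RST loop in the model */

struct mbuf { unsigned m_flags; uint32_t ip_src, ip_dst; uint8_t th_flags; };

enum action { ACT_ALLOW, ACT_DENY, ACT_RESET };
struct rule { uint32_t ip_dst; enum action act; };   /* "… to <host>" match */

struct stats { int fw_checks; int rsts_sent; int delivered; };

/* Hypothetical experiment knobs; neither is a real sysctl. */
struct knobs {
    int skip_fw_for_generated;  /* set M_SKIP_FIREWALL in send_pkt(), as ipfw2 does */
    int never_rst_to_rst;       /* never answer a RST with a RST */
};

struct ctx {
    const struct rule *rules; size_t nrules;
    struct knobs k; struct stats st; int depth;
};

static void ip_output(struct ctx *c, struct mbuf *m);

/* Firewall-generated reply, modelled on ip_fw2.c:send_pkt(). */
static void send_pkt(struct ctx *c, const struct mbuf *orig)
{
    struct mbuf m = { 0, orig->ip_dst, orig->ip_src, TH_RST };
    if (c->k.skip_fw_for_generated)
        m.m_flags |= M_SKIP_FIREWALL;    /* the line the thread points at */
    c->st.rsts_sent++;
    ip_output(c, &m);
}

/* First-match ruleset walk; default is allow. */
static enum action ipfw_chk(struct ctx *c, const struct mbuf *m)
{
    c->st.fw_checks++;
    for (size_t i = 0; i < c->nrules; i++)
        if (c->rules[i].ip_dst == m->ip_dst)
            return c->rules[i].act;
    return ACT_ALLOW;
}

static void ip_output(struct ctx *c, struct mbuf *m)
{
    if (++c->depth > MAX_DEPTH) { c->depth--; return; }
    if (m->m_flags & M_SKIP_FIREWALL) {   /* bypass: the ruleset never sees it */
        c->st.delivered++;
    } else {
        switch (ipfw_chk(c, m)) {
        case ACT_ALLOW: c->st.delivered++; break;
        case ACT_DENY:  break;
        case ACT_RESET:
            if (c->k.never_rst_to_rst && (m->th_flags & TH_RST))
                break;                     /* a RST must not provoke a RST */
            send_pkt(c, m);
            break;
        }
    }
    c->depth--;
}

/* Push one outgoing SYN from host 1 to host 2 through the model. */
struct stats run(int skip_fw_for_generated, int never_rst_to_rst)
{
    static const struct rule rules[] = {
        { 2, ACT_RESET },  /* like "reset tcp from any to host2" */
        { 1, ACT_RESET },  /* like "reset tcp from any to host1": catches the generated RST */
    };
    struct ctx c = { rules, 2, { skip_fw_for_generated, never_rst_to_rst }, { 0, 0, 0 }, 0 };
    struct mbuf syn = { 0, 1, 2, TH_SYN };
    ip_output(&c, &syn);
    return c.st;
}

int main(void)
{
    struct stats a = run(1, 0), b = run(0, 1), d = run(0, 0);
    printf("ipfw2 default (flag set)       : fw_checks=%d rsts=%d\n", a.fw_checks, a.rsts_sent);
    printf("re-process, RST-to-RST guarded : fw_checks=%d rsts=%d\n", b.fw_checks, b.rsts_sent);
    printf("re-process, no guard (loops)   : fw_checks=%d rsts=%d\n", d.fw_checks, d.rsts_sent);
    return 0;
}
```

With the flag set the generated RST is delivered after a single ruleset walk, which is why a 'fwd' or 'count' rule for outgoing packets never sees it. Dropping the flag makes the RST visible to the ruleset, but with a second 'reset' rule in the way the model only terminates because the guard refuses to answer a RST with a RST; without the guard the two rules feed each other until the depth cap stops it.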