Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5
From: Maxim Konovalov (maxim_at_macomnet.ru)
Date: 12/04/04
- Previous message: Andre Oppermann: "Re: route cacheing for gif(4) should be optional"
- In reply to: Andre Oppermann: "Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5"
- Next in thread: Gleb Smirnoff: "Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5"
- Reply: Gleb Smirnoff: "Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 5 Dec 2004 00:53:52 +0300 (MSK) To: Andre Oppermann <andre@freebsd.org>
On Sat, 4 Dec 2004, 21:37+0100, Andre Oppermann wrote:
[...]
> > Investigating pre-PFIL_HOOKS ipfw I have not found any analog of
> > this check. These checks do break some useful functionality:
> >
> > 1) policy routing of hosts from connected networks
> > 2) policy routing of locally originated traffic
> >
> > The second one is used very widely. When you have lines to two
> > ISPs and run natd for both of them, you policy route nated packets
> > to them.
>
> I know. On the other hand having these checks avoids breaking responses
> from the host doing the policy routing towards hosts on connected networks.
>
> In my case I had a problem where the MTU of the policy-routing target
> interface was lower than 1500 but the ICMP fragmentation needed packets
> never made it back to the real host; they were forwarded to the policy
> destination.
>
> This is how I came to this check. It is more correct but indeed breaks
> forwarding packets that were targeted at an IP address configured on a
> local interface. This is an unintended side effect but I haven't found
> a nice solution to work around that. I'm not entirely sure what the
> best way is to handle this and it's also the reason why I haven't changed
> it so far.
>
> If you have suggestions I'm all ears. But think through all cases at least
> twice, there are some nice traps. Fixing one end without breaking another
> one is hard.
IMHO restoring the historic behaviour (even broken in some respects)
is the best thing we can do at the moment.
> > P.S. kern/73129, kern/73910, kern/71910
-- Maxim Konovalov _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Andre Oppermann: "Re: route cacheing for gif(4) should be optional"
- In reply to: Andre Oppermann: "Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5"
- Next in thread: Gleb Smirnoff: "Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5"
- Reply: Gleb Smirnoff: "Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
