Re: kern/73129: [patch] IPFW misbehaviour in RELENG_5
From: Maxim Konovalov (maxim_at_macomnet.ru)
Date: Sun, 5 Dec 2004 00:53:52 +0300 (MSK) To: Andre Oppermann <firstname.lastname@example.org>
On Sat, 4 Dec 2004, 21:37+0100, Andre Oppermann wrote:
> > Investigating pre-PFIL_HOOKS ipfw I have not found any analog of
> > this check. These checks do break some useful functionality:
> > 1) policy routing of hosts from connected networks
> > 2) policy routing of locally originated traffic
> > The second one is used very widely. When you have lines to two
> > ISPs and run natd for both of them, you policy route nated packets
> > to them.
> I know. On the other hand having these checks avoids breaking responses
> from the host doing the policy routing towards hosts on connected networks.
> In my case I had a problem where the MTU of the policy-routing target
> interface was lower than 1500 but the ICMP fragmentation needed packets
> never made it back to the real host; they were forwarded to the policy
> This is how I came to this check. It is more correct but indeed breaks
> forwarding packets that were targeted at an IP address configured on a
> local interface. This is an unintended side effect but I haven't found
> a nice solution to work around that. I'm not entirely sure what the
> best way is to handle this and it's also the reason why I haven't changed
> it so far.
> If you have suggestions I'm all ears. But think through all cases at least
> twice, there are some nice traps. Fixing one end without breaking another
> one is hard.
IMHO restoring the historic behaviour (even broken in some respects)
is the best thing we can do at the moment.
> > P.S. kern/73129, kern/73910, kern/71910
-- Maxim Konovalov _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "firstname.lastname@example.org"