Policy routing idea (Was: ipfw: Would it be possible to
continue processing rest of rules after match ?)
Jeremie Le Hen
jeremie at le-hen.org
Wed Jun 22 18:33:48 GMT 2005
Hi Luigi,
> yes but it is a different action and you may want both types
> of rules in the same ruleset, so a sysctl is out of discussion.
> I really believe the "setnexthop" action is the best approach.
IMHO, making the "fwd" action non-terminal (as the "count" action)
is the best way to achieve this. When net.inet.ip.fw.one_pass is set
to 1, then it will behave like actually. When set to 0, the user
will have to explicitly use an "accept" or a "skipto" rule to stop
going through the rules, in the same way you would do it for a
"pipe" action.
However, the main problem with this approach is that it breaks POLA.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
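As an added example that is not part of the thread, a small Python simulation of the rule-walking semantics proposed above: "fwd" stays terminal when one_pass is 1 and becomes non-terminal (like "count") when one_pass is 0, so a later "accept", "deny" or "skipto" decides the packet's fate. The ruleset, addresses and the five-action vocabulary are constructed for illustration, and matching is deliberately simplified.

```python
# Added example (not code from the mailing-list thread or from ipfw itself):
# a toy rule walker modelling the proposal that "fwd" be non-terminal when
# the net.inet.ip.fw.one_pass sysctl is 0. Only "count", "fwd", "accept",
# "deny" and "skipto" are modelled; a rule matches when every field it
# names equals the packet's field.

def match(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def walk(rules, pkt, one_pass):
    """Walk a ruleset sorted by number; return (verdict, nexthop, rules_hit)."""
    nexthop, hit, i = None, [], 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not match(rule, pkt):
            continue
        hit.append(rule["num"])
        act = rule["action"]
        if act == "count":
            continue                         # always non-terminal
        if act == "fwd":
            nexthop = rule["arg"]
            if one_pass:
                return "fwd", nexthop, hit   # current behaviour: terminal
            continue                         # proposed: keep walking
        if act == "skipto":
            # jump to the first rule numbered >= target, else fall off the end
            i = next((j for j, r in enumerate(rules) if r["num"] >= rule["arg"]),
                     len(rules))
            continue
        if act in ("accept", "deny"):
            return act, nexthop, hit
    return "deny", nexthop, hit              # implicit default rule

# Constructed ruleset: forward web traffic to a proxy, then still let the
# later rules decide whether the packet is allowed through at all.
RULES = [
    {"num": 100, "match": {"dport": 80},         "action": "fwd",    "arg": "10.0.0.1"},
    {"num": 150, "match": {"src": "198.51.100.7"}, "action": "skipto", "arg": 300},
    {"num": 200, "match": {"src": "192.0.2.9"},    "action": "deny"},
    {"num": 300, "match": {},                      "action": "accept"},
]

if __name__ == "__main__":
    bad_web = {"src": "192.0.2.9", "dport": 80}
    print(walk(RULES, bad_web, one_pass=1))   # forwarded, deny at 200 never seen
    print(walk(RULES, bad_web, one_pass=0))   # nexthop set, but rule 200 denies
```

With one_pass=0 the blocked host's web packet is still denied by rule 200, which is exactly the difference the proposal introduces and why an explicit "accept" or "skipto" is needed after a "fwd".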