Bug 60377

Summary: [patch] to make "ipfw tee" behave as intended.
Product: Base System
Reporter: P Kern <pak>
Component: kern
Assignee: Andre Oppermann <andre>
Status: Closed FIXED
Severity: Affects Only Me
CC: pak
Priority: Normal    
Version: 4.9-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description P Kern 2003-12-18 22:50:20 UTC
	Currently with "ipfw tee" [as noted in ipfw(8)]
	  "the search terminates and the original packet is accepted."
	Here is a patch to make "ipfw tee" behave as intended(?).
	With this patch, after a matching packet is sent to the divert
	socket, instead of terminating the search and accepting the
	packet, the search continues so that the packet is checked
	against any further IPFW rules.

	Hope this helps.

Fix: *** sys/netinet/ip_input.c	2003/12/17 16:20:23	1.1
--- sys/netinet/ip_input.c	2003/12/17 19:49:21
***************
Comment 1 Peter Pentchev freebsd_committer freebsd_triage 2003-12-19 06:55:43 UTC
Responsible Changed
From-To: freebsd-bugs->luigi

Over to the IPFW author/maintainer.
Comment 2 P Kern 2004-01-15 21:46:31 UTC
Sorry but this patch as it is now will break "ipfw divert".
The problem is that in the change to ip_input.c, the final
'return;' should follow the 'if (clone != NULL) { ... }'
portion instead of being inside it.
i.e. where it now reads ....

	if (clone != NULL) {
		...
		return;
	}

... it should instead read ...

	if (clone != NULL) {
		...
	}
	return;


Sorry about that. Hope this helps. pak.
Comment 3 Andre Oppermann freebsd_committer freebsd_triage 2004-08-24 19:10:04 UTC
Responsible Changed
From-To: luigi->andre

Take over.
Comment 4 Andre Oppermann freebsd_committer freebsd_triage 2004-09-09 13:27:06 UTC
State Changed
From-To: open->closed

Ipfw tee will not be fixed in 4.x due to complexity.  For 5.x a fix has been prepared 
and is tracked under kern/64240.
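
The two "ipfw tee" behaviours discussed in this report, the documented one where the search terminates and the packet is accepted and the intended one where the search continues, differ in whether rules placed after the tee rule still apply. The following is an added example, not code from the report or from FreeBSD: a simplified first-match model in which the rule numbers, the port-only matching and every identifier are hypothetical.

```c
#include <stdio.h>

/* Simplified model, not FreeBSD kernel code: rules match on destination port only. */
enum action { ALLOW, DENY, TEE };
enum tee_mode { TEE_TERMINATES, TEE_CONTINUES };

struct rule { int number; int dst_port; enum action act; };  /* dst_port 0 = any */
struct verdict { int accepted; int copies_to_divert; int last_rule; };

/* First-match walk over the rules; only the handling of TEE differs by mode. */
struct verdict evaluate(const struct rule *rules, int n, int dst_port, enum tee_mode mode)
{
    struct verdict v = { 0, 0, 0 };
    for (int i = 0; i < n; i++) {
        if (rules[i].dst_port != 0 && rules[i].dst_port != dst_port)
            continue;
        v.last_rule = rules[i].number;
        switch (rules[i].act) {
        case TEE:
            v.copies_to_divert++;          /* a copy goes to the divert socket */
            if (mode == TEE_TERMINATES) {  /* behaviour quoted from ipfw(8) */
                v.accepted = 1;
                return v;
            }
            break;                         /* intended behaviour: keep searching */
        case ALLOW:
            v.accepted = 1;
            return v;
        case DENY:
            v.accepted = 0;
            return v;
        }
    }
    return v;  /* nothing matched: modelled as deny (assumption of this example) */
}

/* Constructed sample ruleset: a tee rule placed ahead of a deny for the same port. */
static const struct rule sample[] = {
    { 100, 80, TEE }, { 200, 80, DENY }, { 300, 0, ALLOW },
};

int main(void)
{
    struct verdict a = evaluate(sample, 3, 80, TEE_TERMINATES);
    struct verdict b = evaluate(sample, 3, 80, TEE_CONTINUES);
    printf("terminates: accepted=%d rule=%d copies=%d\n", a.accepted, a.last_rule, a.copies_to_divert);
    printf("continues:  accepted=%d rule=%d copies=%d\n", b.accepted, b.last_rule, b.copies_to_divert);
    return 0;
}
```

In the terminating mode the tee rule acts as an accept, so the deny at rule 200 is never reached; when auditing a ruleset on a system with that behaviour, treat every tee rule as an allow for ordering purposes.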