Currently with "ipfw tee" [as noted in ipfw(8)] "the search terminates and the original packet is accepted." Here is a patch to make "ipfw tee" behave as intended(?). With this patch, after a matching packet is sent to the divert socket, instead of terminating the search and accepting the packet, the search continues so that the packet is checked against any further IPFW rules. Hope this helps.

Fix:

*** sys/netinet/ip_input.c 2003/12/17 16:20:23 1.1
--- sys/netinet/ip_input.c 2003/12/17 19:49:21
***************
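To make the practical difference concrete, here is an added example (not part of this PR and not FreeBSD kernel code) that models the ipfw rule search as a small C simulation. The ruleset, rule numbers and the "tee everything, then deny telnet" ordering are constructed for illustration; the two walk modes correspond to the 4.x behaviour quoted from ipfw(8) (tee terminates the search and accepts) and the behaviour the patch aims for (the search continues past the tee rule). The point it shows: under the 4.x semantics, a deny placed after a broad tee rule is never reached, so the tee effectively allows the traffic.

```c
/* Added example: a toy model of the ipfw rule search, written to show why
 * "tee terminates and accepts" matters for rules placed after the tee.
 * Nothing here touches a divert socket; the ruleset is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum action { ACT_ALLOW = 0, ACT_DENY = 1, ACT_TEE = 2 };

struct rule {
    int number;
    enum action act;
    const char *proto;     /* "ip" matches any protocol */
    unsigned short dport;  /* 0 matches any destination port */
};

struct packet {
    const char *proto;
    unsigned short dport;
};

static bool rule_matches(const struct rule *r, const struct packet *p)
{
    if (strcmp(r->proto, "ip") != 0 && strcmp(r->proto, p->proto) != 0)
        return false;
    if (r->dport != 0 && r->dport != p->dport)
        return false;
    return true;
}

/* Walk the rules in order. tee_continues=false models the 4.x behaviour
 * quoted from ipfw(8); tee_continues=true models the intended behaviour.
 * tee_copies counts how many copies would have gone to the divert socket. */
static enum action search(const struct rule *rules, size_t n,
                          const struct packet *p, bool tee_continues,
                          int *tee_copies)
{
    *tee_copies = 0;
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], p))
            continue;
        if (rules[i].act == ACT_TEE) {
            (*tee_copies)++;          /* copy handed to the divert socket */
            if (!tee_continues)
                return ACT_ALLOW;     /* 4.x: original packet is accepted */
            continue;                 /* patched: keep checking later rules */
        }
        return rules[i].act;
    }
    return ACT_DENY;                  /* default deny at end of ruleset */
}

/* Constructed ruleset: tee all traffic first, then deny telnet, allow rest. */
static const struct rule ruleset[] = {
    { 100, ACT_TEE,   "ip",  0  },
    { 200, ACT_DENY,  "tcp", 23 },
    { 300, ACT_ALLOW, "ip",  0  },
};
#define NRULES (sizeof(ruleset) / sizeof(ruleset[0]))

/* Verdict for a constructed TCP/23 packet under either tee semantics. */
int telnet_verdict(bool tee_continues)
{
    struct packet p = { "tcp", 23 };
    int copies;
    return (int)search(ruleset, NRULES, &p, tee_continues, &copies);
}

/* Number of tee copies produced for the same packet. */
int telnet_tee_copies(bool tee_continues)
{
    struct packet p = { "tcp", 23 };
    int copies;
    (void)search(ruleset, NRULES, &p, tee_continues, &copies);
    return copies;
}

int main(void)
{
    printf("4.x semantics: telnet %s, %d tee copy\n",
           telnet_verdict(false) == ACT_DENY ? "denied" : "allowed",
           telnet_tee_copies(false));
    printf("continue-after-tee: telnet %s, %d tee copy\n",
           telnet_verdict(true) == ACT_DENY ? "denied" : "allowed",
           telnet_tee_copies(true));
    return 0;
}
```

In both modes the divert socket still receives exactly one copy; only the fate of the original packet changes. If you rely on a deny rule that sits below a broad tee rule on a 4.x system, move the deny above the tee.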
Responsible Changed From-To: freebsd-bugs->luigi
Over to the IPFW author/maintainer.
Sorry but this patch as it is now will break "ipfw divert". The problem is that in the change to ip_input.c, the final 'return;' should follow the 'if (clone != NULL) { ... }' portion instead of being inside it. I.e. where it now reads:

    if (clone != NULL) { ... return; }

it should instead read:

    if (clone != NULL) { ... } return;

Sorry about that. Hope this helps. pak.
Responsible Changed From-To: luigi->andre
Take over.
State Changed From-To: open->closed
Ipfw tee will not be fixed in 4.x due to complexity. For 5.x a fix has been prepared and is tracked under kern/64240.