Re: ipf: interaction of "in" and "out" rules

To: tech-net%netbsd.org@localhost
Subject: Re: ipf: interaction of "in" and "out" rules
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Fri, 24 Jul 2015 08:59:24 -0400

On Fri, Jul 24, 2015 at 02:00:00PM +0200, Edgar Fu? wrote:
> The fist question is probably stupidly simple if you know the internals.
> 
> If I have a (non-quick) ipf rule blocking a packet on the incoming side, 
> will a rule on the outgoing side "see" that packet, i.e., is it possible
> to over-rule the "block in" decision with a "pass out" rule?

I believe the rulesets at each filter point are evaluated separately, so
while a non-"quick" input rule can be overriden by a later input rule, it
cannot be overridden by a rule applied at the output filter point.

That said, many years ago I worked on a system that did exactly what
you're asking, by using tags on the packets (sk_buffs not mbufs, since
this was Linux) to transport filter state from one filter point to
another.  I think it would be possible to do this with mbuf tags in
NetBSD but doing so in an efficient way could prove quite hard.

References:
- ipf: interaction of "in" and "out" rules
  - From: Edgar Fuß

Prev by Date: ipf: interaction of "in" and "out" rules
Next by Date: Re: ipf: interaction of "in" and "out" rules
Previous by Thread: ipf: interaction of "in" and "out" rules
Next by Thread: Re: ipf: interaction of "in" and "out" rules
Indexes:

Home | Main Index | Thread Index | Old Index