Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
but should continue going through the rule list. This may be fixed
in a later version.
I hope to fix this soon in a separate commit.
This commit is contained in:
Archie Cobbs
parent
218ca1e3ef
commit
56345b0f5c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=54177
@ -374,7 +374,8 @@ Send a copy of packets matching this rule to the
|
||||
.Xr divert 4
|
||||
socket bound to port
|
||||
.Ar port .
|
||||
The search continues with the next rule. This feature is not yet implemented.
|
||||
The search terminates and the original packet is accepted
|
||||
(but see BUGS below).
|
||||
.It Ar fwd ipaddr Op ,port
|
||||
Change the next-hop on matching packets to
|
||||
.Ar ipaddr ,
|
||||
@ -428,12 +429,6 @@ A
|
||||
may be matched by name or identification number.
|
||||
.El
|
||||
.Pp
|
||||
If a packet matches more than one
|
||||
.Ar divert
|
||||
and/or
|
||||
.Ar tee
|
||||
rule, all but the last are ignored.
|
||||
.Pp
|
||||
If the kernel was compiled with
|
||||
.Dv IPFIREWALL_VERBOSE ,
|
||||
then when a packet matches a rule with the
|
||||
@ -710,10 +705,10 @@ for information on system security levels
|
||||
.Pc .
|
||||
.Sh PACKET DIVERSION
|
||||
A divert socket bound to the specified port will receive all packets diverted
|
||||
to that port; see
|
||||
or tee'd to that port; see
|
||||
.Xr divert 4 .
|
||||
If no socket is bound to the destination port, or if the kernel
|
||||
wasn't compiled with divert socket support, diverted packets are dropped.
|
||||
wasn't compiled with divert socket support, the packets are dropped.
|
||||
.Sh EXAMPLES
|
||||
This command adds an entry which denies all tcp packets from
|
||||
.Em cracker.evil.org
|
||||
@ -771,13 +766,14 @@ not accepted.
|
||||
.Pp
|
||||
Incoming packet fragments diverted by
|
||||
.Ar divert
|
||||
are reassembled before delivery to the socket, whereas fragments diverted via
|
||||
or
|
||||
.Ar tee
|
||||
are not.
|
||||
are reassembled before delivery to the socket.
|
||||
.Pp
|
||||
The
|
||||
.Dq tee
|
||||
action is unimplemented.
|
||||
Packets that match a
|
||||
.Ar tee
|
||||
rule should not be immediately accepted, but should continue
|
||||
going through the rule list. This may be fixed in a later version.
|
||||
.Sh AUTHORS
|
||||
.An Ugen J. S. Antsilevich ,
|
||||
.An Poul-Henning Kamp ,
|
||||
|
||||
@ -1132,9 +1132,6 @@ add(ac,av)
|
||||
else
|
||||
show_usage("illegal %s port", "tee divert");
|
||||
}
|
||||
#ifndef IPFW_TEE_IS_FINALLY_IMPLEMENTED
|
||||
err(EX_USAGE, "the ``tee'' action is not implemented");
|
||||
#endif
|
||||
} else if (!strncmp(*av,"fwd",strlen(*av)) ||
|
||||
!strncmp(*av,"forward",strlen(*av))) {
|
||||
struct in_addr dummyip;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user