o Note that packets diverted using a 'divert' socket, and then

reinserted by a userland process, will lose a number of packet attributes, including their source interface. This may affect the behavior of later rules, and while not strictly a BUG, may cause unexpected behavior if not clearly documented. A similar note for natd(8) might be desirable.
svn path=/head/; revision=88841
2002-01-03 01:00:23 +00:00 · 2002-01-03 01:00:23 +00:00 · e036a58dab · 2020-12-20 02:59:44 +00:00
commit e036a58dab
parent 4b2ee62a91
1 changed files with 9 additions and 0 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -1379,6 +1379,15 @@ Packets that match a
 rule should not be immediately accepted, but should continue
 going through the rule list.
 This may be fixed in a later version.
+.Pp
+Packets diverted to userland, and then reinserted by a userland process
+(such as
+.Xr natd 8 )
+will lose various packet attributes, including their source interface.
+If a packet is reinserted in this manner, later rules may be incorrectly
+applied, making the order of
+.Cm divert
+rules in the rule sequence very important.
 .Sh AUTHORS
 .An Ugen J. S. Antsilevich ,
 .An Poul-Henning Kamp ,