diff options
| author | archie <archie@FreeBSD.org> | 1999-12-06 01:00:24 +0000 |
|---|---|---|
| committer | archie <archie@FreeBSD.org> | 1999-12-06 01:00:24 +0000 |
| commit | a90457c20cb3c0a2d82d14c609f0167531b80ab6 (patch) | |
| tree | 3e072b4ec9c846f363b2fa87708af65dacd16ae1 /sbin | |
| parent | 661f325745c4c13bb5570263611779fbe78f8fd9 (diff) | |
| download | FreeBSD-src-a90457c20cb3c0a2d82d14c609f0167531b80ab6.zip FreeBSD-src-a90457c20cb3c0a2d82d14c609f0167531b80ab6.tar.gz | |
Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
but should continue going through the rule list. This may be fixed
in a later version.
I hope to fix this soon in a separate commit.
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/ipfw/ipfw.8 | 24 | ||||
| -rw-r--r-- | sbin/ipfw/ipfw.c | 3 |
2 files changed, 10 insertions, 17 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 7444b26..ffe431f 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -374,7 +374,8 @@ Send a copy of packets matching this rule to the .Xr divert 4 socket bound to port .Ar port . -The search continues with the next rule. This feature is not yet implemented. +The search terminates and the original packet is accepted +(but see BUGS below). .It Ar fwd ipaddr Op ,port Change the next-hop on matching packets to .Ar ipaddr , @@ -428,12 +429,6 @@ A may be matched by name or identification number. .El .Pp -If a packet matches more than one -.Ar divert -and/or -.Ar tee -rule, all but the last are ignored. -.Pp If the kernel was compiled with .Dv IPFIREWALL_VERBOSE , then when a packet matches a rule with the @@ -710,10 +705,10 @@ for information on system security levels .Pc . .Sh PACKET DIVERSION A divert socket bound to the specified port will receive all packets diverted -to that port; see +or tee'd to that port; see .Xr divert 4 . If no socket is bound to the destination port, or if the kernel -wasn't compiled with divert socket support, diverted packets are dropped. +wasn't compiled with divert socket support, the packets are dropped. .Sh EXAMPLES This command adds an entry which denies all tcp packets from .Em cracker.evil.org @@ -771,13 +766,14 @@ not accepted. .Pp Incoming packet fragments diverted by .Ar divert -are reassembled before delivery to the socket, whereas fragments diverted via +or .Ar tee -are not. +are reassembled before delivery to the socket. .Pp -The -.Dq tee -action is unimplemented. +Packets that match a +.Ar tee +rule should not be immediately accepted, but should continue +going through the rule list. This may be fixed in a later version. .Sh AUTHORS .An Ugen J. S. Antsilevich , .An Poul-Henning Kamp , diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c index 5a160dc..aaff7d4 100644 --- a/sbin/ipfw/ipfw.c +++ b/sbin/ipfw/ipfw.c @@ -1132,9 +1132,6 @@ add(ac,av) else show_usage("illegal %s port", "tee divert"); } -#ifndef IPFW_TEE_IS_FINALLY_IMPLEMENTED - err(EX_USAGE, "the ``tee'' action is not implemented"); -#endif } else if (!strncmp(*av,"fwd",strlen(*av)) || !strncmp(*av,"forward",strlen(*av))) { struct in_addr dummyip; |
