Re: pf af-to route output

2016-11-22 Thread Alexandr Nedvedicky
On Wed, Nov 23, 2016 at 01:43:59AM +0100, Mike Belopuhov wrote: > On 23 November 2016 at 01:42, Alexander Bluhm wrote: > > On Tue, Nov 22, 2016 at 01:44:09PM +0100, Mike Belopuhov wrote: > >> OK, all I wanted to know was if this is know to work and if it has > >> been

Re: pf af-to route output

2016-11-22 Thread Mike Belopuhov
On 23 November 2016 at 01:42, Alexander Bluhm wrote: > On Tue, Nov 22, 2016 at 01:44:09PM +0100, Mike Belopuhov wrote: >> OK, all I wanted to know was if this is know to work and if it has >> been tested. I'd argue that we don't put the code that doesn't work >> or not

Re: pf af-to route output

2016-11-22 Thread Alexander Bluhm
On Tue, Nov 22, 2016 at 01:44:09PM +0100, Mike Belopuhov wrote: > OK, all I wanted to know was if this is know to work and if it has > been tested. I'd argue that we don't put the code that doesn't work > or not tested or we don't know what it does :) After looking at all the cases, it will be

Re: pf af-to route output

2016-11-22 Thread Mike Belopuhov
On 22 November 2016 at 13:35, Alexander Bluhm wrote: > On Mon, Nov 21, 2016 at 10:47:34PM +0100, Mike Belopuhov wrote: >> On 21 November 2016 at 22:38, Alexandr Nedvedicky >> > The bluhm's change should not alter behavior of older code. >> Yes, it just adds something

Re: pf af-to route output

2016-11-22 Thread Mike Belopuhov
On 22 November 2016 at 13:35, Alexander Bluhm wrote: > On Mon, Nov 21, 2016 at 10:47:34PM +0100, Mike Belopuhov wrote: >> On 21 November 2016 at 22:38, Alexandr Nedvedicky >> > The bluhm's change should not alter behavior of older code. >> Yes, it just adds something

Re: pf af-to route output

2016-11-22 Thread Alexandr Nedvedicky
> So we have a kernel implementation that might work for a feature > that makes sense. Especially the reply-to could be useful. But > the parser is too dumb. I think we should fix the parser and then > test the kernel. I absolutely agree. regards sasha

Re: pf af-to route output

2016-11-22 Thread Alexander Bluhm
On Mon, Nov 21, 2016 at 10:47:34PM +0100, Mike Belopuhov wrote: > On 21 November 2016 at 22:38, Alexandr Nedvedicky > > The bluhm's change should not alter behavior of older code. > Yes, it just adds something new. I did not try to add something new, I have preserved what was there in

Re: pf af-to route output

2016-11-21 Thread Mike Belopuhov
On 21 November 2016 at 22:38, Alexandr Nedvedicky wrote: > I don't have my test bed ready to play with NAT-64 + PBR. The only think > I've > tried is the parser and it seems to me NAT-64 + PBR is problematic: > > echo 'pass in on net1 inet af-to

Re: pf af-to route output

2016-11-21 Thread Alexandr Nedvedicky
On Mon, Nov 21, 2016 at 07:11:23PM +0100, Mike Belopuhov wrote: > On Mon, Nov 14, 2016 at 16:38 +0100, Alexander Bluhm wrote: > > Hi, > > > > The !r->rt case is only used by af-to. pf_route6() calls ip6_output() > > to do the work while pf_route() has some custom implementation for > > that. It

Re: pf af-to route output

2016-11-21 Thread Mike Belopuhov
On Mon, Nov 14, 2016 at 16:38 +0100, Alexander Bluhm wrote: > Hi, > > The !r->rt case is only used by af-to. pf_route6() calls ip6_output() > to do the work while pf_route() has some custom implementation for > that. It is simpler to call ip_output() or ip6_output() from > pf_test() directly. >

Re: pf af-to route output

2016-11-21 Thread Alexander Bluhm
On Sat, Nov 19, 2016 at 09:07:11PM +1300, Richard Procter wrote: > Note, pf_route() calls pf_test() only if (pd->kif->pfik_ifp != ifp). > (I read this as 'pf changed the packet's interface'.) This check was added in the commit: revision 1.218 date: 2002/06/07

Re: pf af-to route output

2016-11-19 Thread Richard Procter
On Mon, 14 Nov 2016, Alexander Bluhm wrote: > Hi, > > The !r->rt case is only used by af-to. pf_route6() calls ip6_output() > to do the work while pf_route() has some custom implementation for > that. It is simpler to call ip_output() or ip6_output() from > pf_test() directly. > > ok? Note,

Re: pf af-to route output

2016-11-19 Thread Alexandr Nedvedicky
Hello, > The !r->rt case is only used by af-to. pf_route6() calls ip6_output() > to do the work while pf_route() has some custom implementation for > that. It is simpler to call ip_output() or ip6_output() from > pf_test() directly. It looks good to me. I'm O.K. with change. regards sasha

Re: pf af-to route output

2016-11-18 Thread Alexander Bluhm
On Mon, Nov 14, 2016 at 04:38:07PM +0100, Alexander Bluhm wrote: > Hi, > > The !r->rt case is only used by af-to. pf_route6() calls ip6_output() > to do the work while pf_route() has some custom implementation for > that. It is simpler to call ip_output() or ip6_output() from > pf_test()

pf af-to route output

2016-11-14 Thread Alexander Bluhm
Hi, The !r->rt case is only used by af-to. pf_route6() calls ip6_output() to do the work while pf_route() has some custom implementation for that. It is simpler to call ip_output() or ip6_output() from pf_test() directly. ok? bluhm Index: net/pf.c