From owner-freebsd-ipfw@FreeBSD.ORG Sat May 23 00:58:36 2015
Date: Fri, 22 May 2015 17:58:28 -0700
From: hiren panchasara
To: Jason Wolfe
Cc: Ian Smith, Julian Elischer, freebsd-ipfw@freebsd.org
Subject: Re: ipfw on just inbound and not outbound
Message-ID: <20150523005828.GL95600@strugglingcoder.info>
In-Reply-To: <20150521210505.GH95600@strugglingcoder.info>

On 05/21/15 at 02:05P, hiren panchasara wrote:
> On 05/21/15 at 12:42P, hiren panchasara wrote:
> > Getting back to this now to see if I can avoid ipfw on outgoing packets.
> >
> > @@ -500,7 +507,7 @@ ipfw_hook(int onoff, int pf)
> >  hook_func = (pf == AF_LINK) ? ipfw_check_frame : ipfw_check_packet;
> >  
> >  (void) (onoff ? pfil_add_hook : pfil_remove_hook)
> > - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
> > + (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh);
> >  
> >  return 0;
> >  }
> >
> > Should this do the right thing? I'll report back once I test this patch.
>
> I am still seeing ipfw_chk() getting called in my iperf test. Now, if I
> also remove PFIL_IN, i.e. if I do:
> - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
> + (hook_func, NULL, PFIL_WAITOK, pfh);
>
> I don't see ipfw_chk() getting triggered.
>
> Somehow incoming traffic is affecting the outgoing traffic?

It seems I screwed up something in testing and the following does seem to do
the right thing:

- (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
+ (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh);

I confirmed this with pmcstat callgraphs that ipfw_chk() is not getting
called in OUT direction.

Any thoughts on this? Is this something that can be upstreamed with a sysctl
knob if there is interest?

cheers,
Hiren
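Review bot: The `+` line in the ipfw_hook() hunk drops PFIL_OUT unconditionally, so every ipfw user loses outbound filtering, not just this host's iperf path: rules written with `out`, `setup keep-state` rules that expect to create dynamic state on the outgoing SYN, and outbound `nat`/`divert`/`fwd` actions silently stop matching, and nothing in the hunk records that this is intended. If this goes upstream behind the sysctl knob proposed in the message, keep the default at `PFIL_IN | PFIL_OUT` and fix the flag value per hook/unhook pair rather than re-reading the knob each time: the same expression feeds both pfil_add_hook and pfil_remove_hook, so a knob flipped while the hook is registered would hand pfil_remove_hook flags that no longer match the registered hook and leave the OUT-side hook in place. The AF_LINK (layer 2) hook goes through this same line, so it changes behaviour too.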