From owner-freebsd-bugs@FreeBSD.ORG Tue May 6 13:47:17 2003
From: "Pawel Malachowski"
Organization: unidentified flying modems
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Date: Tue, 06 May 2003 22:47:21 +0200
Message-ID: <3EB83B79.16633.10E9496@localhost>
Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible

Hello,

Here is some example:

(private IPs)LAN---(fxp1)BOX(fxp0)---Internet

There are:
. dummynet running on fxp0
. ipnat running on fxp0

Right now outgoing packets on fxp0 go through ipnat and then through dummynet. It is not possible to shape this traffic on a per-user basis (for example with a src-ip mask) because after ipnatting all packets have the same source IP.

Possible solutions are:
. use dummynet on fxp0
  This is not so good an idea if I have a huge number of local NICs and subnets because I have to make exceptions (ipfw skip) for local traffic. It is very easy and natural to use dummynet on the fxp0 interface for bandwidth limitation of `Internet' traffic.
. use natd instead of ipnat
  Successfully tested, but I simply prefer ipnat. :)

So, probably the packet flow should be:
incoming: IPFilter -> IPFW
outgoing: IPFW -> IPFilter

This code is `for private use' and is quite bad but does that (4.8):
http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff

I know the submitter tried something similar on his own, too. However, allowing the user to decide about the order (using sysctls?) would be the best solution.

regards,
-- 
Pawel Malachowski
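The ordering problem Pawel describes, as an added, self-contained model (not code from the post, not FreeBSD's ip_output or dummynet): a NAT step standing in for ipnat and a per-source-IP queue standing in for a dummynet pipe with a src-ip mask on the low byte. The LAN (10.0.0.0/24), public address (192.0.2.1), destination and host list are constructed values, and `egress_order` is a hypothetical switch that stands in for the sysctl-selectable order he proposes. Sending one packet from each of four LAN hosts, NAT-then-shape collapses everything into a single queue, shape-then-NAT yields one queue per host, and in both orders the packet that leaves the box carries the NAT'd source.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the outgoing path on fxp0. This is an illustration of the
 * ordering effect only; it is not the FreeBSD 4.8 code.
 */

struct pkt {
    uint32_t src;   /* IPv4 addresses in host byte order */
    uint32_t dst;
};

/* Constructed addresses: LAN is 10.0.0.0/24, the NAT'd public side is 192.0.2.1. */
#define LAN_NET        0x0A000000u
#define LAN_MASK       0xFFFFFF00u
#define NAT_PUBLIC_IP  0xC0000201u

/* dummynet-style flow mask: one queue per low byte of the source address. */
#define QUEUE_MASK     0x000000FFu
#define NQUEUES        256

struct shaper {
    unsigned pkts[NQUEUES];   /* packets seen per queue */
};

enum egress_order {
    NAT_THEN_SHAPE,   /* the order the post complains about: ipnat, then dummynet */
    SHAPE_THEN_NAT    /* the order the post proposes for outgoing packets */
};

/* Stand-in for ipnat on the outside interface: map any LAN source to the public IP. */
static void ipnat_out(struct pkt *p)
{
    if ((p->src & LAN_MASK) == LAN_NET)
        p->src = NAT_PUBLIC_IP;
}

/* Stand-in for a dummynet pipe with "mask src-ip 0x000000ff": pick the queue by masked source. */
static void dummynet_out(struct shaper *s, const struct pkt *p)
{
    s->pkts[p->src & QUEUE_MASK]++;
}

/* Pass one packet through the outgoing path in the requested order. */
static void egress(enum egress_order order, struct shaper *s, struct pkt *p)
{
    if (order == NAT_THEN_SHAPE) {
        ipnat_out(p);
        dummynet_out(s, p);
    } else {
        dummynet_out(s, p);
        ipnat_out(p);
    }
}

/* Count the shaper queues that received any traffic. */
static int queues_in_use(const struct shaper *s)
{
    int n = 0;
    for (int i = 0; i < NQUEUES; i++)
        if (s->pkts[i])
            n++;
    return n;
}

/*
 * Send one packet from each LAN host through the path and return how many
 * per-user queues the shaper ended up using. In either order the packet
 * that leaves the box must carry the NAT'd source, which is checked here.
 */
static int run_egress(enum egress_order order, const uint32_t *srcs, int n)
{
    struct shaper s;
    memset(&s, 0, sizeof s);
    for (int i = 0; i < n; i++) {
        struct pkt p = { srcs[i], 0xCB007101u };   /* destination 203.0.113.1, constructed */
        egress(order, &s, &p);
        assert(p.src == NAT_PUBLIC_IP);
    }
    return queues_in_use(&s);
}

/* Constructed LAN hosts 10.0.0.10 .. 10.0.0.13. */
static const uint32_t lan_hosts[] = {
    0x0A00000Au, 0x0A00000Bu, 0x0A00000Cu, 0x0A00000Du
};
#define NHOSTS 4

int main(void)
{
    printf("ipnat -> dummynet: %d queue(s) for %d hosts\n",
           run_egress(NAT_THEN_SHAPE, lan_hosts, NHOSTS), NHOSTS);
    printf("dummynet -> ipnat: %d queue(s) for %d hosts\n",
           run_egress(SHAPE_THEN_NAT, lan_hosts, NHOSTS), NHOSTS);
    return 0;
}
```

The shaper key is the only thing that changes between the two orders; the wire-visible source is the same either way, which is why the ordering is invisible to anything downstream and only shows up as every user sharing one pipe.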