Date:      Fri, 22 May 2015 17:58:28 -0700
From:      hiren panchasara <hiren@strugglingcoder.info>
To:        Jason Wolfe <nitroboost@gmail.com>
Cc:        Ian Smith <smithi@nimnet.asn.au>, Julian Elischer <julian@freebsd.org>, freebsd-ipfw@freebsd.org
Subject:   Re: ipfw on just inbound and not outbound
Message-ID:  <20150523005828.GL95600@strugglingcoder.info>
In-Reply-To: <20150521210505.GH95600@strugglingcoder.info>
References:  <20150414210901.GA10620@strugglingcoder.info> <552F2F82.1060506@freebsd.org> <20150416164024.B93161@sola.nimnet.asn.au> <CAAAm0r0uZbbW5mVRVsOE-ooqqTDngM9Z2dMpECihoGR9=Tn=Vg@mail.gmail.com> <20150521194227.GF95600@strugglingcoder.info> <20150521210505.GH95600@strugglingcoder.info>

On 05/21/15 at 02:05P, hiren panchasara wrote:
> On 05/21/15 at 12:42P, hiren panchasara wrote:
> > Getting back to this now to see if I can avoid ipfw on outgoing packets.
> >
> > @@ -500,7 +507,7 @@ ipfw_hook(int onoff, int pf)
> >         hook_func =3D (pf =3D=3D AF_LINK) ? ipfw_check_frame : ipfw_che=
ck_packet;
> > =20
> >         (void) (onoff ? pfil_add_hook : pfil_remove_hook)
> > -           (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
> > +           (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh);
> > =20
> >         return 0;
> > }
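
Review bot: the flags argument on the changed line is shared by both hook_func choices, so dropping PFIL_OUT here also stops ipfw_check_frame from seeing outbound frames when pf == AF_LINK, not only ipfw_check_packet for IP. If the goal is only to skip outbound IP packets, build the flags per pf, or state in the commit message that layer-2 outbound filtering is dropped as well.
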
> >
> > Should this do the right thing? I'll report back once I test this patch.
>
> I am still seeing ipfw_chk() getting called in my iperf test. Now, if I
> also remove PFIL_IN, i.e. if I do:
> -           (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
> +           (hook_func, NULL, PFIL_WAITOK, pfh);
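
Review bot: with neither PFIL_IN nor PFIL_OUT left in the flags, this call names no direction for hook_func at all, so the absence of ipfw_chk() in this variant is the expected result and says nothing about the outbound path specifically. Treat it as a control run only, since a kernel built this way no longer passes inbound traffic to ipfw either.
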
>
> I don't see ipfw_chk() getting triggered.
>
> Somehow incoming traffic is affecting the outgoing traffic?

It seems I screwed up something in testing and the following does seem to do the
right thing:

-           (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
+           (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh);
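
Review bot: PFIL_OUT is removed unconditionally on this line, so every ruleset loses its outbound hook and rules that match outgoing traffic stop being evaluated without any error. For the sysctl knob proposed below, keep PFIL_IN | PFIL_OUT as the default and clear PFIL_OUT only when the knob is set; because the same flags expression is also passed to pfil_remove_hook, the value used at unhook time has to be the one that was used at hook time.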

I confirmed this with pmcstat callgraphs that ipfw_chk() is not getting
called in OUT direction.

Any thoughts on this? Is this something that can be upstreamed with a
sysctl knob if there is interest?

cheers,
Hiren
