Date: Sun, 8 Jan 2012 17:50:27 +0700
From: budsz <budiyt@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW transparent VS dummynet rules
Message-ID: <CADM2n7jciiJgouVGdM6YU3%2B0=CjKNNq1x_Cq6wROUdsdP1qHMw@mail.gmail.com>
In-Reply-To: <20120108165159.M3704@sola.nimnet.asn.au>
References: <CADM2n7j8sB2UX1-_J1RWsGFJfBQd9ZhNthCY%2BVy4VzQVcSTZ-g@mail.gmail.com> <20120107201823.H3704@sola.nimnet.asn.au> <CADM2n7gpENd_ZL1DxbuvMj1vgOYnFDhADNgiCkJBDgZ2DPku6Q@mail.gmail.com> <20120108165159.M3704@sola.nimnet.asn.au>
On Sun, Jan 8, 2012 at 1:00 PM, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Sat, 7 Jan 2012, budsz wrote:
> [..]
>  > >             keyword instead of an explicit address.  The search terminates if
>  > >             this rule matches.
>  > >
>  > > Note particularly the last sentence.  You'll have to do your dummynet
>  > > piping first, if it is to apply also to forwarded packets.
>  > >
>  > > (sysctl)
>  > >      net.inet.ip.fw.one_pass: 1
>  > >             When set, the packet exiting from the dummynet pipe or from
>  > >             ng_ipfw(4) node is not passed through the firewall again.
>  > >             Otherwise, after an action, the packet is reinjected into the
>  > >             firewall at the next rule.
>  > >
>  > > It seems that you may have one_pass set to 1.  Set to 0, packets will
>  > > continue through the ruleset on exit from pipe/s, so to your fwd rule.
>  > >
>  > > cheers, Ian
>  >
>  > Thank you very much, lazy to read ipfw(8) :)
>  >
>  > pipe pipe_nr
>  >              Pass packet to a dummynet ``pipe'' (for bandwidth limitation,
>  >              delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
>  >              Section for further information.  The search terminates; however,
>  >              on exit from the pipe and if the sysctl(8) variable
>  >              net.inet.ip.fw.one_pass is not set, the packet is passed again to
>  >              the firewall code starting from the next rule.
>  >
>  >
>  > --
>  > budsz
>
> No problem.  However it's considered good form to also copy responses
> cc'd back to the two lists this thread appears on, for the archives.
>
> Not that I need the credit, but it shows that the advice was useful, and
> that other list members need not also respond, thinking it unresolved.
>
> cheers, Ian

OK, thank you for reminding me :)

TIA

-- 
budsz
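Putting the thread's advice into a ruleset, as an added example that is not from either poster: the dummynet pipe rules carry lower numbers than the fwd rule, net.inet.ip.fw.one_pass is cleared so pipe output is reinjected at the next rule, and a small dry-run check confirms the ordering. Interface, subnet, proxy address and bandwidths are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread. Per ipfw(8) the pipe rule must come
# before fwd, and net.inet.ip.fw.one_pass must be 0 so a packet leaving the
# pipe is reinjected at the next rule and still reaches the fwd rule.
# Interface, subnet, proxy and bandwidths are assumed placeholder values.
IPFW=${IPFW:-ipfw}        # set IPFW=echo for a dry run
SYSCTL=${SYSCTL:-sysctl}
LAN_IF=${LAN_IF:-em0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY=${PROXY:-127.0.0.1,3128}   # transparent proxy listening locally

apply_ruleset() {
    # one_pass=1 would end the search at the pipe rule; fwd would never run.
    "$SYSCTL" net.inet.ip.fw.one_pass=0
    "$IPFW" pipe 1 config bw 2Mbit/s
    "$IPFW" pipe 2 config bw 512Kbit/s
    # Shaping first (lower rule numbers)...
    "$IPFW" add 100 pipe 1 ip from "$LAN_NET" to any in via "$LAN_IF"
    "$IPFW" add 110 pipe 2 ip from any to "$LAN_NET" out via "$LAN_IF"
    # ...then the transparent redirect of LAN web traffic.
    "$IPFW" add 200 fwd "$PROXY" tcp from "$LAN_NET" to any 80 in via "$LAN_IF"
    "$IPFW" add 65000 allow ip from any to any
}

check_order() {
    # Reads dry-run output on stdin; succeeds only if every pipe/queue
    # rule carries a lower number than the first fwd rule.
    awk 'BEGIN { maxpipe = 0; fwd = 0 }
         $1 == "add" && ($3 == "pipe" || $3 == "queue") && $2 > maxpipe { maxpipe = $2 }
         $1 == "add" && $3 == "fwd" && fwd == 0 { fwd = $2 }
         END { exit !(fwd > 0 && maxpipe > 0 && maxpipe < fwd) }'
}

case "${1:-}" in
    apply) apply_ruleset ;;
    check) check_order ;;   # IPFW=echo SYSCTL=echo sh ipfw.sh apply | sh ipfw.sh check
esac
```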