Date:      Wed, 9 Mar 2016 13:03:41 -0800 (PST)
From:      Don Lewis <truckman@FreeBSD.org>
To:        kudzu@tenebras.com
Cc:        fjwcash@gmail.com, freebsd-ipfw@freebsd.org
Subject:   Re: ipwf dummynet vs. kernel NAT and firewall rules
Message-ID:  <201603092103.u29L3foZ011712@gw.catspoiler.org>
In-Reply-To: <CAHu1Y739s7JySU1ho3HzgpSQ65V-wdRYRYLsH3=qSoNu2=MUQg@mail.gmail.com>

On  9 Mar, Michael Sierchio wrote:
> Rules will only match if all components match. So you seem to understand
> that packets will be seen twice - once IN, once OUT.  If you write
> 
> in recv EXT_IP
> out xmit EXT_IP
> 
> the rule actions won't get executed twice on packets.

That's what I'm using for the dummynet rules.  My concern was if the
re-injected packets were checked by all the rules starting from the top,
in which case out xmit would match both entering and leaving dummynet.
Since the implementation is smart enough to start checking where it
previously left off, that's not an issue.
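A constructed ipfw rules file illustrating the pattern discussed above (an added example, not from this thread or from the FreeBSD sources); EXT_IF, the pipe bandwidths and 10.0.0.10 are placeholders, and it assumes net.inet.ip.fw.one_pass=0 so that a packet released by dummynet re-enters the ruleset at the rule after the pipe rule rather than at the top:

```ipfw
# Constructed example, loaded with: ipfw -q /path/to/this/file
# EXT_IF = external interface (placeholder); set it via the preprocessor or edit in place.
# Requires sysctl net.inet.ip.fw.one_pass=0: with the default one_pass=1 a packet
# leaving a pipe is NOT reinjected and never reaches the nat/allow rules below.
flush
pipe 1 config bw 20Mbit/s     # inbound shaping (placeholder rate)
pipe 2 config bw 5Mbit/s      # outbound shaping (placeholder rate)
nat 1 config if EXT_IF

# Every forwarded packet passes the firewall twice (once "in", once "out").
# Pinning each pipe rule to one direction AND one interface means a packet is
# queued exactly once, whichever way it is travelling.
add 100 pipe 1 ip from any to any in recv EXT_IF
add 110 pipe 2 ip from any to any out xmit EXT_IF

# With one_pass=0 a packet released by pipe 1 continues at rule 110 and one
# released by pipe 2 continues at rule 200; neither is re-evaluated from rule 100,
# so "out xmit EXT_IF" cannot match the same packet both entering and leaving dummynet.
add 200 nat 1 ip from any to any via EXT_IF

# Minimal stateless policy, only to show where filtering sits relative to the pipes
# and NAT (not a complete firewall). 10.0.0.10 is a placeholder internal host.
add 300 allow ip from any to any out xmit EXT_IF
add 310 allow tcp from any to 10.0.0.10 80 in recv EXT_IF
add 320 allow tcp from any to any in recv EXT_IF established
add 330 allow icmp from any to any
add 65000 deny ip from any to any
```

Trace a LAN-originated packet: on its "in" pass (received on the LAN interface) rules 100, 110 and 200 all fail to match, and on its "out" pass it hits pipe 2 at rule 110, resumes at rule 200 for NAT, and is allowed by rule 300.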
