Date: Fri, 20 Jun 2003 14:58:07 -0400
From: Don Bowman <don@sandvine.com>
To: 'Luigi Rizzo' <rizzo@icir.org>, Don Bowman <don@sandvine.com>
Cc: "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Subject: RE: nested ipfw dummynet pipes
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C8533702741AFA@mail.sandvine.com>
From: 'Luigi Rizzo' [mailto:rizzo@icir.org]
> On Fri, Jun 20, 2003 at 02:18:17PM -0400, Don Bowman wrote:
> ...
> > Thanks very much, I will check this. I assume this will be true
> > for IPFW2 rather than IPFW.
>
> one_pass actually affects both.
> the comment in parentheses refers to "layer 2 firewalling
> which is an ipfw2-only feature (bridge firewalling
> is also available with ipfw1)

This works correctly, thanks very much. Attached is a trivial
patch to correct the man page.

Is there a benefit to having the single wide pipe first,
or the many narrow pipes first, in the ruleset?

$ cvs diff -U5 ipfw.8 Index: ipfw.8 =================================================================== RCS file: /usr/cvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.63.2.28 diff -U5 -r1.63.2.28 ipfw.8 --- ipfw.8 30 Sep 2002 20:57:05 -0000 1.63.2.28 +++ ipfw.8 20 Jun 2003 18:49:02 -0000 @@ -1587,14 +1587,10 @@ When set, the packet exiting from the .Xr dummynet 4 pipe is not passed though the firewall again. Otherwise, after a pipe action, the packet is reinjected into the firewall at the next rule. -.Pp -Note: bridged and layer 2 packets coming out of a pipe -are never reinjected in the firewall irrespective of the -value of this variable. .It Em net.inet.ip.fw.verbose : No 1 Enables verbose messages. .It Em net.inet.ip.fw.verbose_limit : No 0 Limits the number of messages produced by a verbose firewall. .It Em net.link.ether.ipfw : No 0
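
Review bot: The removed note at the end of the one_pass entry (hunk @@ -1587,14 +1587,10 @@) was the page's only statement about bridged and layer 2 packets coming out of a pipe, and the hunk deletes it without a replacement. Consider adding one sentence in its place that says what does happen to those packets, so someone who configured a ruleset around the old wording knows that packets leaving a pipe on those paths can now be expected to hit the following rules when the variable is 0. While editing this entry, the unchanged context line "pipe is not passed though the firewall again." has "though" for "through" and could be fixed in the same change.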