Date: Tue, 06 May 2003 22:47:21 +0200 From: "Pawel Malachowski" <pawmal@unia.3lo.lublin.pl> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible> Message-ID: <3EB83B79.16633.10E9496@localhost>
next in thread | raw e-mail | index | archive | help
Hello, Here is some example: (private IPs)LAN---(fxp1)BOX(fxp0)---Internet There are: . dummynet running on fxp0 . ipnat running on fxp0 Right now outgoing packets on fxp0 go through ipnat and then through dummynet. It is not possible to shape this traffic on per-user basis (for example with src-ip mask) cause after ipnatting all packets have the same source IP. Possible sollutions are: . use dummynet on fxp0 This is not so good idea if I have a huge number of local NICs and subnets cause I have to make exceptions (ipfw skip) for local traffic. It is very easy and natural to use dummynet on fxp0 interface for bandwith limitaion of `Internet' traffic. . use natd instead of ipnat Sucessfully tested, but I simply prefer ipnat. :) So, probably packets flow should be: incoming: IPFilter -> IPFW outgoing: IPFW -> IPFilter This code is `for private use' and is quite bad but does that (4.8): http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff I know submitter tried something similar on his own, too. However, allowing user to decide about order (using sysctls?) would be the best solution. regards, -- Pawel Malachowski
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EB83B79.16633.10E9496>