Date:      Wed, 14 Jan 2004 23:42:14 +0100
From:      Pawel Malachowski <>
To:        Sten Daniel Sørsdal <>
Subject:   Re: semantics of 'not-applicable' options in ipfw ?
Message-ID:  <>
In-Reply-To: <>
References:  <>

On Wed, Jan 14, 2004 at 06:04:45PM +0100, Sten Daniel Sørsdal wrote:

> I also believe that "via" option also causes the same kind of confusion.

Going offtopic, but...

That's true, people have problems with `via', it is a common practice
to construct not-too-specific rules and to send packets via a dummynet
pipe twice, for example. ;) It is explained in ipfw(8), but not so clear
for newbies.
I personally prefer `in recv' and `out xmit' only, to make rulesets clear.

Also lots of howtos and natd(8) use `via' in examples with divert/natd.
That's not good because when someone is trying to work with both natd and
dummynet, classifying packets on a per-private-IP basis on the external interface,
it is better to split the divert rule in the following manner:
  ipfw add divert natd ip from any to PUBLIC-IP-FOR-NAT[1] in recv NIC
  # now we have access to PRIVATE IPs for incoming packets and we can shape traffic on a per-local-user basis
  # we also have access to PRIVATE IPs for outgoing packets since they were not passed through natd yet
  ipfw add (dummynet rules here)
  ipfw add divert natd ip from PRIVATE-NET[1] to any out xmit NIC

[1] Using PUBLIC-IP-FOR-NAT explicitly rather than `all' is better,
    because we avoid sending to the divert socket packets destined for
    other, public IP addresses in our LAN.
    Using PRIVATE-NET explicitly is better, because we avoid sending
    to the divert socket packets from public IP addresses in our LAN.

While we are near confusions, I know the `queue' keyword is problematic
for newbie dummynet users, because it has two different meanings:
a pipe has its queue and a queue has its queue, also a bunch of queues
can be assigned to a pipe, etc. ;) I usually explain to newbies pipe
as pipe, queue as queue ;) and queue (KB/slots) as a `buffersize'.
It is also not clear in ipfw(8) what these `slots' are, guessing
just `packets', and what are the advantages or disadvantages of using
the `slots' or `KB' unit.

> By the way, do you have any plans to implement a tag/flag system?
> ( example:
> 	100 flag 100 src-port 100
> 	200 allow flag 100
> )

Someone may find it useful, especially with some kind of `skipto 0'
available. ;)

Paweł Małachowski
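The split-divert layout above, written out as a complete ruleset generator (an added example, not code from the original message or from the ipfw project): the inbound divert comes first, the dummynet pipes sit in the middle where both directions still carry private addresses, and the outbound divert comes last. Interface name, addresses and bandwidths are constructed placeholders; the per-host shaping uses dummynet `mask` dynamic queues, and the script assumes net.inet.ip.fw.one_pass=0 so that packets leaving the outbound pipe still reach the second divert rule instead of leaving un-NATed.

```shell
#!/bin/sh
# Added example: print an ipfw ruleset that splits the natd divert rule
# around dummynet so the pipes see private IPs in both directions.
# All addresses, the interface and the bandwidths are constructed values.
#
# Assumption: net.inet.ip.fw.one_pass is set to 0. With the default (1) a
# packet is accepted as soon as it leaves a pipe, so outbound traffic would
# never reach the second divert rule and would go out with a private source.

ipfw_nat_shape_rules() {
    nic="$1"          # external interface
    public_ip="$2"    # the single address natd translates to
    private_net="$3"  # LAN behind natd
    down_bw="$4"      # per-host download bandwidth (dummynet syntax)
    up_bw="$5"        # per-host upload bandwidth

    cat <<EOF
sysctl net.inet.ip.fw.one_pass=0
ipfw -f flush
ipfw pipe flush
# One dynamic queue per private host: mask on the private side of the flow.
ipfw pipe 1 config bw ${down_bw} mask dst-ip 0xffffffff
ipfw pipe 2 config bw ${up_bw} mask src-ip 0xffffffff
# 1. Inbound: un-NAT only packets for the NAT address; the pipe then sees
#    the private destination.
ipfw add 100 divert natd ip from any to ${public_ip} in recv ${nic}
# 2. Shape while both directions still carry private addresses.
ipfw add 200 pipe 1 ip from any to ${private_net} in recv ${nic}
ipfw add 300 pipe 2 ip from ${private_net} to any out xmit ${nic}
# 3. Outbound: NAT only the private net, after shaping.
ipfw add 400 divert natd ip from ${private_net} to any out xmit ${nic}
ipfw add 65000 allow ip from any to any
EOF
}

# Print the ruleset for a constructed example network. Nothing is applied
# here; on the FreeBSD router, pipe the output to sh to load it.
ipfw_nat_shape_rules em0 203.0.113.10 192.168.1.0/24 2Mbit/s 512Kbit/s
```

The final allow rule is a simplification; in a real ruleset the usual filtering goes between the shaping and the closing rule.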
