Date:      Mon, 1 Nov 2004 13:09:00 +0100
From:      Joost Bekkers <joost@jodocus.org>
To:        Vincent Poy <vincepoy@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID:  <20041101120900.GA36917@bps.jodocus.org>
In-Reply-To: <429af92e041101021638e8598e@mail.gmail.com>
References:  <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> <429af92e041101021638e8598e@mail.gmail.com>

On Mon, Nov 01, 2004 at 02:16:42AM -0800, Vincent Poy wrote:
> 63004      667879    129410867 queue 1 tcp from any to any tcpflags ack out
> 63005           1           40 queue 2 tcp from any to any dst-port 22,23 out
> 63006       38782      3364689 queue 2 udp from any to any not dst-port 80,443 out
> 63007       43021      2194871 queue 3 ip from any to any dst-port 80,443 out
> 63008        5467       405319 queue 4 ip from any to any out
> 
> The counters for queue 1 keep increasing when I do a ftp out even for
> non-ACK packets but the other counters for queue 2-4 don't move at
> all so it seems like everything is going out one queue instead of what
> the rules actually say.  I have one pipe configured as 480Kbit/sec
> which is what rules 63005-63008 do.
> 

How do you define 'non-ack' packets in your mind? Your ipfw rule
seems to define it as 'having the ack flag set' which is for all
intents and purposes every tcp packet. Only the very first SYN
packet doesn't have the ack flag set.

-- 
greetz Joost
joost@jodocus.org
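
The first-match behaviour described in the reply above, as an added example that is not part of the original message: a small Python model of the quoted rules 63004-63008 run over a constructed FTP upload. It assumes a matching queue rule ends rule processing (net.inet.ip.fw.one_pass=1); the packet list and the data port 50000 are constructed.

```python
# Added illustration, not code from the thread. Models the quoted ipfw rules
# as a first-match list (assumption: net.inet.ip.fw.one_pass=1, so a packet
# that hits a queue rule is not checked against later rules).
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# (rule, queue, protocol or None for "ip", required TCP flags, dst ports, negated?)
RULES = [
    (63004, 1, "tcp", ACK, None, False),       # tcp ... tcpflags ack out
    (63005, 2, "tcp", 0, {22, 23}, False),     # tcp ... dst-port 22,23 out
    (63006, 2, "udp", 0, {80, 443}, True),     # udp ... not dst-port 80,443 out
    (63007, 3, None, 0, {80, 443}, False),     # ip  ... dst-port 80,443 out
    (63008, 4, None, 0, None, False),          # ip from any to any out
]

def classify(proto, dport, flags=0):
    """Return (rule, queue) for the first rule matching an outgoing packet."""
    for num, queue, rproto, need, ports, negate in RULES:
        if rproto and rproto != proto:
            continue
        if need and (proto != "tcp" or (flags & need) != need):
            continue
        if ports is not None and ((dport in ports) == negate):
            continue
        return num, queue
    return None

def tally(packets):
    """Count packets per matching rule, like the counters in `ipfw show`."""
    counts = {}
    for proto, dport, flags in packets:
        num, _ = classify(proto, dport, flags)
        counts[num] = counts.get(num, 0) + 1
    return counts

# Constructed client-side packets of an FTP upload (control port 21,
# hypothetical passive data port 50000).
FTP_SESSION = [
    ("tcp", 21, SYN), ("tcp", 21, ACK), ("tcp", 21, PSH | ACK),
    ("tcp", 50000, SYN), ("tcp", 50000, ACK),
    ("tcp", 50000, PSH | ACK), ("tcp", 50000, PSH | ACK),
    ("tcp", 50000, PSH | ACK), ("tcp", 50000, FIN | ACK),
]

if __name__ == "__main__":
    # Only the two bare SYNs fall through rule 63004; data segments carry ACK.
    print(tally(FTP_SESSION))
```
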


