Date: Wed, 9 Mar 2016 13:03:41 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: kudzu@tenebras.com
Cc: fjwcash@gmail.com, freebsd-ipfw@freebsd.org

On 9 Mar, Michael Sierchio wrote:
> Rules will only match if all components match. So you seem to understand
> that packets will be seen twice - once IN, once OUT. If you write
>
> in recv EXT_IP
> out xmit EXT_IP
>
> the rule actions won't get executed twice on packets.

That's what I'm using for the dummynet rules. My concern was if the re-injected packets were checked by all the rules starting from the top, in which case out xmit would match both entering and leaving dummynet.

Since the implementation is smart enough to start checking where it previously left off, that's not an issue.
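The matching behaviour discussed in this thread, as an added model that is not code from the thread or from FreeBSD: a forwarded packet traverses the rule list once inbound and once outbound, a dummynet re-injection resumes at the rule after the one that queued the packet (net.inet.ip.fw.one_pass=0), and, as a caveat, the `via` keyword matches the receive interface on the outbound pass too, so it can queue a packet twice where `in recv` / `out xmit` do not. Interface names em0/em1 and the rule sets are constructed for the example.

```python
# Rule tuple: (number, direction or None, interface keyword, interface, action)
# e.g. (100, "in", "recv", "em0", "pipe 1") stands for the ipfw rule
#      ipfw add 100 pipe 1 ip from any to any in recv em0
DIRECTIONAL = [
    (100, "in",  "recv", "em0", "pipe 1"),
    (200, "out", "xmit", "em0", "pipe 2"),
    (300, None,  None,   None,  "allow"),
]

# Same intent written with "via", which matches recv OR xmit in either direction.
VIA = [
    (100, None, "via", "em0", "pipe 1"),
    (300, None, None,  None,  "allow"),
]

def matches(rule, direction, recv_if, xmit_if):
    _, rdir, keyword, iface, _ = rule
    if rdir is not None and rdir != direction:
        return False
    if keyword == "recv":
        return recv_if == iface
    if keyword == "xmit":
        return xmit_if == iface
    if keyword == "via":
        return iface in (recv_if, xmit_if)
    return True  # no interface constraint

def one_pass(rules, direction, recv_if, xmit_if):
    """Actions applied on one trip through the rule list.
    A "pipe" action hands the packet to dummynet; when it is re-injected,
    evaluation resumes at the following rule, not at the top, which is why
    the for loop simply carries on after recording the pipe action."""
    actions = []
    for rule in rules:
        if matches(rule, direction, recv_if, xmit_if):
            actions.append(rule[4])
            if not rule[4].startswith("pipe"):
                break  # allow/deny terminates the search
    return actions

def forward(rules, recv_if, xmit_if):
    """Forwarded packet: inbound pass (xmit interface not yet known),
    then outbound pass (both interfaces known)."""
    return one_pass(rules, "in", recv_if, None) + one_pass(rules, "out", recv_if, xmit_if)

def pipe_count(actions):
    """How many times the packet was queued into a dummynet pipe."""
    return sum(a.startswith("pipe") for a in actions)
```

`forward(DIRECTIONAL, "em1", "em0")` queues the packet once (outbound only), while `forward(VIA, "em0", "em1")` queues it on both passes because `via em0` still matches the receive interface when the packet comes back out.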