Date:      Sun, 8 Jan 2012 17:50:27 +0700
From:      budsz <budiyt@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW transparent VS dummynet rules
Message-ID:  <CADM2n7jciiJgouVGdM6YU3%2B0=CjKNNq1x_Cq6wROUdsdP1qHMw@mail.gmail.com>
In-Reply-To: <20120108165159.M3704@sola.nimnet.asn.au>
References:  <CADM2n7j8sB2UX1-_J1RWsGFJfBQd9ZhNthCY%2BVy4VzQVcSTZ-g@mail.gmail.com> <20120107201823.H3704@sola.nimnet.asn.au> <CADM2n7gpENd_ZL1DxbuvMj1vgOYnFDhADNgiCkJBDgZ2DPku6Q@mail.gmail.com> <20120108165159.M3704@sola.nimnet.asn.au>


On Sun, Jan 8, 2012 at 1:00 PM, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Sat, 7 Jan 2012, budsz wrote:
> [..]
>  > >             keyword instead of an explicit address.  The search terminates if
>  > >             this rule matches.
>  > >
>  > > Note particularly the last sentence.  You'll have to do your dummynet
>  > > piping first, if it is to apply also to forwarded packets.
>  > >
>  > > (sysctl)
>  > >      net.inet.ip.fw.one_pass: 1
>  > >             When set, the packet exiting from the dummynet pipe or from
>  > >             ng_ipfw(4) node is not passed through the firewall again.
>  > >             Otherwise, after an action, the packet is reinjected into the
>  > >             firewall at the next rule.
>  > >
>  > > It seems that you may have one_pass set to 1.  Set to 0, packets will
>  > > continue through the ruleset on exit from pipe/s, so to your fwd rule.
>  > >
>  > > cheers, Ian
>  >
>  > Thank you very much, lazy to read ipfw(8) :)
>  >
>  > pipe pipe_nr
>  >              Pass packet to a dummynet ``pipe'' (for bandwidth limitation,
>  >              delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
>  >              Section for further information.  The search terminates; however,
>  >              on exit from the pipe and if the sysctl(8) variable
>  >              net.inet.ip.fw.one_pass is not set, the packet is passed again to
>  >              the firewall code starting from the next rule.
>  >
>  >
>  > --
>  > budsz
>
> No problem.  However it's considered good form to also copy responses
> cc'd back to the two lists this thread appears on, for the archives.
>
> Not that I need the credit, but it shows that the advice was useful, and
> that other list members need not also respond, thinking it unresolved.
>
> cheers, Ian

OK, thank you for reminding me :)

TIA

-- 
budsz
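
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of ipfw rule traversal showing when a packet is both shaped by a `pipe` rule and reaches a `fwd` rule, depending on rule order and `net.inet.ip.fw.one_pass`. Rule numbers, the port and the proxy address are constructed, and the model covers only the `pipe`, `fwd` and `allow` actions.

```python
# Simplified model of ipfw(8) rule traversal (added illustration, not FreeBSD code).
# Rule numbers, the destination port and the proxy address are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # "pipe", "fwd" or "allow"
    arg: str = ""
    dst_port: Optional[int] = None   # None matches any destination port


def traverse(rules, dst_port, one_pass):
    """Return the ordered (rule number, action, arg) tuples applied to one packet."""
    applied = []
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue                 # rule does not match this packet
        applied.append((rule.num, rule.action, rule.arg))
        if rule.action == "pipe" and not one_pass:
            continue                 # one_pass=0: reinjected at the next rule
        break                        # fwd/allow end the search; so does pipe when one_pass=1
    return applied


def shaped_and_forwarded(rules, one_pass, dst_port=80):
    """Return (went through a pipe, reached a fwd rule) for a packet to dst_port."""
    actions = {action for _, action, _ in traverse(rules, dst_port, one_pass)}
    return "pipe" in actions, "fwd" in actions


# Constructed rulesets: the same three rules in the two possible orders.
PIPE_FIRST = [Rule(100, "pipe", "1"),
              Rule(200, "fwd", "127.0.0.1,3128", 80),
              Rule(65000, "allow")]
FWD_FIRST = [Rule(100, "fwd", "127.0.0.1,3128", 80),
             Rule(200, "pipe", "1"),
             Rule(65000, "allow")]

if __name__ == "__main__":
    for name, rules in (("pipe first", PIPE_FIRST), ("fwd first", FWD_FIRST)):
        for one_pass in (True, False):
            print(name, "one_pass=%d" % one_pass, shaped_and_forwarded(rules, one_pass))
```

Only the pipe-first ordering with `one_pass` set to 0 yields a packet that is both shaped and forwarded, which matches the advice quoted above.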


