Date: Mon, 18 Dec 2017 11:09:53 -0800
From: David Wolfskill <david@catwhisker.org>
To: ipfw@freebsd.org
Subject: Rule action "queue" also causes search to terminate, yes?
Message-ID: <20171218190953.GU1226@albert.catwhisker.org>

The ipfw(8) man page explicitly states that rule actions:

* allow | accept | pass | permit
* deny | drop
* divert
* reset | reset6
* unreach | unreach6
* abort | abort6

cause "search terminat[ion]".

The description for "queue," however, is:

     queue queue_nr
             Pass packet to a dummynet ``queue'' (for bandwidth limitation
             using WF2Q+).

In particular, there is no statement that "The search terminates" (as
there is for the above-cited rule actions).

My (admittedly quick) reading of the code suggests that for the "queue"
rule action, the search does, in fact, terminate. This also seems to be
borne out by empirical evidence (now that I have a "queue" rule in my
active set of rules on my laptop):

...
04300  1086    92998 skipto 60000 udp from 192.168.23.119 to any dst-port 53 keep-state :default
04400     0        0 deny log udp from any to any dst-port 123 iplen 0-75
04500   155    11780 skipto 60000 udp from 192.168.23.119 to any dst-port 123 keep-state :default
04600     0        0 skipto 60000 udp from any 123 to 255.255.255.255 dst-port 123 keep-state :default
04700     0        0 skipto 60000 udp from 192.168.23.119 to any keep-state :default
04800     0        0 deny log ip from any to any
60000 35471 18109017 allow ip from any to any in
60100 32582  5110013 queue 1 ip from any to any out
65535     1      340 deny ip from any to any

So:

* Is my reading of the code -- that "queue" (also) causes the search to
  terminate -- correct?

* If so, is a change to the ipfw(8) page (to state that explicitly)
  warranted? (As someone who was recently trying to figure some of this
  stuff out, I believe that such a statement -- if it is true! -- would
  have been helpful for me.)

Thanks!

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Given his track record so far, I presume that assertions from Trump are lies.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
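
Added example (not part of the original message and not ipfw code): the counter argument made in the message, written as a Python check over the quoted listing. The listing lines are copied from the message as sample input, the function names are hypothetical, and the inference assumes the counters of both rules were last zeroed at the same time.

```python
import re

# Sample input: tail of the `ipfw -a list` output quoted in the message
# (columns: rule number, packet count, byte count, rule body).
LISTING = """\
04800 0 0 deny log ip from any to any
60000 35471 18109017 allow ip from any to any in
60100 32582 5110013 queue 1 ip from any to any out
65535 1 340 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
DUMMYNET_ACTIONS = {"queue", "pipe"}


def parse_listing(text):
    """Return rules as dicts, in ruleset order; skip lines that do not parse."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, nbytes, action, body = m.groups()
            rules.append({"num": int(num), "pkts": int(pkts),
                          "bytes": int(nbytes), "action": action, "body": body})
    return rules


def is_catch_all(rule):
    """True for a rule whose match part is exactly 'ip from any to any'."""
    words = [w for w in rule["body"].split() if w != "log"]
    return words == "ip from any to any".split()


def stopped_at_dummynet(rules):
    """For each queue/pipe rule directly followed by a catch-all rule, return
    {rule number: minimum packets that never reached the catch-all}.
    A catch-all counts every packet that reaches it, so any shortfall against
    the queue/pipe counter is traffic whose search ended at that rule.
    Assumes both counters were last zeroed at the same time."""
    result = {}
    for rule, nxt in zip(rules, rules[1:]):
        if rule["action"] in DUMMYNET_ACTIONS and is_catch_all(nxt):
            result[rule["num"]] = max(rule["pkts"] - nxt["pkts"], 0)
    return result


if __name__ == "__main__":
    for num, n in stopped_at_dummynet(parse_listing(LISTING)).items():
        print(f"rule {num:05d}: at least {n} packets did not continue to the next rule")
```

ipfw(8) documents the sysctl net.inet.ip.fw.one_pass, which decides whether a packet leaving dummynet is reinjected at the next rule, so the result reflects the setting in force while the counters accumulated.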