From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 8 10:50:29 2012
From: budsz
To: Ian Smith
Cc: freebsd-questions@freebsd.org
Date: Sun, 8 Jan 2012 17:50:27 +0700
Subject: Re: IPFW transparent VS dummynet rules
In-Reply-To: <20120108165159.M3704@sola.nimnet.asn.au>
References: <20120107201823.H3704@sola.nimnet.asn.au> <20120108165159.M3704@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

On Sun, Jan 8, 2012 at 1:00 PM, Ian Smith wrote:
> On Sat, 7 Jan 2012, budsz wrote:
>
> [..]
> > >             keyword instead of an explicit address.  The search terminates if
> > >             this rule matches.
> > >
> > > Note particularly the last sentence.  You'll have to do your dummynet
> > > piping first, if it is to apply also to forwarded packets.
> > >
> > > (sysctl)
> > >      net.inet.ip.fw.one_pass: 1
> > >             When set, the packet exiting from the dummynet pipe or from
> > >             ng_ipfw(4) node is not passed though the firewall again.
> > >             Otherwise, after an action, the packet is reinjected into the
> > >             firewall at the next rule.
> > >
> > > It seems that you may have one_pass set to 1.  Set to 0, packets will
> > > continue through the ruleset on exit from pipe/s, so to your fwd rule.
> > >
> > > cheers, Ian
> >
> > Thank you very much, lazy to read ipfw(8) :)
> >
> > pipe pipe_nr
> >               Pass packet to a dummynet ``pipe'' (for bandwidth limitation,
> >               delay, etc.).  See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
> >               Section for further information.  The search terminates; however,
> >               on exit from the pipe and if the sysctl(8) variable
> >               net.inet.ip.fw.one_pass is not set, the packet is passed again to
> >               the firewall code starting from the next rule.
> >
> > --
> > budsz
>
> No problem.  However it's considered good form to also copy responses
> cc'd back to the two lists this thread appears on, for the archives.
>
> Not that I need the credit, but it shows that the advice was useful, and
> that other list members need not also respond, thinking it unresolved.
>
> cheers, Ian

OK, thank you for reminding me :)

TIA

--
budsz

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 9 11:07:06 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 9 Jan 2012 11:07:05 GMT
Message-Id: <201201091107.q09B75ct042209@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

41 problems total.
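To make the ordering point from the ipfw(8) excerpts in the first message above concrete, here is an added Python model of the rule walk; it is not ipfw code and not from either correspondent, and the rule set, packet fields and default rule are constructed assumptions.

```python
"""Constructed model of how ipfw walks a ruleset around a dummynet pipe.

Added illustration, not ipfw source. A rule is (number, action, argument,
match) with match a predicate on a packet dict. As the ipfw(8) text quoted
in the thread says, both 'pipe' and 'fwd' terminate the search; a packet
leaving the pipe re-enters the ruleset at the NEXT rule only when
net.inet.ip.fw.one_pass is 0, so the pipe rule must precede the fwd rule
for both to apply.
"""

TERMINATING = {"allow", "deny", "fwd", "pipe"}

def run_ruleset(rules, packet, one_pass):
    """Return the (number, action, argument) triples applied to packet."""
    applied = []
    idx = 0
    while idx < len(rules):
        number, action, arg, match = rules[idx]
        idx += 1                      # default: continue with the next rule
        if not match(packet):
            continue
        applied.append((number, action, arg))
        if action == "pipe" and not one_pass:
            continue                  # one_pass=0: reinjected at next rule
        if action in TERMINATING:
            break                     # search ends here
    return applied

def from_lan(pkt):
    return pkt["src"].startswith("192.0.2.")     # constructed LAN prefix

def lan_http(pkt):
    return from_lan(pkt) and pkt["dport"] == 80

# constructed ruleset: shape LAN traffic, then redirect web to a local proxy
RULES = [
    (100, "pipe", "1", from_lan),
    (200, "fwd", "127.0.0.1,3128", lan_http),
    (65535, "deny", "ip from any to any", lambda p: True),
]
MISORDERED = [RULES[1], RULES[0], RULES[2]]      # fwd placed before pipe

PKT = {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80}

if __name__ == "__main__":
    for flag in (1, 0):
        print("one_pass=%d: %s" % (flag, run_ruleset(RULES, PKT, flag)))
    print("fwd before pipe:", run_ruleset(MISORDERED, PKT, 0))
```

With one_pass=1 the fwd rule is never reached, with one_pass=0 both apply, and with fwd ahead of pipe the packet is forwarded unshaped regardless of the sysctl.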