From owner-freebsd-net@FreeBSD.ORG Fri Jun 20 11:58:14 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0261137B401 for ; Fri, 20 Jun 2003 11:58:14 -0700 (PDT)
Received: from mail.sandvine.com (sandvine.com [199.243.201.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D08E43F3F for ; Fri, 20 Jun 2003 11:58:13 -0700 (PDT) (envelope-from don@sandvine.com)
Received: by mail.sandvine.com with Internet Mail Service (5.5.2653.19) id ; Fri, 20 Jun 2003 14:58:12 -0400
From: Don Bowman
To: 'Luigi Rizzo', Don Bowman
Date: Fri, 20 Jun 2003 14:58:07 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
cc: "'freebsd-net@freebsd.org'"
Subject: RE: nested ipfw dummynet pipes
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 20 Jun 2003 18:58:14 -0000

From: 'Luigi Rizzo' [mailto:rizzo@icir.org]
> On Fri, Jun 20, 2003 at 02:18:17PM -0400, Don Bowman wrote:
> ...
> > Thanks very much, I will check this. I assume this will be true
> > for IPFW2 rather than IPFW.
>
> one_pass actually affects both.
> the comment in parentheses refers to "layer 2 firewalling
> which is an ipfw2-only feature (bridge firewalling
> is also available with ipfw1)

This works correctly, thanks very much. Attached is a trivial patch
to correct the man page.

Is there a benefit to having the single wide pipe first, or the many
narrow pipes first, in the ruleset?

$ cvs diff -U5 ipfw.8
Index: ipfw.8
===================================================================
RCS file: /usr/cvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.63.2.28
diff -U5 -r1.63.2.28 ipfw.8
--- ipfw.8 30 Sep 2002 20:57:05 -0000 1.63.2.28
+++ ipfw.8 20 Jun 2003 18:49:02 -0000
@@ -1587,14 +1587,10 @@ When set, the packet exiting from the .Xr dummynet 4 pipe is not passed though the firewall again. Otherwise, after a pipe action, the packet is reinjected into the firewall at the next rule. -.Pp -Note: bridged and layer 2 packets coming out of a pipe -are never reinjected in the firewall irrespective of the -value of this variable. .It Em net.inet.ip.fw.verbose : No 1 Enables verbose messages. .It Em net.inet.ip.fw.verbose_limit : No 0 Limits the number of messages produced by a verbose firewall. .It Em net.link.ether.ipfw : No 0
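Review bot: the hunk deletes the "Note: bridged and layer 2 packets ..." paragraph outright and leaves nothing in its place, so a reader of the new page cannot tell whether those packets now follow one_pass or whether the documentation simply stopped mentioning them; since the quoted reply above states that one_pass affects both ipfw1 and ipfw2 and that the layer 2 remark concerned an ipfw2-only feature, consider replacing the removed lines with one sentence that states the corrected behaviour rather than relying on the absence of the note. While this paragraph is being touched, the retained context line `pipe is not passed though the firewall again.` has a typo (`though` for `through`) that could be fixed in the same hunk.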
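The exchange above turns on net.inet.ip.fw.one_pass: with it set, a packet leaving a dummynet pipe is accepted without seeing the rest of the ruleset, so a second (nested) pipe placed after the first is never reached, and neither is any later deny rule. The script below is an added example, not code from the original post or from FreeBSD's own sources; it builds the nested-pipe ruleset the thread is about (one wide pipe for a subnet, then a narrow per-host pipe, with one_pass cleared so the packet is reinjected at the next rule after the first pipe). The interface fxp0, the subnet 10.1.0.0/24, the pipe numbers, the bandwidths and the rule numbers are assumptions chosen for illustration, and the wide-pipe-first order is simply one of the two orders Don asks about, not a claim that it is better. The script prints the commands unless APPLY=1 is set, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): nested dummynet
# pipes that depend on net.inet.ip.fw.one_pass=0.
# Assumed values (not from the page): interface fxp0, client subnet
# 10.1.0.0/24, pipes 1 and 2, the bandwidths below, rule numbers 100-300.

IFACE=${IFACE:-fxp0}
NET=${NET:-10.1.0.0/24}
WIDE_BW=${WIDE_BW:-10Mbit/s}       # aggregate limit shared by the subnet
NARROW_BW=${NARROW_BW:-512Kbit/s}  # per-host limit applied inside it

# run CMD...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

configure_nested_pipes() {
    # With one_pass=1 a packet entering pipe 1 would leave the firewall
    # straight after the pipe: rule 200 (and any later deny) is never seen.
    run sysctl net.inet.ip.fw.one_pass=0

    # Pipe 1: a single wide queue for the whole subnet.
    run ipfw pipe 1 config bw "$WIDE_BW"
    # Pipe 2: one narrow queue per destination host; the mask makes dummynet
    # create a dynamic queue keyed on the low byte of the destination address.
    run ipfw pipe 2 config bw "$NARROW_BW" mask dst-ip 0x000000ff

    # Rule 100 sends outbound traffic for the subnet into the wide pipe.
    # Because one_pass is 0 the packet is reinjected at rule 200 and then
    # passes through the narrow per-host pipe as well. Swapping the two rule
    # numbers gives the other order discussed in the thread.
    run ipfw add 100 pipe 1 ip from any to "$NET" out via "$IFACE"
    run ipfw add 200 pipe 2 ip from any to "$NET" out via "$IFACE"
    # Accept the shaped traffic explicitly so the decision is visible in the
    # ruleset instead of being implied by the pipe action.
    run ipfw add 300 allow ip from any to "$NET" out via "$IFACE"
}

# Print the ruleset by default; APPLY=1 executes it (requires root on FreeBSD).
[ -n "$APPLY" ] || DRY_RUN=1
configure_nested_pipes
```

Run it once without APPLY to inspect the generated commands, then with APPLY=1 on the firewall host. Keep the sysctl line in front of the rules: if one_pass is still 1 when rule 100 is added, traffic that matches it bypasses everything after the pipe until the sysctl is changed.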