From: Glenn Dawson
To: stable@freebsd.org
Date: Thu, 29 Jul 2004 23:59:44 -0700
Subject: clarification regarding netgraph and ipfw
Message-Id: <6.1.0.6.2.20040729234631.04717bc8@cobalt.antimatter.net>
List-Id: Production branch of FreeBSD source code

Greetings,

I have a firewall running -STABLE. I'm using ipfw2 for filtering and ng_netgraph (via ng_tee) to export netflow data.

According to the man page for ng_ether, the lower hook gets raw Ethernet frames as they come off the wire. Reading the man page for ipfw, it seems to say that if I turn on net.link.ether.ipfw in sysctl, it will also get things as they come off the wire.

So my question is, which one gets them first? The reason I ask is that if I have an ipfw rule to block traffic from an IP, will it get counted by ng_netgraph? Or will ipfw drop the packet before it even gets to ng_ether?

If the packets go through ng_ether first and then through ipfw, does anyone know if it's possible to reverse that behavior? I'm doing billing based on traffic and don't want the netflow data to include packets that were dropped by ipfw.

Thanks in advance for any insight.

-Glenn