Date: Thu, 29 Jul 2004 23:59:44 -0700 From: Glenn Dawson <glenn@antimatter.net> To: stable@freebsd.org Subject: clarification regarding netgraph and ipfw Message-ID: <6.1.0.6.2.20040729234631.04717bc8@cobalt.antimatter.net>
Greetings,

I have a firewall running -STABLE. I'm using ipfw2 for filtering and ng_netgraph (via ng_tee) to export netflow data.

According to the man page for ng_ether, the lower hook gets raw Ethernet frames as they come off the wire. Reading the man page for ipfw, it seems to say that if I turn on net.link.ether.ipfw in sysctl, it will also get things as they come off the wire.

So my question is, which one gets them first? The reason I ask is that if I have an ipfw rule to block traffic from an IP, will it get counted by ng_netgraph? Or will ipfw drop the packet before it even gets to ng_ether?

If the packets go through ng_ether first and then through ipfw, does anyone know if it's possible to reverse that behavior? I'm doing billing based on traffic and don't want the netflow data to include packets that were dropped by ipfw.

Thanks in advance for any insight.

-Glenn