From owner-freebsd-stable@FreeBSD.ORG Fri Jul 30 07:11:32 2004
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DDFE16A4CE for ; Fri, 30 Jul 2004 07:11:32 +0000 (GMT)
Received: from cobalt.antimatter.net (cobalt.antimatter.net [69.55.224.239]) by mx1.FreeBSD.org (Postfix) with ESMTP id 103DB43D5D for ; Fri, 30 Jul 2004 07:11:32 +0000 (GMT) (envelope-from glenn@antimatter.net)
Received: from glenn-mobile.antimatter.net (66-27-95-123.san.rr.com [66.27.95.123]) (authenticated bits=0) i6U7BLQV027925 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO) for ; Fri, 30 Jul 2004 00:11:22 -0700
Message-Id: <6.1.0.6.2.20040730000958.049ff320@cobalt.antimatter.net>
X-Sender: lists@cobalt.antimatter.net
X-Mailer: QUALCOMM Windows Eudora Version 6.1.0.6
Date: Fri, 30 Jul 2004 00:10:48 -0700
To: stable@freebsd.org
From: Glenn Dawson
In-Reply-To: <6.1.0.6.2.20040729234631.04717bc8@cobalt.antimatter.net>
References: <6.1.0.6.2.20040729234631.04717bc8@cobalt.antimatter.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Re: clarification regarding netgraph and ipfw
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Fri, 30 Jul 2004 07:11:32 -0000

oops

s/ng_netgraph/ng_netflow/g

-Glenn

At 11:59 PM 7/29/2004, Glenn Dawson wrote:
>Greetings,
>
>I have a firewall running -STABLE. I'm using ipfw2 for filtering and
>ng_netgraph (via ng_tee) to export netflow data.
>
>According to the man page for ng_ether, the lower hook gets raw Ethernet
>frames as they come off the wire. Reading the man page for ipfw, it seems
>to say that if I turn on net.link.ether.ipfw in sysctl it will also
>get things as they come off the wire.
>
>So my question is, which one gets them first?
>
>The reason I ask is that if I have an ipfw rule to block traffic from an
>IP, will it get counted by ng_netgraph? Or will ipfw drop the packet
>before it even gets to ng_ether?
>
>If the packets go through ng_ether first and then through ipfw, does
>anyone know if it's possible to reverse that behavior? I'm doing billing
>based on traffic and don't want the netflow data to include packets that
>were dropped by ipfw.
>
>Thanks in advance for any insight.
>
>-Glenn
>
>_______________________________________________
>freebsd-stable@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
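The wiring the post describes (ng_ether lower hook, ng_tee, ng_netflow exporting to a collector), written out as an ngctl(8) script. This is an added example for readers of the archive, not something posted in the thread; the interface name em0, the collector address 192.0.2.10:9995, the node names em0_tee and netflow, and the ifIndex value 1 are all assumptions, and it assumes ng_netflow's default of accounting raw Ethernet frames on its iface hooks.

```ngctl
# Added example (not from the thread): ng_ether -> ng_tee -> ng_netflow wiring.
# Assumed: interface em0, collector 192.0.2.10:9995, node names em0_tee and
# netflow, SNMP ifIndex 1.  Load with:  ngctl -f /path/to/this/file

# Splice an ng_tee between the interface's lower (wire) and upper (stack) hooks.
mkpeer em0: tee lower right
name em0:lower em0_tee
connect em0: em0_tee: upper left

# Frames from the wire enter the tee on "right", are forwarded to "left" (the
# protocol stack) and copied to "right2left"; frames from the stack enter on
# "left" and are copied to "left2right".  Feed both copies to ng_netflow,
# which accounts them and drops them because the out<N> hooks are unconnected.
mkpeer em0_tee: netflow right2left iface0
name em0_tee:right2left netflow
connect em0_tee: netflow: left2right iface1
msg netflow: setifindex { iface=0 index=1 }
msg netflow: setifindex { iface=1 index=1 }

# Export the resulting NetFlow datagrams to the collector over a UDP ksocket.
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/192.0.2.10:9995
```

The caveat a practitioner should check before billing from this: in the 4.x/5.x ether_input() path, a frame is handed to the ng_ether lower hook before ether_demux() runs the layer-2 ipfw check enabled by net.link.ether.ipfw, so the tee copy is taken (and accounted by ng_netflow) regardless of whether ipfw later denies the frame. Compare the byte counters of your deny rules from ipfw -a list against the flows the collector receives over the same interval; if the deny counters are non-zero and those sources still appear in the flow data, the export is counting dropped traffic.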