Date: Tue, 6 May 2003 14:10:17 -0700 (PDT)
From: Johan Karlsson <johan@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Message-ID: <200305062110.h46LAHjf075948@freefall.freebsd.org>

The following reply was made to PR kern/46564; it has been noted by GNATS.

From: Johan Karlsson <johan@freebsd.org>
To: Bug followup <bug-followup@freebsd.org>
Cc:
Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Date: Tue, 6 May 2003 23:09:41 +0200

Adding to the audit-trail.

----- Forwarded message from Pawel Malachowski <pawmal@unia.3lo.lublin.pl> -----

From: "Pawel Malachowski" <pawmal@unia.3lo.lublin.pl>
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Date: Tue, 06 May 2003 22:47:21 +0200

Hello,

Here is an example:

(private IPs)LAN---(fxp1)BOX(fxp0)---Internet

There are:
. dummynet running on fxp0
. ipnat running on fxp0

Right now outgoing packets on fxp0 go through ipnat and then through
dummynet. It is not possible to shape this traffic on a per-user basis (for
example with src-ip mask) because after ipnatting all packets have the same
source IP.

Possible solutions are:
. use dummynet on fxp0
  This is not such a good idea if I have a huge number of local NICs and
  subnets, because I have to make exceptions (ipfw skip) for local traffic.
  It is very easy and natural to use dummynet on the fxp0 interface for
  bandwidth limitation of `Internet' traffic.
. use natd instead of ipnat
  Successfully tested, but I simply prefer ipnat. :)

So, probably packet flow should be:
incoming: IPFilter -> IPFW
outgoing: IPFW -> IPFilter

This code is `for private use' and is quite bad but does that (4.8):
http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff

I know the submitter tried something similar on his own, too.
However, allowing the user to decide about the order (using sysctls?) would
be the best solution.

regards,
--
Pawel Malachowski

----- End forwarded message -----

--
Johan Karlsson mailto:johan@FreeBSD.org
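
The ordering problem described in the forwarded message, as an added example that is not part of the original mail or of the linked diff: a small Python model of the outbound path on fxp0 in which the IPFilter hook does ipnat-style source rewriting and the IPFW hook feeds a dummynet-style pipe with a source-IP mask. The addresses, function names and packet list are constructed for illustration; the model counts dynamic queues only and does not emulate bandwidth limits.

```python
import ipaddress

# Constructed sample data: LAN hosts behind one assumed public address on fxp0.
PUBLIC_IP = ipaddress.IPv4Address("192.0.2.1")
LAN_PACKETS = [                      # (src, dst) of packets leaving via fxp0
    ("10.0.0.11", "198.51.100.7"),
    ("10.0.0.12", "198.51.100.7"),
    ("10.0.0.11", "198.51.100.9"),
    ("10.0.1.20", "198.51.100.7"),
]

def nat(pkt):
    """Model of an ipnat map rule: every outgoing source becomes PUBLIC_IP."""
    return {**pkt, "src": PUBLIC_IP}

def make_shaper(mask):
    """Model of a pipe with a src-ip mask: one dynamic queue per masked source."""
    queues = {}
    def shape(pkt):
        key = ipaddress.IPv4Address(int(pkt["src"]) & mask)
        queues.setdefault(key, []).append(pkt)
        return pkt
    return shape, queues

def run(order, mask=0xFFFFFFFF):
    """Pass each packet through the hooks in `order`; return packets per queue."""
    shape, queues = make_shaper(mask)
    hooks = {"ipfilter": nat, "ipfw": shape}
    for src, dst in LAN_PACKETS:
        pkt = {"src": ipaddress.IPv4Address(src),
               "dst": ipaddress.IPv4Address(dst)}
        for name in order:
            pkt = hooks[name](pkt)
        # Either order puts the same translated packet on the wire.
        assert pkt["src"] == PUBLIC_IP
    return {str(k): len(v) for k, v in queues.items()}

if __name__ == "__main__":
    # Order reported in the mail: NAT first, so the shaper sees one source.
    print("IPFilter -> IPFW:", run(("ipfilter", "ipfw")))
    # Order proposed in the mail: shaper first, so each LAN host gets a queue.
    print("IPFW -> IPFilter:", run(("ipfw", "ipfilter")))
```

With the reported order every packet lands in a single queue keyed by the public address, so a per-source limit cannot tell the LAN hosts apart; with the proposed order the same mask yields one queue per host.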