From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 14:10:18 2003
Date: Tue, 6 May 2003 14:10:17 -0700 (PDT)
Message-Id: <200305062110.h46LAHjf075948@freefall.freebsd.org>
From: Johan Karlsson
To: ipfw@FreeBSD.org
Reply-To: Johan Karlsson
Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
List-Id: IPFW Technical Discussions

The following reply was made to PR kern/46564; it has been noted by GNATS.

From: Johan Karlsson
To: Bug followup
Cc:
Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Date: Tue, 6 May 2003 23:09:41 +0200

Adding to the audit-trail.

----- Forwarded message from Pawel Malachowski -----

From: "Pawel Malachowski"
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Date: Tue, 06 May 2003 22:47:21 +0200

Hello,

Here is an example:

(private IPs)LAN---(fxp1)BOX(fxp0)---Internet

There are:
. dummynet running on fxp0
. ipnat running on fxp0

Right now outgoing packets on fxp0 go through ipnat and then through
dummynet. It is not possible to shape this traffic on a per-user basis
(for example with a src-ip mask) because after ipnatting all packets have
the same source IP.

Possible solutions are:

. use dummynet on fxp0
  This is not such a good idea if I have a huge number of local NICs and
  subnets because I have to make exceptions (ipfw skip) for local traffic.
  It is very easy and natural to use dummynet on the fxp0 interface for
  bandwidth limitation of `Internet' traffic.

. use natd instead of ipnat
  Successfully tested, but I simply prefer ipnat. :)

So, probably the packet flow should be:

incoming: IPFilter -> IPFW
outgoing: IPFW -> IPFilter

This code is `for private use' and is quite bad but does that (4.8):
http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff

I know the submitter tried something similar on his own, too. However,
allowing the user to decide about the order (using sysctls?) would be
the best solution.

regards,
--
Pawel Malachowski

----- End forwarded message -----

--
Johan Karlsson mailto:johan@FreeBSD.org
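The effect Pawel describes, ipnat rewriting the source address before dummynet gets to classify on it, can be shown with a small model of the outgoing path on fxp0. The C below is an added illustration, not FreeBSD kernel code and not the patch linked in the mail: the two hooks are simplified stand-ins, the LAN prefix 192.168.1.0/24, the public address 203.0.113.10 and the destination 198.51.100.1 are constructed for the example, and the "mask src-ip 0xffffffff" pipe is modelled as a flow id computed from the masked source address. The function `distinct_queues()` sends one packet from each of n LAN hosts through both hook orders and counts how many dummynet queues result; per-user shaping needs n, and NAT-first collapses it to 1.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the outgoing path on fxp0 from the mail above.
 * Not FreeBSD code: both hooks are simplified stand-ins. */

typedef struct {
    uint32_t src;   /* source address, host byte order */
    uint32_t dst;   /* destination address, host byte order */
} pkt_t;

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | \
                         (uint32_t)(c) << 8 | (uint32_t)(d))

/* Assumed addressing: LAN 192.168.1.0/24 behind fxp1, fxp0 holds
 * 203.0.113.10 (documentation range, chosen for the example). */
#define LAN_NET   IP4(192, 168, 1, 0)
#define LAN_MASK  0xffffff00u
#define PUBLIC_IP IP4(203, 0, 113, 10)

/* ipnat on fxp0: map 192.168.1.0/24 -> 203.0.113.10 on the way out. */
static void ipnat_out(pkt_t *p)
{
    if ((p->src & LAN_MASK) == LAN_NET)
        p->src = PUBLIC_IP;
}

/* dummynet on fxp0 with a pipe using "mask src-ip <src_mask>": one
 * queue per distinct masked source. Packets with equal ids share a queue. */
static uint32_t dummynet_flow_id(const pkt_t *p, uint32_t src_mask)
{
    return p->src & src_mask;
}

enum order { NAT_THEN_DUMMYNET, DUMMYNET_THEN_NAT };

/* Run one packet through both hooks in the given order and return the
 * flow id dummynet queued it under. */
static uint32_t ip_output_model(pkt_t p, enum order o, uint32_t src_mask)
{
    uint32_t flow;
    if (o == NAT_THEN_DUMMYNET) {      /* order described as current in the mail */
        ipnat_out(&p);
        flow = dummynet_flow_id(&p, src_mask);
    } else {                           /* proposed: IPFW/dummynet before IPFilter */
        flow = dummynet_flow_id(&p, src_mask);
        ipnat_out(&p);
    }
    return flow;
}

/* One packet from each of n LAN hosts (192.168.1.1 .. 192.168.1.n) to a
 * constructed Internet host; returns how many distinct queues they hit. */
int distinct_queues(enum order o, int n)
{
    uint32_t seen[64];
    int count = 0;
    if (n > 64) n = 64;
    for (int h = 1; h <= n; h++) {
        pkt_t p = { LAN_NET | (uint32_t)h, IP4(198, 51, 100, 1) };
        uint32_t f = ip_output_model(p, o, 0xffffffffu);
        int dup = 0;
        for (int i = 0; i < count; i++)
            if (seen[i] == f) { dup = 1; break; }
        if (!dup)
            seen[count++] = f;
    }
    return count;
}

int main(void)
{
    printf("ipnat then dummynet: %d queue(s) for 5 hosts\n",
           distinct_queues(NAT_THEN_DUMMYNET, 5));
    printf("dummynet then ipnat: %d queue(s) for 5 hosts\n",
           distinct_queues(DUMMYNET_THEN_NAT, 5));
    return 0;
}
```

The model only captures the ordering problem; it says nothing about how the real ip_output() hooks are wired, which is exactly what the linked diff and the suggested sysctl would change.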