Date: Thu, 10 Mar 2016 14:25:59 -0800 (PST) From: Don Lewis <truckman@FreeBSD.org> To: julian@freebsd.org Cc: fjwcash@gmail.com, freebsd-ipfw@freebsd.org Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules Message-ID: <201603102226.u2AMPxEe016166@gw.catspoiler.org> In-Reply-To: <56E1D7F3.5040101@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10 Mar, Julian Elischer wrote: > On 9/03/2016 1:00 PM, Don Lewis wrote: >> On 9 Mar, Don Lewis wrote: >>> On 9 Mar, Don Lewis wrote: >>>> On 9 Mar, Freddie Cash wrote: >>>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? >>>> Aha, I've got it set to 1. >>>> >>>>> If set to 1, the a dummynet match ends the trip through the rules, >>>>> and the packet never gets to the NAT rules. Or, if a NAT rule >>>>> matches, the trip through the rules ends, and it never get to the >>>>>dummynet rules. Depending on which you have first. >>>> Dummynet is first. >>>> >>>>> You'll need to set net.inet.ip.fw.one_pass?=0 in order to >>>>> re-inject the packet into the rules after it matches a dummynet or >>>>> NAT rule. Or, do the NAT and dummynet rules on different >>>>>interfaces to match different traffic. How do I prevent the >>>>>re-injected packets from being sent back into >>>> dummynet? My NAT rule looks like it could have the same problem, >>>>but that looks fixable. >>> I just read the fine man page and is says that after re-injection >>> the packet starts with the next rule ... cool! > > actually it doesn't... it starts at the next rule NUMBER which may be > a different thing. Well, I'm using a tweaked copy of /etc/rc.firewall which doesn't specify rule numbers, so the rules are automatically numbered in steps of 100 according to the order in which they are listed in the file.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603102226.u2AMPxEe016166>