IPFW transparent VS dummynet rules
budsz
budiyt at gmail.com
Sun Jan 8 10:50:29 UTC 2012
On Sun, Jan 8, 2012 at 1:00 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
> On Sat, 7 Jan 2012, budsz wrote:
> [..]
> > > keyword instead of an explicit address. The search terminates if
> > > this rule matches.
> > >
> > > Note particularly the last sentence. You'll have to do your dummynet
> > > piping first, if it is to apply also to forwarded packets.
> > >
> > > (sysctl)
> > > net.inet.ip.fw.one_pass: 1
> > > When set, the packet exiting from the dummynet pipe or from
> > > ng_ipfw(4) node is not passed through the firewall again.
> > > Otherwise, after an action, the packet is reinjected into the
> > > firewall at the next rule.
> > >
> > > It seems that you may have one_pass set to 1. Set to 0, packets will
> > > continue through the ruleset on exit from pipe/s, so to your fwd rule.
> > >
> > > cheers, Ian
> >
> > Thank you very much, lazy to read ipfw(8) :)
> >
> > pipe pipe_nr
> > Pass packet to a dummynet ``pipe'' (for bandwidth limitation,
> > delay, etc.). See the TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
> > Section for further information. The search terminates; however,
> > on exit from the pipe and if the sysctl(8) variable
> > net.inet.ip.fw.one_pass is not set, the packet is passed again to
> > the firewall code starting from the next rule.
> >
> >
> > --
> > budsz
>
> No problem. However it's considered good form to also copy responses
> cc'd back to the two lists this thread appears on, for the archives.
>
> Not that I need the credit, but it shows that the advice was useful, and
> that other list members need not also respond, thinking it unresolved.
>
> cheers, Ian
OK, thank you for reminding me :)
TIA
--
budsz
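
Added example, not part of the original thread: a simplified Python model of the rule traversal discussed above. It shows why the pipe rule must come before the fwd rule, and why net.inet.ip.fw.one_pass must be 0 for a piped packet to reach the fwd rule. The rule numbers, pipe number and proxy address are constructed values, and matching is reduced to the destination port.

```python
# Simplified model of ipfw(8) rule traversal, for illustration only.
# Rule numbers, pipe number and the proxy address are constructed values.
# Each rule is (number, action, dst_port); dst_port None matches any packet.

RULESET_FWD_FIRST = [
    (100, "fwd 127.0.0.1,3128", 80),
    (200, "pipe 1", None),
    (65535, "allow", None),
]

RULESET_PIPE_FIRST = [
    (100, "pipe 1", None),
    (200, "fwd 127.0.0.1,3128", 80),
    (65535, "allow", None),
]


def traverse(ruleset, dst_port, one_pass):
    """Return the (number, action) pairs applied to one packet, in order."""
    applied = []
    for number, action, port in sorted(ruleset):
        if port is not None and port != dst_port:
            continue  # rule does not match this packet
        applied.append((number, action))
        if action.startswith("pipe") and not one_pass:
            continue  # on exit from the pipe, reinjected at the next rule
        break  # fwd, allow, or pipe with one_pass=1: the search terminates
    return applied


if __name__ == "__main__":
    cases = [
        ("fwd first, one_pass=0", RULESET_FWD_FIRST, 0),
        ("pipe first, one_pass=1", RULESET_PIPE_FIRST, 1),
        ("pipe first, one_pass=0", RULESET_PIPE_FIRST, 0),
    ]
    for label, ruleset, one_pass in cases:
        print(label, "->", traverse(ruleset, 80, one_pass))
```

Only the last case applies both the shaping and the transparent forward to a port 80 packet.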