ipfw on just inbound and not outbound
hiren panchasara
hiren at strugglingcoder.info
Sat May 23 00:58:36 UTC 2015
On 05/21/15 at 02:05P, hiren panchasara wrote:
> On 05/21/15 at 12:42P, hiren panchasara wrote:
> > Getting back to this now to see if I can avoid ipfw on outgoing packets.
> >
> > @@ -500,7 +507,7 @@ ipfw_hook(int onoff, int pf)
> > hook_func = (pf == AF_LINK) ? ipfw_check_frame : ipfw_check_packet;
> >
> > (void) (onoff ? pfil_add_hook : pfil_remove_hook)
> > - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
> > + (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh);
> >
> > return 0;
> > }
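Review bot: on the changed flags line, the mask is shared by both branches of `(onoff ? pfil_add_hook : pfil_remove_hook)` and by both values of hook_func, so dropping PFIL_OUT here is unconditional for ipfw_check_frame (AF_LINK) as well as ipfw_check_packet. If the intent is only to skip outbound IP processing, keep `PFIL_IN | PFIL_OUT` for the AF_LINK case, or state in a comment that layer-2 outbound filtering goes away too. Should the direction ever become selectable at run time, the remove call needs the mask the hook was added with, not the current setting.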
> >
> > Should this do the right thing? I'll report back once I test this patch.
>
> I am still seeing ipfw_chk() getting called in my iperf test. Now, if I
> also remove PFIL_IN, i.e. if I do:
> - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
> + (hook_func, NULL, PFIL_WAITOK, pfh);
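Review bot: the `+` line passes only PFIL_WAITOK, so the hook is requested for neither direction; ipfw_chk() going quiet with this mask is what detaching ipfw entirely looks like and does not separate inbound callers from outbound ones. To tell the directions apart, compare `PFIL_IN | PFIL_WAITOK` with `PFIL_OUT | PFIL_WAITOK` and look at which caller reaches ipfw_chk().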
>
> I don't see ipfw_chk() getting triggered.
>
> Somehow incoming traffic is affecting the outgoing traffic?

It seems I screwed up something in testing and the following does seem to do the
right thing:

- (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
+ (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh);
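Review bot: the `+` line hard-codes the inbound-only mask, which changes default behaviour for every ruleset: rules that match on `out` would stop being evaluated, with nothing to tell the administrator why. Take the direction mask from a variable that defaults to `PFIL_IN | PFIL_OUT`, so existing firewalls keep filtering outbound traffic unless the operator opts out, and document the option next to this call.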

I confirmed with pmcstat callgraphs that ipfw_chk() is not getting
called in the OUT direction.

Any thoughts on this? Is this something that can be upstreamed with a
sysctl knob if there is interest?

cheers,
Hiren