Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Johan Karlsson
johan at freebsd.org
Tue May 6 14:10:18 PDT 2003
The following reply was made to PR kern/46564; it has been noted by GNATS.
From: Johan Karlsson <johan at freebsd.org>
To: Bug followup <bug-followup at freebsd.org>
Cc:
Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Date: Tue, 6 May 2003 23:09:41 +0200
Adding to the audit-trail.
----- Forwarded message from Pawel Malachowski <pawmal at unia.3lo.lublin.pl> -----
From: "Pawel Malachowski" <pawmal at unia.3lo.lublin.pl>
To: johan at FreeBSD.org, freebsd-bugs at FreeBSD.org, ipfw at FreeBSD.org
Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible>
Date: Tue, 06 May 2003 22:47:21 +0200
Hello,
Here is an example:
(private IPs)LAN---(fxp1)BOX(fxp0)---Internet
There are:
. dummynet running on fxp0
. ipnat running on fxp0
Right now outgoing packets on fxp0 go through ipnat and then through
dummynet. It is not possible to shape this traffic on a per-user
basis (for example with a src-ip mask) because after ipnatting all packets
have the same source IP. Possible solutions are:
. use dummynet on fxp0
This is not such a good idea if I have a huge number of
local NICs and subnets because I have to make exceptions
(ipfw skip) for local traffic.
It is very easy and natural to use dummynet on the fxp0
interface for bandwidth limitation of `Internet' traffic.
. use natd instead of ipnat
Successfully tested, but I simply prefer ipnat. :)
So, probably the packet flow should be:
incoming: IPFilter -> IPFW
outgoing: IPFW -> IPFilter
This code is `for private use' and is quite bad but does that (4.8):
http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff
I know the submitter tried something similar on his own, too.
However, allowing the user to decide about the order (using sysctls?) would
be the best solution.
regards,
--
Pawel Malachowski
----- End forwarded message -----
--
Johan Karlsson mailto:johan at FreeBSD.org
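The ordering problem Pawel describes in the forwarded message can be seen in a small model of the two outbound stages. The following is an added simulation written for this archive page; it is not part of the thread and not FreeBSD kernel code. It models ipnat as "rewrite a private source address to the public address of fxp0" and a dummynet pipe configured with a src-ip mask as "pick a flow queue keyed by the masked source address". The LAN prefix, the public address and the packets are constructed sample values.

```python
"""Model of the outbound packet path on fxp0 to show why the relative order
of ipnat (IPFilter NAT) and dummynet (ipfw traffic shaping) matters when
the pipe is keyed by source address.  Constructed example, not FreeBSD code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # constructed private LAN behind fxp1
PUBLIC_IP = "203.0.113.10"            # constructed public address of fxp0 (TEST-NET-3)


def ipnat(pkt):
    """Model of an ipnat 'map fxp0 192.168.1.0/24 -> 203.0.113.10/32' rule:
    any packet with a private LAN source leaves with the public address."""
    if ip_address(pkt["src"]) in LAN:
        return {**pkt, "src": PUBLIC_IP}
    return pkt


def dummynet_queue(pkt, mask_bits=32):
    """Model of 'ipfw pipe N config mask src-ip ...': the flow queue a packet
    lands in is its source address after applying the configured mask.
    mask_bits=32 means one queue per host (0xffffffff), 24 one per /24."""
    masked = ip_network(f"{pkt['src']}/{mask_bits}", strict=False)
    return str(masked.network_address)


def process(packets, order, mask_bits=32):
    """Push every packet through the stages in the given order and return
    {queue_key: packet_count}, i.e. how dummynet would have grouped traffic."""
    queues = defaultdict(int)
    for pkt in packets:
        for stage in order:
            if stage == "ipnat":
                pkt = ipnat(pkt)
            elif stage == "dummynet":
                queues[dummynet_queue(pkt, mask_bits)] += 1
            else:
                raise ValueError(f"unknown stage {stage!r}")
    return dict(queues)


# Constructed outbound packets from two LAN hosts to an Internet destination.
SAMPLE = [
    {"src": "192.168.1.10", "dst": "198.51.100.5"},
    {"src": "192.168.1.11", "dst": "198.51.100.5"},
    {"src": "192.168.1.10", "dst": "198.51.100.5"},
]


def current_order():
    """Outgoing path as described in the message: ipnat first, then dummynet.
    Every packet already carries PUBLIC_IP, so all traffic shares one queue."""
    return process(SAMPLE, ["ipnat", "dummynet"])


def proposed_order():
    """Outgoing path proposed in the message: IPFW (dummynet) before IPFilter (ipnat).
    dummynet still sees the private source, so each LAN host gets its own queue."""
    return process(SAMPLE, ["dummynet", "ipnat"])


if __name__ == "__main__":
    print("ipnat -> dummynet :", current_order())
    print("dummynet -> ipnat :", proposed_order())
```

With the current order the model returns a single queue keyed by the public address; with the proposed order it returns one queue per LAN host, which is exactly what a per-user src-ip mask on the pipe is meant to achieve. Passing mask_bits=24 shows the same effect at subnet granularity.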