ipfw dummynet vs. kernel NAT and firewall rules

Don Lewis truckman at FreeBSD.org
Wed Mar 9 21:03:51 UTC 2016


On  9 Mar, Michael Sierchio wrote:
> Rules will only match if all components match. So you seem to understand
> that packets will be seen twice - once IN, once OUT.  If you write
> 
> in recv EXT_IP
> out xmit EXT_IP
> 
> the rule actions won't get executed twice on packets.

That's what I'm using for the dummynet rules.  My concern was if the
re-injected packets were checked by all the rules starting from the top,
in which case out xmit would match both entering and leaving dummynet.
Since the implementation is smart enough to start checking where it
previously left off, that's not an issue.
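A ruleset in the shape the thread describes, as an added example rather than either poster's configuration: the interface name, the address, the pipe numbers and bandwidths are assumptions, and the net.inet.ip.fw.one_pass sysctl is the setting that decides whether a packet leaving dummynet is re-injected at the next rule at all.

```shell
# Added example (not the configuration from the thread). Assumed names:
# ext_if/ext_ip are the external interface and its address; pipes 1/2 and
# their bandwidths are placeholders. Requires FreeBSD with ipfw + dummynet.
ext_if="em0"
ext_ip="203.0.113.10"   # constructed, documentation range

load_rules() {
    # Re-inject packets into the ruleset after dummynet, resuming at the
    # rule after the pipe. With the default one_pass=1 the packet leaves the
    # firewall as soon as the pipe emits it, so the nat rule below would
    # never see inbound traffic that went through pipe 1.
    sysctl net.inet.ip.fw.one_pass=0

    ipfw -q flush
    ipfw -q pipe flush
    ipfw pipe 1 config bw 50Mbit/s    # inbound shaping
    ipfw pipe 2 config bw 10Mbit/s    # outbound shaping
    ipfw nat 1 config if "$ext_if"

    # Every packet traverses the firewall twice: once as it enters on one
    # interface, once as it leaves on another. Pairing a direction keyword
    # with an interface keyword (in recv / out xmit) makes each pipe rule
    # match exactly one of those two passes, so no packet is shaped twice.
    #
    # Inbound: dst is still ext_ip because NAT has not run yet, so this rule
    # must come before the nat rule.
    ipfw add 100 pipe 1 ip from any to "$ext_ip" in recv "$ext_if"

    # NAT on the external interface. An inbound packet returning from pipe 1
    # resumes here (rule 200), not at rule 100.
    ipfw add 200 nat 1 ip from any to any via "$ext_if"

    # Outbound: src is ext_ip only after NAT rewrote it, so this rule must
    # come after the nat rule. It cannot match the inbound packet above:
    # that packet is 'in', and 'xmit' never matches on the inbound pass.
    ipfw add 300 pipe 2 ip from "$ext_ip" to any out xmit "$ext_if"

    ipfw add 65000 allow ip from any to any
}

if command -v ipfw >/dev/null 2>&1; then
    load_rules
else
    echo "ipfw not found; this ruleset is meant for a FreeBSD host" >&2
fi
```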



More information about the freebsd-ipfw mailing list