Rule action "queue" also causes search to terminate, yes?

Rodney W. Grimes freebsd-rwg at pdx.rh.CN85.dnsmgr.net
Mon Dec 18 20:18:09 UTC 2017 

-- Start of PGP signed section.
> The ipfw(8) man page explicitly states that rule actions:
> 
> * allow | accept | pass | permit
> * deny | drop
> * divert
> * reset | reset6
> * unreach | unreach6
> * abort | abort6
> 
> cause "search terminat[ion]".
> 
> 
> The description for "queue," however, is:
> 
>      queue queue_nr
>              Pass packet to a dummynet ``queue'' (for bandwidth limitation
>              using WF2Q+).
> 
> 
> In particular, there is no statement that "The search terminates" (as
> there is for the above-cited rule actions).
> 
> My (admittedly quick) reading of the code suggests that for the "queue"
> rule action, the search does, in fact, terminate.  This also seems to be
> borne out by empirical evidence (now that I have a "queue" rule in my
> active set of rules on my laptop):
> 
> ...
> 04300  1086    92998 skipto 60000 udp from 192.168.23.119 to any dst-port 53 keep-state :default
> 04400     0        0 deny log udp from any to any dst-port 123 iplen 0-75
> 04500   155    11780 skipto 60000 udp from 192.168.23.119 to any dst-port 123 keep-state :default
> 04600     0        0 skipto 60000 udp from any 123 to 255.255.255.255 dst-port 123 keep-state :default
> 04700     0        0 skipto 60000 udp from 192.168.23.119 to any keep-state :default
> 04800     0        0 deny log ip from any to any
> 60000 35471 18109017 allow ip from any to any in
> 60100 32582  5110013 queue 1 ip from any to any out
> 65535     1      340 deny ip from any to any
> 
> 
> So:
> * Is my reading of the code -- that "queue" (also) casues the search to
>   terminate) correct?
> 
> * If so, is a change to the ipfw(8) page (to state that explicitly)
>   warranted?  (As someone who was recently trying to figure some of this
>   stuff out, I believe that such a statement -- if it is true! -- would
>   have been helpful for me.)

I believe that the behavior of a queue is that of a pipe, and the
"termination" condition is dependent on net.inet.ip.fw.one_pass.

You are correct though the manual page does not document this for
a queue.  At least any place I could find.


-- 
Rod Grimes                                                 rgrimes at freebsd.org

More information about the freebsd-ipfw mailing list