Evaluating POSTROUTING hooks on packets after they leave dummynet

Jonathan Suever suever at gatech.edu
Tue Nov 14 17:49:36 UTC 2017


I'm using dummynet/ipfw for Linux on Ubuntu 14.04. I am trying to set up a
netfilter POSTROUTING hook that will be evaluated after packets pass
through dummynet. The POSTROUTING hook is set to have a lower priority than
dummynet, so I would imagine that it would be evaluated after dummynet
reinjects the packet into netfilter.

I don't have any problems when I don't configure any dummynet rules (IPFW
seems to be reinjecting the packet the way I'd expect). Once I add any
delays, bandwidth constraints, or packet loss, then the packets never reach
the POSTROUTING hook.

In digging into the dummynet source to figure out what's going on, I
realized that dummynet is reinjecting the packets into netfilter with the
NF_STOP flag
<https://github.com/luigirizzo/dummynet/blob/e717cdd4bef764a4aa7babedc54220b35b04c777/kipfw/ipfw2_mod.c#L624>.
As a result, it seems that the rest of the netfilter hooks registered with
POSTROUTING are not being evaluated for this packet. If I change the flag
to NF_ACCEPT, then the rest of the POSTROUTING hooks are evaluated as I
expected.

What is the reason to use NF_STOP over NF_ACCEPT in this particular case?
Is there any downside to replacing it with NF_ACCEPT for my use case, or is
there a more elegant way?

For reference, NF_STOP *used* to be defined as NF_ACCEPT in older kernel
versions
<https://github.com/luigirizzo/dummynet/blob/e717cdd4bef764a4aa7babedc54220b35b04c777/kipfw/ipfw2_mod.c#L424>.

Any insight would be greatly appreciated!

Thanks,
Jonathan
_________________________________
Jonathan Suever, PhD
Magnetic Resonance Research Center
Department of Biomedical Engineering/Bioengineering, Georgia Institute of
Technology
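
The verdict difference raised in the message above, as an added user-space model that is not part of the original post and is not dummynet or kernel code. It assumes the pre-4.10 Linux behaviour in which a reinjected NF_ACCEPT resumes with the next registered hook while NF_STOP goes straight to delivery; the hook names and the `reinject` helper are hypothetical, and only three verdicts are modelled.

```c
#include <stdio.h>
#include <stddef.h>

/* Verdict numbers as in <linux/netfilter.h> (the header is not included here). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOP = 5 };

struct hook { const char *name; int (*fn)(void); };
struct result { int later_hooks_run; int delivered; };

/* Constructed stand-ins: the hook that held the packet and a later hook. */
static int queueing_hook(void) { return NF_ACCEPT; } /* not re-run on reinject */
static int late_hook(void) { return NF_ACCEPT; }

/* Array order is evaluation order: index 0 runs before index 1. */
const struct hook postrouting[] = {
    { "dummynet (model)", queueing_hook },
    { "late_hook (hypothetical)", late_hook },
};
const size_t n_hooks = sizeof postrouting / sizeof postrouting[0];

/* Model of handing a held packet back to the chain from hook index `from`. */
struct result reinject(const struct hook *chain, size_t n, size_t from, int verdict)
{
    struct result r = { 0, 0 };
    if (verdict == NF_DROP)
        return r;                       /* packet discarded, nothing else runs */
    if (verdict == NF_ACCEPT) {         /* resume with the hook after `from` */
        for (size_t i = from + 1; i < n; i++) {
            int v = chain[i].fn();
            r.later_hooks_run++;
            if (v == NF_DROP)
                return r;               /* a later hook can still drop it */
            if (v == NF_STOP)
                break;                  /* a later hook can also cut the chain short */
        }
    }
    r.delivered = 1;                    /* NF_STOP reaches delivery without the loop */
    return r;
}

int main(void)
{
    struct result a = reinject(postrouting, n_hooks, 0, NF_ACCEPT);
    struct result s = reinject(postrouting, n_hooks, 0, NF_STOP);
    printf("NF_ACCEPT: later hooks run=%d delivered=%d\n", a.later_hooks_run, a.delivered);
    printf("NF_STOP:   later hooks run=%d delivered=%d\n", s.later_hooks_run, s.delivered);
    return 0;
}
```

In this model any filtering or logging hook registered after the queueing hook is bypassed for every packet reinjected with NF_STOP, which is the behaviour to check for when a later hook enforces policy.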

