nested ipfw dummynet pipes

Don Bowman don at sandvine.com
Fri Jun 20 11:58:14 PDT 2003


From: 'Luigi Rizzo' [mailto:rizzo at icir.org]
> On Fri, Jun 20, 2003 at 02:18:17PM -0400, Don Bowman wrote:
> ...
> > Thanks very much, I will check this. I assume this will be true
> > for IPFW2 rather than IPFW.
> 
> one_pass actually affects both.
> The comment in parentheses refers to "layer 2 firewalling",
> which is an ipfw2-only feature (bridge firewalling
> is also available with ipfw1).

This works correctly, thanks very much. Attached is a trivial
patch to correct the man page.

Is there a benefit to having the single wide pipe first, or
the many narrow pipes first, in the ruleset?

$ cvs diff -U5 ipfw.8
Index: ipfw.8
===================================================================
RCS file: /usr/cvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.63.2.28
diff -U5 -r1.63.2.28 ipfw.8
--- ipfw.8      30 Sep 2002 20:57:05 -0000      1.63.2.28
+++ ipfw.8      20 Jun 2003 18:49:02 -0000
@@ -1587,14 +1587,10 @@
 When set, the packet exiting from the
 .Xr dummynet 4
 pipe is not passed though the firewall again.
 Otherwise, after a pipe action, the packet is
 reinjected into the firewall at the next rule.
-.Pp
-Note: bridged and layer 2 packets coming out of a pipe
-are never reinjected in the firewall irrespective of the
-value of this variable.
 .It Em net.inet.ip.fw.verbose : No 1
 Enables verbose messages.
 .It Em net.inet.ip.fw.verbose_limit : No 0
 Limits the number of messages produced by a verbose firewall.
 .It Em net.link.ether.ipfw : No 0
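
Review bot: Deleting the `Note:` paragraph (the four removed lines starting at `.Pp`) leaves this entry with no statement at all about bridged and layer 2 packets, so a reader of the new page cannot tell whether they are reinjected after a pipe. Since the reply quoted above says one_pass affects both cases, consider replacing the note with one sentence saying that bridged and layer 2 packets leaving a pipe follow this variable like any other packet, rather than only removing it. While this paragraph is being touched, the unchanged context line `pipe is not passed though the firewall again.` has "though" where "through" is meant and could be fixed in the same change.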