packet order, ipf or ipfw
Dinesh Nair
dinesh at alphaque.com
Fri Jul 30 04:30:00 PDT 2004
On Thu, 29 Jul 2004, Jeremie Le Hen wrote:
> Hello Charlie,
>
> > I'm running ipf because I like it ...but now I need to use ipfw's pipe
> > feature. I was thinking that I could just run both, and keep all my
> > rules in ipf, then in ipfw: limit bandwidth for a few vlans, then allow all.
> >
> > It didn't work (no rate-limiting happened).. and I'm thinking that ipf
> > is passing the packets and bypassing ipfw? Or something..
> >
> > So, what is the order, if I'm running ipf AND ipfw at the same time?
> > Will it work at all in this manner?
>
> But you should be warned that using ipnat(8) in conjunction with ipfw
> pipes may lead to an incorrect behaviour:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685
in addition, http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/46564
reverses the order in which ipfw/ipfilter/ipnat process packets in
ip_output.c to make it consistent if both are used.

by default the flow is:

wire -> ipnat -> ipfilter -> ipfw -> kernel -> ipfilter -> ipnat -> ipfw

the patch in the above PR changes it to:

wire -> ipnat -> ipfilter -> ipfw -> kernel -> ipfw -> ipfilter -> ipnat

personally, i prefer the patch to ip_output as it makes it cleaner when
you're separating between using ipfw/dummynet for shaping and
ipfilter/ipnat for firewalling.
Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque.com             (0 0)   http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|     echo "The opinions here in no way reflect the opinions of my $a $b."|
|   done; done                                                            |
+=========================================================================+
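To make the two processing orders in the post concrete, here is an added Python model (not code from this thread, from FreeBSD, or from the PRs cited) of the inbound path and of the default and patched outbound paths Dinesh lists. The one-to-one NAT mapping, the addresses and the pass-through ipfilter/ipfw stages are constructed for the example. The model shows only that the position of ipnat relative to ipfw decides whether ipfw sees translated or untranslated addresses on the outbound path, which is what "consistent" refers to above; it does not reproduce the actual defect tracked in kern/61685, which this page does not describe.

```python
"""Model of the ipnat / ipfilter / ipfw stage order quoted in the thread.

Constructed example: the stage functions stand in for the real kernel hooks,
and the NAT mapping and addresses are made up for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" (arriving from the wire) or "out" (leaving the kernel)


# Constructed one-to-one NAT mapping: inside host <-> public address.
INTERNAL = "10.0.0.5"
PUBLIC = "203.0.113.1"


def ipnat(pkt: Packet) -> Packet:
    """Rewrite addresses the way a static ipnat mapping would."""
    if pkt.direction == "out" and pkt.src == INTERNAL:
        return replace(pkt, src=PUBLIC)
    if pkt.direction == "in" and pkt.dst == PUBLIC:
        return replace(pkt, dst=INTERNAL)
    return pkt


def ipfilter(pkt: Packet) -> Packet:
    """Filtering stage; passes everything here so that only ordering matters."""
    return pkt


def ipfw(pkt: Packet) -> Packet:
    """Shaping stage; also pass-through, the trace records what it was shown."""
    return pkt


STAGES = {"ipnat": ipnat, "ipfilter": ipfilter, "ipfw": ipfw}

# Orders as stated in the post: "wire -> ..." is the inbound path,
# "kernel -> ..." the outbound path.
DEFAULT_IN = ("ipnat", "ipfilter", "ipfw")
DEFAULT_OUT = ("ipfilter", "ipnat", "ipfw")
PATCHED_OUT = ("ipfw", "ipfilter", "ipnat")  # outbound order after kern/46564


def run(order, pkt: Packet) -> dict:
    """Push pkt through the stages in order; return {stage: packet as it saw it}."""
    seen = {}
    for name in order:
        seen[name] = pkt
        pkt = STAGES[name](pkt)
    return seen


def ipfw_pipe_matches(order, pkt: Packet, inside_host: str = INTERNAL) -> bool:
    """Would an ipfw pipe rule keyed on the inside host address match this packet?"""
    shown = run(order, pkt)["ipfw"]
    return inside_host in (shown.src, shown.dst)


if __name__ == "__main__":
    # Constructed traffic: a reply coming in to the public address and a
    # request going out from the inside host.
    inbound = Packet(src="198.51.100.7", dst=PUBLIC, direction="in")
    outbound = Packet(src=INTERNAL, dst="198.51.100.7", direction="out")
    for label, order, pkt in (("default in ", DEFAULT_IN, inbound),
                              ("default out", DEFAULT_OUT, outbound),
                              ("patched out", PATCHED_OUT, outbound)):
        shown = run(order, pkt)["ipfw"]
        print(f"{label}: ipfw sees {shown.src} -> {shown.dst}; "
              f"pipe keyed on {INTERNAL} matches: {ipfw_pipe_matches(order, pkt)}")
```

In the model, a pipe rule written for the inside address matches on the inbound path (ipnat has already translated the public destination back) but not on the default outbound path, where ipfw runs after ipnat and is shown the public source; with the patched outbound order ipfw runs first and sees the inside address in both directions. Any real rule set has to be written for whichever of the two orders the kernel actually uses.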