On 05/21/15 at 02:05P, hiren panchasara wrote: > On 05/21/15 at 12:42P, hiren panchasara wrote: > > Getting back to this now to see if I can avoid ipfw on outgoing packets. > > > > @@ -500,7 +507,7 @@ ipfw_hook(int onoff, int pf) > > hook_func = (pf == AF_LINK) ? ipfw_check_frame : ipfw_check_packet; > > > > (void) (onoff ? pfil_add_hook : pfil_remove_hook) > > - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); > > + (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh); > > > > return 0; > > } > > > > Should this do the right thing? I'll report back once I test this patch. > > I am still seeing ipfw_chk() getting called in my iperf test. Now, if I > also remove PFIL_IN, i.e if I do: > - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); > + (hook_func, NULL, PFIL_WAITOK, pfh); > > I don't see ipfw_chk() getting triggered. > > Somehow incoming traffic is affecting the outgoing traffic?
It seems I screwed up something in testing and the following does seem to do the right thing: - (hook_func, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); + (hook_func, NULL, PFIL_IN | PFIL_WAITOK, pfh); I confirmed this with pmcstat callgraphs that ipfw_chk() is not getting called in OUT direction. Any thoughts on this? Is this something that can be upstreamed with a sysctl knob if there is interest? cheers, Hiren
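Review bot: Dropping PFIL_OUT from the flags argument of the `(onoff ? pfil_add_hook : pfil_remove_hook)` call is unconditional, and it applies to whichever hook function `pf` selects (ipfw_check_frame for AF_LINK as well as ipfw_check_packet), so any rule written to match outbound traffic stops being evaluated even though it remains in the ruleset. Make this opt-in behind the sysctl knob proposed in the message, keep `PFIL_IN | PFIL_OUT | PFIL_WAITOK` as the default, and document that enabling it turns off egress filtering. Because the same flags expression serves both the add and the remove path, a runtime knob also needs to record the flags used at registration so that pfil_remove_hook is called with the same set.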