On 10 Mar, Julian Elischer wrote:
> On 9/03/2016 1:00 PM, Don Lewis wrote:
>> On 9 Mar, Don Lewis wrote:
>>> On 9 Mar, Don Lewis wrote:
>>>> On 9 Mar, Freddie Cash wrote:
>>>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>>>> Aha, I've got it set to 1.
>>>>
>>>>> If set to 1, a dummynet match ends the trip through the rules,
>>>>> and the packet never gets to the NAT rules. Or, if a NAT rule
>>>>> matches, the trip through the rules ends, and it never gets to the
>>>>> dummynet rules. Depending on which you have first.
>>>> Dummynet is first.
>>>>
>>>>> You'll need to set net.inet.ip.fw.one_pass=0 in order to
>>>>> re-inject the packet into the rules after it matches a dummynet or
>>>>> NAT rule. Or, do the NAT and dummynet rules on different
>>>>> interfaces to match different traffic.
>>>> How do I prevent the re-injected packets from being sent back into
>>>> dummynet? My NAT rule looks like it could have the same problem,
>>>> but that looks fixable.
>>> I just read the fine man page and it says that after re-injection
>>> the packet starts with the next rule ... cool!
>
> actually it doesn't... it starts at the next rule NUMBER which may be
> a different thing.
Well, I'm using a tweaked copy of /etc/rc.firewall which doesn't specify
rule numbers, so the rules are automatically numbered in steps of 100
according to the order in which they are listed in the file.

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
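A worked configuration for the situation the thread describes, added here as an example and not taken from any of the posters or from /etc/rc.firewall: it sets net.inet.ip.fw.one_pass to 0 so a packet is re-injected after a dummynet or NAT match, and gives the pipe and nat rules explicit numbers so the re-injection point after the pipe is the NAT rule, which is the point Julian raises about re-injection resuming at the next rule number rather than the next line of a file. With one_pass left at 1 and this same ordering, only the pipe would ever be applied. The interface name em0, the pipe bandwidth and the rule numbers are assumed values; the ipfw_cmd wrapper only prints the commands unless DRY_RUN=0, so the ruleset can be generated and checked on any machine, and check_order verifies that every dummynet rule number is lower than the NAT rule number.

```shell
# Added example (not from the thread): dummynet shaping plus in-kernel NAT
# on the same interface with net.inet.ip.fw.one_pass=0.
# Assumed values: external interface em0, 10 Mbit/s pipe, rule numbers
# 100/200/65000. Commands are printed unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-em0}"   # assumed external interface name

# Wrapper: echo the ipfw command in dry-run mode, execute it otherwise.
ipfw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

build_ruleset() {
    # With one_pass=1 the first pipe/queue or nat match ends the rule walk,
    # so whichever of dummynet/NAT comes first is the only one applied.
    # one_pass=0 re-injects the packet at the next rule NUMBER instead.
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl net.inet.ip.fw.one_pass=0"
    else
        sysctl net.inet.ip.fw.one_pass=0
    fi

    ipfw_cmd -q flush
    ipfw_cmd pipe 1 config bw 10Mbit/s
    ipfw_cmd nat 1 config if "$EXT_IF"

    # Explicit numbers: a packet matched by rule 100 re-enters at the next
    # rule number, which is 200 (NAT), so it is not shaped a second time.
    ipfw_cmd add 100 pipe 1 ip from any to any via "$EXT_IF"
    ipfw_cmd add 200 nat 1 ip from any to any via "$EXT_IF"
    ipfw_cmd add 65000 allow ip from any to any
}

# Reads the generated commands on stdin and exits 0 only if every
# dummynet (pipe/queue) rule number is lower than the lowest nat rule
# number, i.e. re-injection after shaping lands on or before the NAT rule.
check_order() {
    awk '
        /^ipfw add [0-9]+ (pipe|queue) / { if ($3 + 0 > maxpipe) maxpipe = $3 + 0 }
        /^ipfw add [0-9]+ nat /          { if (!natset || $3 + 0 < nat) { nat = $3 + 0; natset = 1 } }
        END { exit !(natset && maxpipe < nat) }
    '
}

# Usage: generate the ruleset and confirm the ordering before applying it.
if build_ruleset | check_order; then
    build_ruleset
else
    echo "ruleset ordering check failed" >&2
fi
```

If rc.firewall-style autonumbering is kept instead, the same check can be run over the output of `ipfw list`, since the rule number is still the third field of each line.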
