I'm using dummynet/ipfw for Linux on Ubuntu 14.04. I am trying to set up a netfilter POSTROUTING hook that will be evaluated after packets pass through dummynet. The POSTROUTING hook is set to have a lower priority than dummynet, so I would imagine that it would be evaluated after dummynet reinjects the packet into netfilter.
I don't have any problems when I don't configure any dummynet rules (IPFW seems to be reinjecting the packet the way I'd expect). Once I add any delays, bandwidth constraints, or packet loss, then the packets never reach the POSTROUTING hook.

In digging into the dummynet source to figure out what's going on, I realized that dummynet is reinjecting the packets into netfilter with the NF_STOP flag <https://github.com/luigirizzo/dummynet/blob/e717cdd4bef764a4aa7babedc54220b35b04c777/kipfw/ipfw2_mod.c#L624>. As a result, it seems that the rest of the netfilter hooks registered with POSTROUTING are not being evaluated for this packet. If I change the flag to NF_ACCEPT, then the rest of the POSTROUTING hooks are evaluated as I expected.

What is the reason to use NF_STOP over NF_ACCEPT in this particular case? Is there any downside to replacing it with NF_ACCEPT for my use case, or is there a more elegant way?

For reference, NF_STOP *used* to be defined as NF_ACCEPT in older kernel versions <https://github.com/luigirizzo/dummynet/blob/e717cdd4bef764a4aa7babedc54220b35b04c777/kipfw/ipfw2_mod.c#L424>.

Any insight would be greatly appreciated!

Thanks,
Jonathan

Jonathan Suever, PhD
Magnetic Resonance Research Center
Department of Biomedical Engineering/Bioengineering,
Georgia Institute of Technology
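
The hook-traversal behaviour described in the message above, as an added illustration that is not part of the original post or of dummynet's code: a simplified user-space C model (not kernel code) of how a packet queued by one hook continues when it is reinjected with NF_ACCEPT versus NF_STOP. The two-hook chain, the hook names and the priority values are assumptions made for the example; the verdict values are those defined in linux/netfilter.h.

```c
#include <stdio.h>
#include <stddef.h>
/* Verdict values from the Linux uapi header linux/netfilter.h. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_STOP = 5 };

/* Simplified user-space model of a hook chain; names are hypothetical. */
struct hook { int priority; int (*fn)(void); int calls; };
static int shaper_fn(void) { return NF_QUEUE; }  /* packet held for delay/loss */
static int later_fn(void)  { return NF_ACCEPT; } /* hook meant to run afterwards */

/* Sorted as netfilter orders hooks: ascending priority value. */
static struct hook chain[] = { { 0, shaper_fn, 0 }, { 100, later_fn, 0 } };
#define NHOOKS (sizeof chain / sizeof chain[0])
static int delivered; /* set when the packet reaches the okfn continuation */

/* Call hooks from index i; stop at the first verdict other than NF_ACCEPT. */
static int traverse(size_t i, size_t *stopped_at)
{
    for (; i < NHOOKS; i++) {
        chain[i].calls++;
        int v = chain[i].fn();
        if (v != NF_ACCEPT) { *stopped_at = i; return v; }
    }
    return NF_ACCEPT;
}

/* Reinjection: NF_ACCEPT resumes after the queuing hook, NF_STOP skips the rest. */
static void reinject(size_t queued_at, int verdict)
{
    size_t unused;
    if (verdict == NF_ACCEPT)
        verdict = traverse(queued_at + 1, &unused);
    delivered = (verdict == NF_ACCEPT || verdict == NF_STOP);
}

/* How often the later hook ran for one packet reinjected with `verdict`. */
int later_calls_after_reinject(int verdict)
{
    size_t at = 0;
    delivered = 0;
    chain[0].calls = chain[1].calls = 0;
    if (traverse(0, &at) == NF_QUEUE)
        reinject(at, verdict);
    return chain[1].calls;
}

int main(void)
{
    printf("NF_STOP:   %d\n", later_calls_after_reinject(NF_STOP));
    printf("NF_ACCEPT: %d\n", later_calls_after_reinject(NF_ACCEPT));
}
```

In both cases the packet is still delivered; only the NF_ACCEPT reinjection lets the later hook see it, so any filtering or accounting done in that hook is bypassed for shaped traffic under NF_STOP.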