Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Don Lewis
On 11 Mar, Ian Smith wrote: > On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote: > > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > > > On 9 Mar, Don Lewis wrote: > > > > > On 9 Mar, Don Lewis wrote: > > > > >> On 9 Mar,

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Ian Smith
On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote: > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > > On 9 Mar, Don Lewis wrote: > > > > On 9 Mar, Don Lewis wrote: > > > >> On 9 Mar, Don Lewis wrote: > > > >>> On 9 Mar,

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Don Lewis
On 10 Mar, Julian Elischer wrote: > On 9/03/2016 9:32 AM, Don Lewis wrote: >> I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this >> patch: , but I'm >> running into a problem that I think is caused by an interaction between >>

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Don Lewis
On 10 Mar, Julian Elischer wrote: > On 9/03/2016 1:00 PM, Don Lewis wrote: >> On 9 Mar, Don Lewis wrote: >>> On 9 Mar, Don Lewis wrote: On 9 Mar, Freddie Cash wrote: > Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? Aha, I've got it set to 1. > If set to 1,

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Julian Elischer
On 10/03/2016 11:35 AM, Mark Felder wrote: On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > >> On 9 Mar, Don Lewis wrote: > >>> On 9 Mar, Freddie Cash wrote: >

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Julian Elischer
On 9/03/2016 10:53 PM, Ian Smith wrote: On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > >> On 9 Mar, Don Lewis wrote: > >>> On 9 Mar, Freddie Cash wrote: > > Do you have the sysctl net.inet.ip.fw.one_pass

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Julian Elischer
On 9/03/2016 9:32 AM, Don Lewis wrote: I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this patch: , but I'm running into a problem that I think is caused by an interaction between in-kernel NAT and dummynet. I've set up two

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Julian Elischer
On 9/03/2016 1:00 PM, Don Lewis wrote: On 9 Mar, Don Lewis wrote: On 9 Mar, Don Lewis wrote: On 9 Mar, Freddie Cash wrote: Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? Aha, I've got it set to 1. If set to 1, a dummynet match ends the trip through the rules, and the

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Mark Felder
On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > > > On 9 Mar, Don Lewis wrote: > > >> On 9 Mar, Don Lewis wrote: > > >>> On 9 Mar, Freddie Cash wrote: > > > > Do you have the sysctl net.i

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Ian Smith
On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > >> On 9 Mar, Don Lewis wrote: > >>> On 9 Mar, Freddie Cash wrote: > > Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? > >>> > >>> Aha, I've got it

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Don Lewis
On 9 Mar, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: >> On 9 Mar, Don Lewis wrote: >>> On 9 Mar, Freddie Cash wrote: > Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? >>> >>> Aha, I've got it set to 1. >>> If set to 1, a dummynet match ends the trip thro

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Don Lewis
On 9 Mar, Michael Sierchio wrote: > Rules will only match if all components match. So you seem to understand > that packets will be seen twice - once IN, once OUT. If you write > > in recv EXT_IP > out xmit EXT_IP > > the rule actions won't get executed twice on packets. That's what I'm using

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Don Lewis
On 9 Mar, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: >> On 9 Mar, Freddie Cash wrote: >>> >>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? >> >> Aha, I've got it set to 1. >> >>> If set to 1, a dummynet match ends the trip through the rules, and the >>> packet never

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Michael Sierchio
Rules will only match if all components match. So you seem to understand that packets will be seen twice - once IN, once OUT. If you write in recv EXT_IP out xmit EXT_IP the rule actions won't get executed twice on packets. On Wed, Mar 9, 2016 at 11:20 AM, Don Lewis wrote: > On 9 Mar, Fredd

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Don Lewis
On 9 Mar, Don Lewis wrote: > On 9 Mar, Freddie Cash wrote: >> On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote: >> >>> On 9 Mar, Franco Fichtner wrote: >>> > Hi Don, >>> > >>> > If you mean pf(4)-based NAT, there is a patch that originates from >>> > m0n0wall that handles the transition. We'r

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Don Lewis
On 9 Mar, Freddie Cash wrote: > On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote: > >> On 9 Mar, Franco Fichtner wrote: >> > Hi Don, >> > >> > If you mean pf(4)-based NAT, there is a patch that originates from >> > m0n0wall that handles the transition. We're using it in OPNsense >> > for that

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Freddie Cash
On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote: > On 9 Mar, Franco Fichtner wrote: > > Hi Don, > > > > If you mean pf(4)-based NAT, there is a patch that originates from > > m0n0wall that handles the transition. We're using it in OPNsense > > for that reason. Here is the patch for 10.x, mayb

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Don Lewis
On 9 Mar, Franco Fichtner wrote: > Hi Don, > > If you mean pf(4)-based NAT, there is a patch that originates from > m0n0wall that handles the transition. We're using it in OPNsense > for that reason. Here is the patch for 10.x, maybe that is what > you're looking for: Nope, I'm using ipfw in-k

Re: ipwf dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Franco Fichtner
Hi Don, If you mean pf(4)-based NAT, there is a patch that originates from m0n0wall that handles the transition. We're using it in OPNsense for that reason. Here is the patch for 10.x, maybe that is what you're looking for: https://github.com/fichtner/freebsd/commit/975130903f.patch We would v