On Mon, Jan 11, 2010 at 03:27:13AM +0900, Hajimu UMEMOTO wrote:
> Hi,
>
> > On Sat, 2 Jan 2010 20:36:45 -0500
> > David Horn said:
>
> > dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the
> > default
> > dhorn2000> rc.firewall flow.
> >
> > Here is my proposed p
On Thu, Dec 17, 2009 at 12:31:32PM -0500, David Horn wrote:
> Luigi --
>
> I am seeing a kldload failure for ipfw.ko after the latest -current commits
> (fails for r200580 - r200633 inclusive) for ipfw:
>
> link_elf_obj: symbol ipfw_dyn_attach undefined
not surprising, as i forgot to put the new
Hi,
I would like to discuss some new features that I am going to add to ipfw.
1. A new option "lookup T[,V]" where
search-key ::= {src-ip|dst-ip|src-port|dst-port|proto|jail|...}
This extends the existing '{dst-ip|src-ip} table(T[,V])' options,
and allows a lookup of other packet fields
Hi,
in the next weeks i am going to slowly push into -head (and when
possible also in RELENG_8) several restructuring and cleanup changes
in dummynet and ipfw. This is the result of work we have been doing
in Pisa in the last few months with Riccardo Panicucci and Marta
Carbone.
I am trying to or
Hi,
there is no bug, the 'pipe profile' code is working correctly.
In your mail below you are comparing two different things.
"pipe config bw 10Mbit/s delay 25ms"
means that _after shaping_ at 10Mbps, all traffic will
be subject to an additional delay of 25ms.
Each pack
On Thu, Oct 08, 2009 at 12:54:52AM +0200, Luigi Rizzo wrote:
> On Wed, Oct 07, 2009 at 12:46:24PM -0700, Joe R wrote:
> > We at ironport have a requirement to do bandwidth management, but the
> > traffic classification (and selection of bandwidth pipes) is done in
> >
On Wed, Oct 07, 2009 at 12:46:24PM -0700, Joe R wrote:
> We at ironport have a requirement to do bandwidth management, but the
> traffic classification (and selection of bandwidth pipes) is done in
> userspace. The reason classification is done in userspace is because the
> traffic classifications
On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
> It's seems fine, but I still have some questions:
> 1. The endpoint will response to the keepalive TCP segment and the
> destination will be the other endpoint, will IPFW just let it though
> like the usual IP packet, or try to figure it
On Sat, Sep 12, 2009 at 03:05:51PM +0800, Cypher Wu wrote:
> 1. How many rules configured.
> 2. The general traffic supported.
> 3. Hardware platform.
> ...
>
> I'm thinking to port IPFW to another platform which can support up to
> 10GbE traffic bidirectional and running in user node, any adv
On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
> I want to build a transparent firewall based on IPFW. For static rules
> this is fine, but for dynamic rules, ipfw uses keepalive packet to
> avoid deleting a dynamic rule that both ends are still alive but don't
> issue any traffic for a
On Wed, Sep 09, 2009 at 11:17:50PM -0700, mkarjal wrote:
>
> Hi,
>
> I'm trying to catch SCTP packets with IPFW by SCTP port numbers, should it
> be working or not?
> Or is there some different syntax for this?
>
> "ipfw add count sctp from any to any" works, counts all SCTP packets.
>
> "ipfw
With Marta Carbone we have recently completed a port to Linux of
ipfw and dummynet, and we also took the chance to put online some
updated picobsd images for FreeBSD.
Code, papers and binary modules are available at
http://info.iet.unipi.it/~luigi/dummynet/
cheers
luigi
_
On Thu, May 21, 2009 at 08:49:30AM -0700, Freddie Cash wrote:
> On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo wrote:
> > On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Lu?i wrote:
> >> can ipfw use somehow interface groups as pf(4) can?
> >> From a quick glance at docum
On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Lu?i wrote:
> Hello,
>
> can ipfw use somehow interface groups as pf(4) can?
> >From a quick glance at documentation and not so through look at code
> it does not but i am sending this just if i missed something during my
> search!
something like
On Thu, Apr 02, 2009 at 01:00:59PM +0200, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> >
> >Ok then we may have a plan:
> >
> >you could do is implement REASS as an action (not as a microinstruction),
> >with the following behaviour:
> >
> >- if the pa
On Fri, Mar 20, 2009 at 04:53:26PM +0100, Sebastian Mellmann wrote:
> Hi!
>
>
> I'm using pipe masks for defining multiple queues per traffic flow, e.g.
>
> $cmd pipe 100 config mask all bw $webclient_upload_bandwidth queue
> $queue_size delay $client_rtt_delay
> $cmd pipe 200 config mask all b
On Wed, Mar 18, 2009 at 08:52:18AM -0700, Julian Elischer wrote:
> Luigi Rizzo wrote:
> >On Tue, Mar 17, 2009 at 03:39:45PM -0700, Julian Elischer wrote:
> >...
> >>>Ok then we may have a plan:
> >>>
> >>>you could do is implement REASS as a
On Tue, Mar 17, 2009 at 03:39:45PM -0700, Julian Elischer wrote:
...
> >Ok then we may have a plan:
> >
> >you could do is implement REASS as an action (not as a microinstruction),
> >with the following behaviour:
> >
> >- if the packet is a complete one, the rule behaves as a "count"
> > (i.e. th
On Tue, Mar 17, 2009 at 11:02:48PM +0100, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> >
> >Thinking more about it, i believe that calling reass as an explicit
> >firewall action is useless, because if ip_reass fails due to lack of
> >all fragments you are back to squar
On Tue, Mar 17, 2009 at 03:54:42PM +0100, Paolo Pisati wrote:
> Alex Dupre wrote:
> >Luigi Rizzo ha scritto:
> >>it is not related to dynamic rules, but to the fact that
> >>that the firewall is called before reassembling packets.
> >>The info (port numbers esp
On Sun, Mar 15, 2009 at 12:38:37PM +0300, Sergey Matveychuk wrote:
> Dmitriy Demidov wrote:
> >Hi Luigi. Thank you for answer.
> >It is a big "surprise" for me that reassembling of IP datagrams is done
> >not *before* they go into firewall, but *after* :(
>
> But what's wrong with it? A fragment
On Fri, Mar 13, 2009 at 10:46:48PM +0200, Dmitriy Demidov wrote:
> Hi list.
>
> I'm using DNS cache server Unbound-1.2.1. I want to start using DNSSEC via
> DLV (unbound gracefully allows it).
> My system is FreeBSD7-STABLE. I'm using ipfw.
>
> Original ipfw configuration:
> add check-state
> ad
On Fri, Mar 06, 2009 at 08:06:50AM +0100, Sebastian Mellmann wrote:
>
> >> Secondly, apropos Sebastian's experience, should this say "The value
> >> (even if 0) is rounded to the next multiple of the clock tick .." ?
> >> ^^^
> >
> > 0 is rounded to 0 so that's not an issue.
> > The delay
On Fri, Mar 06, 2009 at 04:23:29PM +1100, Ian Smith wrote:
...
> Which led me to take my own medicine and reread the dummynet sections in
> ipfw(8) at 7.1-RELEASE:
>
> delay ms-delay
> Propagation delay, measured in milliseconds. The value is
> rounded to the next multiple of the clo
On Wed, Mar 04, 2009 at 08:17:05PM +0100, Sebastian Mellmann wrote:
> Hi everyone!
>
> I hope this is the right place to ask.
>
> I've got a IPFW ruleset that looks like this:
>
> cmd=ipfw
> bottleneck_bandwidth=100Mbit/s
> in_if="em0"
>
> $cmd pipe 500 config bw $bottleneck_bandwidth
> $cmd ad
On Wed, Mar 04, 2009 at 10:05:53PM +0100, Sebastian Mellmann wrote:
>
> > On Wed, Mar 04, 2009 at 08:17:05PM +0100, Sebastian Mellmann wrote:
> >
> >> Hi everyone!
> >>
> >> I hope this is the right place to ask.
> >>
> >> I've got a IPFW ruleset that looks like this:
> >>
> >> cmd=ipfw
> >> bo
On Wed, Aug 20, 2008 at 04:06:05AM +1000, Ian Smith wrote:
> On Tue, 19 Aug 2008, Luigi Rizzo wrote:
> > On Tue, Aug 19, 2008 at 11:12:04PM +1000, Ian Smith wrote:
...
> > > Until $someone adds a direct skipto target jump at the virtual machine
> > > code level -
On Tue, Aug 19, 2008 at 11:12:04PM +1000, Ian Smith wrote:
> On Thu, 31 Jul 2008, Julian Elischer wrote:
...
> > ipfw add 1000 skipto tablearg ip from any to table(31)
...
> > see attached patch... (hopefully not stripped)
> >
> > Of course it is hoped that the rules you are skipping to are ne
On Tue, May 06, 2008 at 03:34:23PM -0400, Matthew Pope wrote:
> I must correct my test parameters: In one of the two pipes, the bw was
> 4K, not 48K as stated.
> When I just now moved it up to 48K to match the other pipe size, my ping
> times plummeted to 129-139ms throughout the Queue sizes lis
On Mon, Mar 03, 2008 at 11:17:19AM +0100, Paolo Pisati wrote:
> On Sun, Mar 02, 2008 at 03:58:50PM +0100, Luigi Rizzo wrote:
> >
> > The SI_ORDER_* definitions in /sys/sys/kernel.h are enumerated on a
> > large range, so if the existing code does not have races,
> >
On Sun, Mar 02, 2008 at 03:49:39PM +0100, Paolo Pisati wrote:
> Hi,
>
> i just found out that depending on a KLD doesn't imply any
> initialization order, thus depending on a lock initialized in the ipfw
> init path is _really_ a bad idea from another KLD init path (see
> ip_fw_nat.c::ipfw_nat_ini
On Tue, Sep 04, 2007 at 12:50:36AM +0700, Vadim Goncharov wrote:
> 03.09.07 @ 23:48 Andrey V. Elsukov wrote:
>
> > I got a trace for this fault.
> > dummynet reinject packet to the ip_input through netisr_dispath.
> > This procedure was done success several times, but in the next time
> > it's fau
On Wed, Apr 18, 2007 at 02:52:43PM -0700, Julian Elischer wrote:
> Chuck Swiger wrote:
> > On Apr 18, 2007, at 1:58 PM, Julian Elischer wrote:
> >> I'm contemplating the following changes to functionality:
> >> I'd like suggestions and comments...
> >>
> >> 1/ Commit capability
> >> In this change
On Sat, Mar 31, 2007 at 11:47:12AM +0100, Max Laier wrote:
> On Saturday 31 March 2007 11:27, Luigi Rizzo wrote:
...
> See above, ipfw is working in parallel already. In addition to that,
> using a ref-count would be worse! Instead of two atomic operations you'd
> then hav
On Sat, Mar 31, 2007 at 10:21:02AM +0200, Andre Oppermann wrote:
> Julian Elischer wrote:
> > Luigi Rizzo wrote:
> >> On Fri, Mar 30, 2007 at 01:40:46PM -0700, Julian Elischer wrote:
> >>> I have been looking at the IPFW code recently, especially with
> >&g
On Fri, Mar 30, 2007 at 01:40:46PM -0700, Julian Elischer wrote:
> I have been looking at the IPFW code recently, especially
> with respect to locking.
> There are some things that could be done to improve IPFW's
> behaviour when processing packets, but some of these take a
> toll (there is alway
s basic networking stuff - for a window-based protocol
the max throughtput is 1 window per rtt, where the window is
upper bounded by the min of socket buffer, tcp buffers, negotiated
tcp window
luigi
> Thanks so much for the help - I know its going a bit off topic
>
> Dave
>
>
from me in Africa to America); but it doesn't hamper
> download speed?
>
> Thanks again
> Dave
>
>
>
> -Original Message-
> From: Luigi Rizzo [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 9:59 AM
> To: Dave Raven
> Cc: freebsd-ipfw@freebsd.org
> Subj
On Fri, Mar 30, 2007 at 08:49:19AM +0200, Dave Raven wrote:
> Hi all,
> I've been looking at the ipfw (dummynet) ability to do delay and
> have a few questions - I hope this is the right list. I want to simulate a
> 1000ms RTT on a satellite link. To do that I've created an inbound and
> outb
On Sat, Mar 03, 2007 at 10:44:24AM -0300, AT Matik wrote:
> On Saturday 03 March 2007 07:56, Luigi Rizzo wrote:
> > If you can find a convincing motivation for adding this feature,
> > it can be done - it is not hard or inefficient, just don't see
> > how it could help.
On Sat, Mar 03, 2007 at 08:16:37PM +0800, John Mok wrote:
...
> Without hierarchical control, would it be possible to make a dummynet
> model for the example situation to work? If separate pipes are used to
> set the bandwidth limit :-
>
> ipfw pipe 110 config bw 16 Kbps
> ipfw pipe 120 config b
On Sat, Mar 03, 2007 at 09:50:43AM +0800, John Mok wrote:
> Hi,
>
> I am new to Dummynet. I would like to setup a FreeBSD QoS box to replace
> the one using Linux IMQ. However, I have the following questions :-
>
> 1. Is it possible to cascade pipes, such that the bandwidth management
> could b
On Wed, Dec 06, 2006 at 11:38:47AM +, David Malone wrote:
> On Wed, Dec 06, 2006 at 01:29:31AM -0800, Luigi Rizzo wrote:
> > the top forwarding performance of a soekris is around 30-35kpps if
> > i remember well - this translates in around 30us/packet all included.
>
>
On Wed, Dec 06, 2006 at 10:56:42AM +, David Malone wrote:
> On Wed, Dec 06, 2006 at 04:51:51AM +0100, Max Laier wrote:
> > I tried the reference machines (see hacked up attachment):
> > 78x ia64
> > 40x amd64
> > 60x p3
> > 16x p4
>
> > I don't have my Soekris set up, so if somebody could give
On Wed, Dec 06, 2006 at 04:51:51AM +0100, Max Laier wrote:
> On Wednesday 06 December 2006 01:17, Luigi Rizzo wrote:
...
> > First, this proposal, with 36 multiplies and one division, the
> > function seems rather expensive for e.g. a low end cpu (arm or
> > soekris) as you
On Tue, Dec 05, 2006 at 08:10:30PM +0100, Max Laier wrote:
> Hi,
>
> with a lot of help from David Malone and JINMEI Tatuya we came up with the
> following hash function for IPv6 connections using universal hashing.
I followed the discussion on the topic a few days (weeks ?)
ago and investigat
On Sat, Dec 02, 2006 at 09:00:13PM +0100, Max Laier wrote:
> On Saturday 02 December 2006 19:00, James Halstead wrote:
> > Ok, the "obvious" part that I think I was missing while it was late,
> > was that these must be keep-alive packets generated by the firewall as
> > the dynamic rules are about
On Fri, Aug 25, 2006 at 03:27:17PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > i am basically ok with this except, as i said, that there is
> > no point in replicating the interface name i.e. why re0-re5
> > instead of just re0-5 ? you just open up to possible mist
trimming the thing...
On Fri, Aug 25, 2006 at 01:41:03PM +0200, Ian FREISLICH wrote:
...
> > the problem i see above is that the 'delta' is really an attribute
> > of the 'vlanA-B' instruction.
> > Say you have this rule:
> >
> > skipto 1000 recv vlan1002-vlan1264
> >
> > does it mean 'skip
On Fri, Aug 25, 2006 at 11:59:14AM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Thu, Aug 24, 2006 at 02:32:04PM +0200, Ian FREISLICH wrote:
> > > skipto 1000 ip from any to any ifhash vlan[1000-1264] offset -1000 delta
> > > 100
> > >
> > >
On Thu, Aug 24, 2006 at 02:32:04PM +0200, Ian FREISLICH wrote:
> Ian FREISLICH wrote:
> > Luigi Rizzo wrote:
> > > On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > > > You're thinking somewhere on the lines of:
> > > >
On Tue, Aug 15, 2006 at 03:21:32PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
...
> > another approach that was suggested long ago was to put, in
> > the interface definition, a starting ipfw rule number so
> > the ip_fw_chk() would start from there if available,
> &
On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> > ...
> > > things. I can also give the ifp->if_index cache a go. Since I
> > > need to virualise the fire
On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
...
> things. I can also give the ifp->if_index cache a go. Since I
> need to virualise the firewall, I need a set of rules for each
> interface. I can't think of another way of sharing the firewall
> beween a few hundred customers t
On Mon, Jul 31, 2006 at 02:15:56PM +0200, Ian FREISLICH wrote:
> Hi
>
> I was wondering if anyone here had any ideas for improving the
> performance (packet rate) of ipfw.
>
> I have about 500 interfaces on my firewall and I need to match and
> filter packets on a per interface basis.
>
> I've f
On Fri, Jun 02, 2006 at 07:25:47AM +0200, Max Laier wrote:
> On Friday 02 June 2006 07:17, Max Laier wrote:
> > mlaier 2006-06-02 05:17:17 UTC
> >
> > FreeBSD src repository
> >
> > Modified files:
> > sbin/ipfwipfw2.c
> > Log:
> > Print dynamic rules for IPv6 as well.
On Fri, May 19, 2006 at 09:05:49PM +0300, vladone wrote:
> Know anybody if dummynet use an queuing discipline when congestion is
> anticipated, to alert the sender to slow down?
> Or a little explain about how to work dummynet?
dummynet can use FIFO or RED queueing disciplines,
see the 'ipfw' manp
On Fri, May 12, 2006 at 10:50:10PM +0700, Vadim Goncharov wrote:
> A question about features: is it worth adding functionality of matching
> range of tags? For example:
>
> ipfw add pass ip from any to any tagged 1-5,10,20
i think it is a useful feature, and if you reuse the existing code
for ma
On Fri, May 12, 2006 at 10:32:22AM -0300, Patrick Tracanelli wrote:
> Vadim Goncharov wrote:
> > Hi, All!
> >
> > I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
> > http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
> >
> > Tested on 5.5-PRERELEASE production server with moderate
On Thu, Mar 23, 2006 at 04:47:17PM +0200, Dmitry Pryanishnikov wrote:
...
> > For locally generated packets i admit 'recv any' may be of some use,
> > and this is unsupported. There are probably workaround such as 'src-ip me'
>
> Oops! How can one know that feature which is documented from the b
On Thu, Mar 23, 2006 at 02:03:20PM +0200, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> I've found a serious regression during the IPFW1->2 transition. I'm using
> "recv any" construction to match transit packets only. Manpage ipfw(8) clearly
> says:
>
> recv | xmit | via {ifX | if* | ipno
On Tue, Feb 21, 2006 at 08:37:37AM -0800, Donald Baud wrote:
...
> > if you see just one line above your patch,
> > len_scaled is computed as
> >
> > int len_scaled = p->bandwidth ? len*8*hz : 0
> > ;
> >
> > so your '10' correspond (with HZ=1000) to an
> > actual burst
> > of 100 bit
On Tue, Feb 21, 2006 at 08:15:37AM -0800, Donald Baud wrote:
> > On Tue, Feb 21, 2006 at 06:57:10AM -0800, Donald
> > Baud wrote:
> > >
> > >
> > > --- Luigi Rizzo <[EMAIL PROTECTED]> wrote:
> > ...
> > > > of course you get the sa
On Tue, Feb 21, 2006 at 06:57:10AM -0800, Donald Baud wrote:
>
>
> --- Luigi Rizzo <[EMAIL PROTECTED]> wrote:
...
> > of course you get the same throughput!
> > the burst is just a constant in the time it takes to
> > transfer data,
> > and it is independen
On Tue, Feb 21, 2006 at 06:12:01AM -0800, Donald Baud wrote:
> Looking back in the mailing archives
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=62536+0+archive/2003/freebsd-ipfw/20030907.freebsd-ipfw
> , I found a message saying that it would be trivial to add burst support in
> dummynet.
> I
On Sun, Nov 20, 2005 at 07:40:01PM -0200, AT Matik wrote:
> On Sunday 20 November 2005 19:25, Luigi Rizzo wrote:
> > On Sun, Nov 20, 2005 at 07:16:40PM +0100, Alexandre DELAY wrote:
> > > Interresting. I didn't find anythong about that.
> > > Where can I l
manpage.
cheers
luigi
> Alex
>
>
> -----Message d'origine-
> De : Luigi Rizzo [mailto:[EMAIL PROTECTED]
> Envoye : dimanche 20 novembre 2005 19:10
> A : Alexandre DELAY
> Cc : freebsd-ipfw@freebsd.org
> Objet : Re: strange dummynet WFQ problem
>
>
>
ip from any to 172.20.1.23 in via ext
> > 21047 queue 9 ip from 172.20.1.23 to any in via int
> > 65535 allow ip from any to any
>
>
> Cheers
>
> Alex
>
>
> -Message d'origine-
> De : [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] la pa
-0300, Patrick Tracanelli wrote:
> Luigi Rizzo wrote:
> > you are passing traffic through the pipe twice.
> > you have to decide if your rules should apply tto
> > layer2 or not and write the rules accordingly
>
> Why are they going twice through the pipe? When net.link
you are passing traffic through the pipe twice.
you have to decide if your rules should apply tto
layer2 or not and write the rules accordingly
luigi
On Mon, Oct 03, 2005 at 01:07:56PM -0300, Patrick Tracanelli wrote:
>
> Hello,
>
> I am doing some simple tests in a specific enviroment where la
On Tue, Sep 20, 2005 at 07:20:26PM +0300, vladone wrote:
> I know what is WF2Q, but still dont see what is the problem for wich
> dont't exist a possibility to limit bandwidth that is given to a
> queue, with queue settings.
it not implemented because there is an equivalently efficient
mechanism w
AM -0300, AT Matik wrote:
> On Wednesday 03 August 2005 06:11, Luigi Rizzo wrote:
>
> > there are internally generated packets which do not have
> > a rcvif (which is what really 'recv' means);
> > and any packet in the input path does not have an output-if
> &
On Tue, Aug 02, 2005 at 09:51:45PM -0300, AT Matik wrote:
...
> even if I agree to your logic aspect in general I thought
>
> out and xmit is probably exactly the same still especially as you set
> src-ip and dst-ip so the interface where this packages are xmit is
> defined by the routes
>
> l
ok, so the problem is the following: when i implemented ipfw2
i thought that 'recv any' or 'xmit any' were effectively NOPs
so the parser erroneously removes them, together with any 'not' prefix
(which is processed before).
To fix this one should
- patch the function ipfw2.c:fill_iface()
so that
you must put a non-zero bandwidth on the pipe otherwise there is no
scheduling (0 means infinite bandwidth).
Also these are weights not priorities - even if one of the
queues has a very low weight it will still get some
bandwidth proportional to its weight.
cheers
luigi
On Tue, Jul 26, 2005 at 09
On Thu, Jul 21, 2005 at 11:42:42PM +0200, Alex de Kruijff wrote:
> Hi,
>
> I was wrondering is man ipfw wrong here?
>
> man ipfw tells: divert port -
> Divert packets that match this rule to the divert(4) socket
> bound to port port. The search terminates.
...
> I think man ipfw s
On Mon, Jul 18, 2005 at 01:06:20PM +0200, Oliver Fromme wrote:
> Luigi Rizzo <[EMAIL PROTECTED]> wrote:
> > On Wed, Jul 13, 2005 at 05:57:53PM +0200, Oliver Fromme wrote:
> > ...
> > > # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
>
On Wed, Jul 13, 2005 at 05:57:53PM +0200, Oliver Fromme wrote:
> Hi,
...
> # ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
> 04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0
surely the parser is not very robust and should complain :)
This said, the 'or' i
On Mon, Jul 18, 2005 at 06:34:56AM +, Walery Kokarev wrote:
> And why can't one use divert(4) interface? It looks quite suitable for
> that particular task.
no _that_ would really be a performance killer!
___
freebsd-ipfw@freebsd.org mailing list
ht
On Sat, Jul 16, 2005 at 05:40:32PM +0200, Max Laier wrote:
> On Saturday 16 July 2005 17:02, Chris Dionissopoulos wrote:
> > Hi ppl, ( and sorry for cross posting)
> >
> > I review Andrey's Elsukov patch for adding "bound" support in ipfw, and i
> > decide to push a little forward this feature.
>
hi,
when a pipe or queue has a mask of all 0's it only shows the addresses of
the first packet that matched, so you don't have to worry about that.
Also, if queues are linked to the pipe, the accounting is done on
the queues and not on the pipe.
cheers
luigi
On Wed, Jun 29, 2005 at 06:27:48PM +02
remember that ipfw2 lets you pass only those options you need
so something like
ipfw add deny proto udp ipv4
should work
On Fri, May 27, 2005 at 07:32:42PM +0200, Max Laier wrote:
> On Thursday 26 May 2005 13:21, Richard Tector wrote:
> > Max Laier wrote:
> > >With the patch attached yo
can you be more specific and provide configurations that exhibit the
problems you report ?
Also i assume you are using ipfw2 on 4.8 too...
cheers
luigi
On Mon, May 09, 2005 at 01:31:06PM +0200, Martin wrote:
> Dear all,
>
> Based on the amount of still outstanding (serious) bugs
without looking into the detail, for which 1) i don't have
time and 2) you haven't posted enough information (we'd need the
complete ruleset and counter values and interfaces you yse to be
sure what is going on), the use of "via" options is almost always
incorrect in ipfw configurations (due to bad
101 - 184 of 184 matches
Mail list logo
