clarification regarding netgraph and ipfw
From: Glenn Dawson (glenn_at_antimatter.net)
Date: 07/30/04
- Previous message: Brian Buchanan: "Re: nullfs in 4.10"
- Next in thread: Glenn Dawson: "Re: clarification regarding netgraph and ipfw"
- Reply: Glenn Dawson: "Re: clarification regarding netgraph and ipfw"
- Reply: Alexander Vasenin aka BlackSir: "RE: clarification regarding netgraph and ipfw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 29 Jul 2004 23:59:44 -0700 To: stable@freebsd.org
Greetings,
I have a firewall running -STABLE. I'm using ipfw2 for filtering and
ng_netgraph (via ng_tee) to export netflow data.
According to the man page for ng_ether, the lower hook gets raw ethernet
frames as they come off the wire. Reading the man page for ipfw it seems
to say that if I turn on net.link.ether.ipfw in sysctl that it will also
get things as they come off the wire.
So my question is, which one gets them first?
The reason I ask is that if I have an ipfw rule to block traffic from an
IP, will it get counted by ng_netgraph? Or will ipfw drop the packet
before it even gets to ng_ether?
If the packets go through ng_ether first and then through ipfw, does anyone
know if it's possible to reverse that behavior? I'm doing billing based on
traffic and don't want the netflow data to include packets that were
dropped by ipfw.
Thanks in advance for any insight.
-Glenn
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
- Previous message: Brian Buchanan: "Re: nullfs in 4.10"
- Next in thread: Glenn Dawson: "Re: clarification regarding netgraph and ipfw"
- Reply: Glenn Dawson: "Re: clarification regarding netgraph and ipfw"
- Reply: Alexander Vasenin aka BlackSir: "RE: clarification regarding netgraph and ipfw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
