clarification regarding netgraph and ipfw

From: Glenn Dawson (glenn_at_antimatter.net)
Date: 07/30/04

  • Next message: Glenn Dawson: "Re: clarification regarding netgraph and ipfw" 
    Date: Thu, 29 Jul 2004 23:59:44 -0700
To: stable@freebsd.org

    Greetings,

    I have a firewall running -STABLE. I'm using ipfw2 for filtering and
    ng_netgraph (via ng_tee) to export netflow data.

    According to the man page for ng_ether, the lower hook gets raw ethernet
    frames as they come off the wire. Reading the man page for ipfw it seems
    to say that if I turn on net.link.ether.ipfw in sysctl that it will also
    get things as they come off the wire.

    So my question is, which one gets them first?

    The reason I ask is that if I have an ipfw rule to block traffic from an
    IP, will it get counted by ng_netgraph? Or will ipfw drop the packet
    before it even gets to ng_ether?

    If the packets go through ng_ether first and then through ipfw, does anyone
    know if it's possible to reverse that behavior? I'm doing billing based on
    traffic and don't want the netflow data to include packets that were
    dropped by ipfw.

    Thanks in advance for any insight.

    -Glenn

    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

  • Next message: Glenn Dawson: "Re: clarification regarding netgraph and ipfw"

    Relevant Pages