On Thu, Sep 23, 2004 at 09:10:49AM -0600, Nathan Kinkade wrote:
> On Thu, Sep 23, 2004 at 01:36:57PM +0545, Bikrant Neupane wrote:
> > Thanks for the reply.
> > Well I am not looking for the count rule.
> > 
> > Actually I have some other situation. I am trying to implement b/w shaping 
> > using ipfw. And i am trying to include mac address based filtering in it as 
> > well. As long as I don't implement ipfw in ether (net.link.ether.ipfw=0/1) 
> > pkts hit the rule only once and I get the b/w as specified in the IPFW pipe 
> > syntax. However when I enable ipfw in ether all the pkts hits the matching 
> > rule twice. and as a result I get half of the b/w to what has been specified 
> > in ipfw pipe.
> > This is normal (as mentiontioned in ipfw man page) since pkt traversal is  
> > doubled when IPFW is enabed in ether. 
> > 
> <snip>
> Would the following sysctl variable help your problem?
> From the ipfw manpage:
> net.inet.ip.fw.one_pass: 1
>       When set, the packet exiting from the dummynet(4) pipe is not passed
>       though the firewall again.  Otherwise, after a pipe action, the packet
>       is reinjected into the firewall at the next rule.

No this only works for pipes and queues. Not for allow / deny. 
There only solution I know of is to plave denies before the allows.


Articles based on solutions that I use:
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to