Update documentation to match the behaviour of ipfw with respect

to net.inet.ip.fw.one_pass. Add to notes to explain the exact behaviour of "prob xxx" and "log" options. Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)
svn path=/head/; revision=107288
2002-11-26 19:51:40 +00:00 · 2002-11-26 19:51:40 +00:00 · 99652d0eb2 · 2020-12-20 02:59:44 +00:00
commit 99652d0eb2
parent f2ec255a33
1 changed files with 6 additions and 4 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -463,6 +463,9 @@ random packet drop or
 .Xr dummynet 4 )
 to simulate the effect of multiple paths leading to out-of-order
 packet delivery.
+.Pp
+Note: this condition is checked before any other condition, including
+ones such as keep-state or check-state which might have side effects.
 .It Cm log Op Cm logamount Ar number
 When a packet matches a rule with the
 .Cm log
@ -492,6 +495,9 @@ clearing the logging counter or the packet counter for that entry, see the
 .Cm resetlog
 command.
 .Pp
+Note: logging is done after all other packet matching conditions
+have been successfully verified, and before performing the final
+action (accept, deny, etc.) on the packet.
 .El
 .Ss RULE ACTIONS
 A rule can be associated with one of the following actions, which
@ -1604,10 +1610,6 @@ When set, the packet exiting from the
 pipe is not passed though the firewall again.
 Otherwise, after a pipe action, the packet is
 reinjected into the firewall at the next rule.
-.Pp
-Note: bridged and layer 2 packets coming out of a pipe
-are never reinjected in the firewall irrespective of the
-value of this variable.
 .It Em net.inet.ip.fw.verbose : No 1
 Enables verbose messages.
 .It Em net.inet.ip.fw.verbose_limit : No 0