From 99652d0eb2bb3de68d755e6bfddb80bd99bd7003 Mon Sep 17 00:00:00 2001 From: Luigi Rizzo Date: Tue, 26 Nov 2002 19:51:40 +0000 Subject: [PATCH] Update documentation to match the behaviour of ipfw with respect to net.inet.ip.fw.one_pass. Add to notes to explain the exact behaviour of "prob xxx" and "log" options. Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c) --- sbin/ipfw/ipfw.8 | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 48c59611d874..7fb82725ede4 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -463,6 +463,9 @@ random packet drop or .Xr dummynet 4 ) to simulate the effect of multiple paths leading to out-of-order packet delivery. +.Pp +Note: this condition is checked before any other condition, including +ones such as keep-state or check-state which might have side effects. .It Cm log Op Cm logamount Ar number When a packet matches a rule with the .Cm log @@ -492,6 +495,9 @@ clearing the logging counter or the packet counter for that entry, see the .Cm resetlog command. .Pp +Note: logging is done after all other packet matching conditions +have been successfully verified, and before performing the final +action (accept, deny, etc.) on the packet. .El .Ss RULE ACTIONS A rule can be associated with one of the following actions, which @@ -1604,10 +1610,6 @@ When set, the packet exiting from the pipe is not passed though the firewall again. Otherwise, after a pipe action, the packet is reinjected into the firewall at the next rule. -.Pp -Note: bridged and layer 2 packets coming out of a pipe -are never reinjected in the firewall irrespective of the -value of this variable. .It Em net.inet.ip.fw.verbose : No 1 Enables verbose messages. .It Em net.inet.ip.fw.verbose_limit : No 0
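Review bot: in the hunk at @@ -463,6 +463,9, the added note writes keep-state and check-state as plain words, while the rest of the page marks keywords up with .Cm (for example ".It Cm log Op Cm logamount Ar number"). Suggest ".Cm keep-state" and ".Cm check-state" so they render like the other options. If the intended reading is that a failed probabilistic match means the rule's keep-state or check-state is never evaluated for that packet, saying so in one more sentence would make the side-effect remark concrete for people writing stateful rulesets.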
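Review bot: in the hunk at @@ -492,6 +495,9, the added note gives the final action as "(accept, deny, etc.)" in plain text, which is vague given that the RULE ACTIONS section begins directly after the ".El" below it. Suggest replacing the parenthetical with a cross-reference such as ".Sx RULE ACTIONS" so the list of actions lives in one place. Together with the prob note this patch now documents an evaluation order (prob first, then the other match conditions, then log, then the action), and it would be easier to find if that order were also stated once where rule matching is described.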
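Review bot: in the hunk at @@ -1604,10 +1610,6, the removed note about bridged and layer 2 packets is dropped without a replacement, so the net.inet.ip.fw.one_pass entry no longer says anything about how those packets are handled after a pipe. The commit message says the text is being updated to match the behaviour, so please add a sentence stating what that behaviour now is for bridged and layer 2 packets; anyone whose ruleset relied on "never reinjected in the firewall irrespective of the value of this variable" needs to know whether later rules will now see those packets. While touching this paragraph, the context line "is not passed though the firewall again" should read "through".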