Lines Matching +full:echo +full:- +full:active +full:- +full:ms
8 in-kernel NAT.\&
19 .Op Ar rule | first-last ...
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
174 .Cm internal monitor Op Ar filter-comment
185 .Ar preproc-flags
197 in-kernel NAT services.
212 in rule-number order
235 .Cm keep-state ,
236 .Cm record-state ,
239 .Cm set-limit
245 i.e., rules that match packets with the same 5-tuple
250 .Cm check-state ,
251 .Cm keep-state
254 rule, and are typically used to open the firewall on-demand to
257 .Cm keep-state
261 .Cm check-state
263 .Cm record-state
265 .Cm set-limit
267 .Cm check-state .
316 .Bl -tag -width indent
463 A packet is checked against the active ruleset in multiple places
467 .Bd -literal -offset indent
470 +----------->-----------+
477 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
520 .Bd -literal -offset indent
558 Keywords are case-sensitive, whereas arguments may
559 or may not be case-sensitive depending on their nature
562 Some arguments (e.g., port or address lists) are comma-separated
569 .Bd -literal -offset indent
570 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
571 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
572 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
576 .Bd -ragged -offset indent
577 .Bk -words
595 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
612 Fragmentation, Hop-by-Hop options,
614 .It IPv6 Flow-ID
637 .Bl -tag -width indent
654 non-default rule number by the value of the sysctl variable
659 non-default value is used instead.
686 to simulate the effect of multiple paths leading to out-of-order
691 .Cm keep-state
693 .Cm check-state
700 Unless per-rule log destination is specified by
711 .Bd -literal -offset indent
719 .Bd -literal -offset indent
742 Once the limit is reached, logging can be re-enabled by
754 is a comma-separated list of log destinations for logging
757 .Bl -tag -width indent
782 .Bd -ragged -offset indent
800 and to start doing policy-based filtering.
842 keyword, a 32-bit numeric mark is assigned to the packet.
882 .Cm check-state
884 .Cm keep-state
910 .Bl -tag -width indent
914 .It Cm check-state Op Ar :flowname | Cm :any
920 .Cm Check-state
923 .Cm check-state
925 .Cm keep-state
932 .Cm keep-state
953 Change the next-hop on matching packets to
1012 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address
1017 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
1019 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)\&
1122 command-line utility currently requires every action except
1123 .Cm check-state
1132 .Bd -literal -offset indent
1137 ipfw -c list
1155 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1156 .Cm isolated , net-prohib , host-prohib , tosnet ,
1157 .Cm toshost , filter-prohib , host-precedence
1159 .Cm precedence-cutoff .
1174 .Cm no-route, admin-prohib, address
1265 .It Cm tcp-setmss Ar mss
1277 .Cm tcp-setmss
1303 Alternatively, direction-based (like
1307 ) and source-based (like
1312 .Bd -literal -offset indent
1343 .Pq Em or-blocks
1365 .Bd -ragged -offset indent
1381 .Bl -tag -width indent
1383 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1388 .Bl -tag -width indent
1411 .Em or-block )
1420 .Em ( or-block
1426 .Ar | addr-list | addr-set
1428 .Bl -tag -width indent
1440 If an optional 32-bit unsigned
1457 .It Ar addr-list : ip-addr Ns Op , Ns Ar addr-list
1458 .It Ar ip-addr :
1460 .Bl -tag -width indent
1461 .It Ar numeric-ip | hostname
1462 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1482 This form is advised only for non-contiguous
1487 error-prone.
1489 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1490 .It Ar list : Bro Ar num | num-num Brc Ns Op , Ns Ar list
1512 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1513 or 1.2.3.0/24{128,35-55,89}
1517 .It Ar addr6-list : ip6-addr Ns Op , Ns Ar addr6-list
1518 .It Ar ip6-addr :
1520 .Bl -tag -width indent
1521 .It Ar numeric-ip | hostname
1548 This form is advised only for non-contiguous
1553 error-prone.
1574 .Em or-block
1582 .Pq Ql -
1587 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1589 Fragmented packets which have a non-zero offset (i.e., not the first
1599 Zero or more of these so-called
1604 .Em or-blocks .
1607 .Bl -tag -width indent
1611 You can have comment-only rules, which are listed as having a
1617 .It Cm defer-immediate-action | defer-action
1621 .Cm record-state
1623 .Cm keep-state
1627 .Cm record-state
1629 .Cm defer-immediate-action
1636 .It Cm diverted-loopback
1639 .It Cm diverted-output
1642 .It Cm dst-ip Ar ip-address
1645 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1648 .It Cm dst-port Ar ports
1660 Hop-to-hop options
1690 .It Cm flow-id Ar labels
1695 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1702 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1723 .Pq Dv non-zero fragment offset .
1728 Empty list of options defaults to matching on non-zero fragment offset.
1750 echo reply
1758 echo request
1764 time-to-live exceeded
1795 .It Cm ipid Ar id-list
1799 .Ar id-list ,
1803 .It Cm iplen Ar len-list
1806 .Ar len-list ,
1880 .It Cm ipttl Ar ttl-list
1882 .Ar ttl-list ,
1889 .It Cm keep-state Op Ar :flowname
1902 .Cm check-state
1914 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1922 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1937 .It Cm { MAC | mac } Ar dst-mac src-mac
1939 .Ar dst-mac
1941 .Ar src-mac
1948 .Bl -enum -width indent
1973 .It Cm mac-type Ar mac-type
1976 .Ar mac-type
1979 (i.e., one or more comma-separated single values or ranges).
1984 .Cm -N
1988 .It Cm record-state
1990 .Cm keep-state
1993 .Cm check-state
1995 .Cm keep-state .
2055 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2059 .Cm check-state
2068 to a non-zero value.
2077 .It Cm src-ip Ar ip-address
2080 .It Cm src-ip6 Ar ip6-address
2083 .It Cm src-port Ar ports
2086 .It Cm tagged Ar tag-list
2088 .Ar tag-list ,
2116 .It Cm tcpdatalen Ar tcpdatalen-list
2118 .Ar tcpdatalen-list ,
2142 a non-zero offset.
2146 .It Cm tcpmss Ar tcpmss-list
2148 .Ar tcpmss-list ,
2156 .It Cm tcpwin Ar tcpwin-list
2158 .Ar tcpwin-list ,
2201 .Dl ip verify unicast reverse-path
2203 This option can be used to make anti-spoofing rules to reject all
2218 .Dl ip verify unicast source reachable-via any
2220 This option can be used to make anti-spoofing rules to reject all
2232 This option can be used to make anti-spoofing rules to reject all
2245 .Ar table-name .
2260 .Bl -tag -width indent
2261 .It Ar table-type : Ar addr | iface | number | flow | mac
2262 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2263 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2264 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2285 Each entry is represented by 32-bit unsigned integer.
2312 .Bl -tag -width indent
2313 .It Ar create-options : Ar create-option | create-options
2314 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2315 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2328 .It Cm or-flush
2339 .Bl -tag -width indent
2340 .It Ar modify-options : Ar modify-option | modify-options
2341 .It Ar modify-option : Cm limit Ar number
2367 However, non-zero error code is returned in that case.
2372 to indicate all-or-none add request.
2379 However, non-zero error code is returned in that case.
2382 .Ar table-key
2385 .Ar table-key
2394 .Bl -tag -width indent
2402 Shows generic table information and algo-specific data.
2406 .Bl -tag -width indent
2407 .It Ar algo-desc : algo-name | "algo-name algo-data"
2408 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2416 Separate auto-growing hashes for IPv4 and IPv6.
2423 Mostly optimized for /64 and byte-ranged IPv6 masks.
2430 Auto-growing hash storing flow entries.
2446 .Ar value-mask .
2451 .Bl -tag -width indent
2452 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2453 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2520 .Bd -ragged -offset indent
2535 .Bd -ragged -offset indent
2537 will still be active until they expire.
2544 .Bd -ragged -offset indent
2548 .Cm to Ar new-set
2552 .Bd -ragged -offset indent
2554 .Cm set swap Ar first-set second-set
2566 .Cm check-state , keep-state , record-state , limit
2568 .Cm set-limit
2573 .Cm keep-state ,
2574 .Cm record-state ,
2577 .Cm set-limit
2584 .Em src-ip/src-port dst-ip/dst-port
2592 .Cm keep-state
2598 .Cm check-state, keep-state
2612 .Dl "ipfw add check-state :OUTBOUND"
2613 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2620 .Dl "ipfw add check-state :OUTBOUND"
2621 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2654 .Bl -hang -offset XXXX
2673 are first grouped into flows according to a mask on the 5-tuple.
2693 .Bd -literal -offset indent
2695 +---------+ weight Wx +-------------+
2696 | |->-[flow]-->--| |-+
2697 -->--| QUEUE x | ... | | |
2698 | |->-[flow]-->--| SCHEDuler N | |
2699 +---------+ | | |
2700 ... | +--[LINK N]-->--
2701 +---------+ weight Wy | | +--[LINK N]-->--
2702 | |->-[flow]-->--| | |
2703 -->--| QUEUE y | ... | | |
2704 | |->-[flow]-->--| | |
2705 +---------+ +-------------+ |
2706 +-------------+
2716 value of the packet's 5-tuple after applying SCHED_MASK.
2717 As an example, using ``src-ip 0xffffff00'' creates one instance
2723 ``src-ip 0x000000ff''
2768 variable to a non-zero value.
2776 .Bd -ragged -offset indent
2777 .Cm pipe Ar number Cm config Ar pipe-configuration
2779 .Cm queue Ar number Cm config Ar queue-configuration
2781 .Cm sched Ar number Cm config Ar sched-configuration
2786 .Bl -tag -width indent -compact
2810 .It Cm delay Ar ms-delay
2813 (typically 10ms, but it is a good practice to run kernels
2817 the granularity to 1ms or less).
2853 .Bd -literal -offset indent
2857 L +-- loss-level x
2864 +-------*------------------->
2876 .Bl -tag -width indent
2884 .It Cm loss-level Ar L
2907 .Bd -literal -offset indent
2910 loss-level 0.86
2912 0 200 # minimum overhead is 200ms
2924 .Bl -tag -width indent -compact
2935 The following case-insensitive parameters can be configured for a
2938 .Bl -tag -width indent -compact
2941 .Bl -tag -width indent -compact
2945 FIFO has O(1) per-packet time complexity, with very low
2946 constants (estimate 60-80ns on a 2GHz desktop machine)
2954 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2959 costs (roughly, 100-150ns per packet)
2965 costs (roughly, 200-250ns per packet).
2967 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2968 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2969 (old sub-queues and new sub-queues) for providing brief periods of priority to
2971 By default, the total number of sub-queues is 1024.
2972 FQ-CoDel's internal, dynamically
2973 created sub-queues are controlled by separate instances of CoDel AQM.
2975 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which similar to
2977 but uses per sub-queue PIE AQM instance to control the queue delay.
2993 .Bl -tag -width indent
3011 specifies the total number of flow queues (sub-queues) that fq_*
3013 By default, 1024 sub-queues are created when an instance
3036 .Bl -tag -width XXXX -compact
3037 .It Cm buckets Ar hash-table-size
3046 .It Cm mask Ar mask-specifier
3072 .Cm dst-ip Ar mask ,
3073 .Cm dst-ip6 Ar mask ,
3074 .Cm src-ip Ar mask ,
3075 .Cm src-ip6 Ar mask ,
3076 .Cm dst-port Ar mask ,
3077 .Cm src-port Ar mask ,
3078 .Cm flow-id Ar mask ,
3096 .It Cm plr Ar packet-loss-rate
3100 .Ar packet-loss-rate
3101 is a floating-point number between 0 and 1, with 0 meaning no
3104 When invoked with four arguments, the simple Gilbert-Elliott
3106 .Bd -literal -offset indent
3108 .----------------.
3110 .------------. .------------.
3113 '------------' '------------'
3115 '----------------'
3128 K = 1 - k ; H = 1 - h
3131 quick re-use of loss probability when giving only a single argument.
3149 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3184 .Bl -tag -width indent
3198 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3200 is interpreted as milliseconds by default but seconds (s), milliseconds (ms) or
3206 (5ms by default) is the minimum acceptable persistent queue delay that CoDel
3215 (100ms default) before dropping.
3221 ECN-enabled TCP flows when queue delay becomes high.
3247 en-queue process, with the aim of achieving high throughput while keeping queue
3252 (15ms by default) a background process (re)calculates the probability based on
3256 (15ms by default) and queue delay trends.
3261 is interpreted as milliseconds by default but seconds (s), milliseconds (ms) or
3264 .Bl -tag -width indent
3277 150ms is the
3285 enable or disable ECN marking for ECN-enabled TCP flows.
3291 enable or disable drop probability de-randomisation.
3292 De-randomisation eliminates
3294 De-randomisation is enabled by default.
3329 Information necessary to route link-local packets to an
3333 Care should be taken to ensure that link-local packets are not passed to
3338 .Bl -bullet
3349 use an auto-recovery script such as the one in
3355 .Bl -bullet
3374 reported as being dropped by rule -1.
3382 .Bd -literal -offset indent
3388 .Bd -literal -offset indent
3412 support in-kernel NAT using the kernel version of
3421 .Bd -ragged -offset indent
3422 .Bk -words
3426 .Ar nat-configuration
3431 .Bl -tag -width indent
3458 .It Cm port_range Ar lower-upper
3462 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3474 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3480 by port forwarding on the NAT, or tunnelling through an in-between server.
3486 .Bl -tag -width indent
3528 .Bd -ragged -offset indent
3529 .Bk -words
3535 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3541 configuration can be done in real-time through the
3554 supports in-kernel IPv6/IPv4 network address and protocol translation.
3555 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3558 among several IPv6-only clients.
3598 .Bd -ragged -offset indent
3599 .Bk -words
3603 .Ar create-options
3608 .Bl -tag -width indent
3618 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3623 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3693 .It Cm -log
3699 .It Cm -allow_private
3706 .Bd -ragged -offset indent
3707 .Bk -words
3718 it can be configured to pass IPv4 clients to IPv6-only servers.
3721 .Bd -ragged -offset indent
3722 .Bk -words
3726 .Ar create-options
3731 .Bl -tag -width indent
3733 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3748 .It Cm -log
3754 .It Cm -allow_private
3765 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3768 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3771 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3772 over IPv6-only networks with help of remote NAT64 translator.
3775 .Bd -ragged -offset indent
3776 .Bk -words
3780 .Ar create-options
3785 .Bl -tag -width indent
3787 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3790 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3797 .It Cm -log
3805 .It Cm -allow_private
3815 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3817 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3826 .Bd -ragged -offset indent
3827 .Bk -words
3831 .Ar create-options
3836 .Bl -tag -width indent
3874 .Bl -tag -width indent
3904 .Bl -tag -width indent
3908 responds to receipt of global OOTB ASCONF-AddIP:
3909 .Bl -tag -width indent
3911 No response (unless a partially matching association exists -
3934 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3938 and is not an INIT or ASCONF-AddIP packet:
3939 .Bl -tag -width indent
3960 multi-homed local hosts to function with the
3964 ASCONF-AddIP.
3989 SHUTDOWN-COMPLETE.
3993 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3999 will only be an INIT or ASCONF-AddIP packet.
4008 Level of detail in the system log messages (0 \- minimal, 1 \- event,
4009 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
4013 Timeout value while waiting for SHUTDOWN-COMPLETE.
4020 .Bl -tag -width indent
4061 Defines the default total number of flow queues (sub-queues) that
4102 Defines the default total number of flow queues (sub-queues) that
4147 If set to a non-zero value,
4221 Delta between rule numbers when auto-generating them.
4230 The default rule number (read-only).
4243 (read-only).
4246 .Cm keep-state
4306 .Bl -tag -width indent
4331 sub-options:
4332 .Bl -tag -width indent
4336 with their in-kernel status.
4337 .It Cm monitor Op Ar filter-comment
4343 .Ar filter-comment
4386 of the address sets and or-blocks and write extremely
4398 going out to vlans 100-1000:
4401 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4405 option could be used to do automated anti-spoofing by adding the
4418 option could be used to do similar but more restricted anti-spoofing
4492 .Dl "ipfw add check-state"
4494 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4501 .Cm check-state ,
4502 .Cm keep-state
4507 .Cm check-state
4513 .Cm record-state
4515 .Cm defer-action
4524 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4525 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4533 stateful rules can be subject to denial-of-service attacks
4534 by a SYN-flood which opens a huge number of dynamic rules.
4544 .Dl ipfw -at list
4548 .Dl ipfw -a list
4603 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4617 Procedure Calls, and where the round-trip-time of the
4623 .Dl "dnctl pipe 1 config delay 250ms bw 1Mbit/s"
4624 .Dl "dnctl pipe 2 config delay 250ms bw 1Mbit/s"
4626 Per-flow queueing can be useful for a variety of purposes.
4646 on a net with per-host limits, rather than per-network limits:
4650 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4651 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4681 In the following example per-interface firewall is created:
4696 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4716 .Dl "ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18"
4718 Here if everything goes well, you press control-C before the "sleep"
4719 terminates, and your ruleset will be left active.
4730 .Dl "ipfw -S set 18 show"
4769 .Bd -literal -offset 2n
4780 .Bd -literal -offset 2n
4792 .Cm record-state
4794 .Cm defer-action
4799 .Cm keep-state
4811 .Dl "ipfw add allow record-state defer-action"
4817 .Dl "ipfw add check-state"
4825 .Cm check-state
4827 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4855 .Dl "dnctl queue 1 config pipe 1 codel target 8ms interval 160ms ecn"
4876 .Dl "dnctl queue 1 config pipe 1 pie target 20ms tupdate 30ms ecn"
4902 to 10ms, we do:
4904 .Dl "dnctl sched 1 config pipe 1 type fq_codel target 10ms noecn"
4957 .An Poul-Henning Kamp ,
4961 .An Rasool Al-Saadi .
4963 .An -nosplit
4968 Dummynet has been introduced by Luigi Rizzo in 1997-1998.
4970 Some early work (1999-2000) on the
4980 .An -nosplit
4981 In-kernel NAT support written by
4997 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
5001 Rasool Al-Saadi.
5032 Dummynet drops all packets with IPv6 link-local addresses.