From owner-freebsd-current@FreeBSD.ORG Fri Jan 16 19:37:52 2009
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E27FA106566B; Fri, 16 Jan 2009 19:37:52 +0000 (UTC) (envelope-from prvs=julian=26000d075@elischer.org)
Received: from smtp-outbound.ironport.com (smtp-outbound.ironport.com [63.251.108.112]) by mx1.freebsd.org (Postfix) with ESMTP id B2F9F8FC0C; Fri, 16 Jan 2009 19:37:52 +0000 (UTC) (envelope-from prvs=julian=26000d075@elischer.org)
Received: from unknown (HELO julian-mac.elischer.org) ([10.251.60.21]) by smtp-outbound.ironport.com with ESMTP; 16 Jan 2009 11:09:27 -0800
Message-ID: <4970DB6C.4030200@elischer.org>
Date: Fri, 16 Jan 2009 11:09:32 -0800
From: Julian Elischer
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Eduardo Meyer
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: current@freebsd.org, net@freebsd.org
Subject: Re: Multiple Routing Tables (FIB) + IPFW problem as (I?) expected
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Fri, 16 Jan 2009 19:37:53 -0000

Eduardo Meyer wrote:
> Hello,
>
> I am trying the new FIB stuff on -STABLE with IPFW, I made many tests
> and it did not work as I expected.
>
> Quick testing:
>
> # lynx -dump http://www.whatismyip.org
> 200.165.75.10
>
> # setfib -1 lynx -dump http://www.whatismyip.org
> 189.52.141.2
>
> # setfib -2 lynx -dump http://www.whatismyip.org
> 201.91.92.154
>

so you have 3 tables with different default routes?

> # ipfw -q flush
> # ipfw add 1 setfib 1 all from any to any
> 00001 setfib 1 ip from any to any
>
> # lynx -dump http://www.whatismyip.org
> 200.165.75.10
>
> Check for counters:
>
> # ipfw -q add 2 allow all from any to any fib 1
> # ipfw show

obviously you did some other commands here..
something generated 2 million packets..

> 00001 388599 139653215 setfib 1 ip from any to any
> 00002 4253 2221474 allow ip from any to any fib 1
> 65535 2419650 983279227 allow ip from any to any
>
> # lynx -dump http://www.whatismyip.org
> 200.165.75.10
>
> # setfib -1 lynx -dump http://www.whatismyip.org
> 189.52.141.2
>
> Is anything wrong with my concepts? I would like to know if -CURRENT
> has the same behavior, can someone please test?

this is expected..
setfib in the firewall can only change the fib on an outgoing packet
AFTER it has already done its routing decision.
setfib in ipfw is basically for packets that you are ROUTING, (i.e. you
are a gateway) and is expected to be run in INCOMING packets before
they make their routing decision..

I was thinking of adding a 'reroute' ipfw keyword.. kind of like
'fwd {original dest} ip from any to any'
because 'fwd' does cause the routing decision to be redone.

The fib of the process that opens the socket controls where packets
from the local machine are sent.
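The diagnosis above rests on reading `ipfw show` counters across a test: if the `setfib` rule's counter climbs while the `fib 1` match rule's counter does not, the locally originated packets were already routed before the firewall touched them, exactly as Julian describes. The following helper is an added example, not code from this thread or from FreeBSD: it parses `ipfw show` output into per-rule counters and reports which rules matched traffic between two snapshots. The "after" snapshot reuses the counter lines quoted in the message; the "before" snapshot is constructed here to stand in for a reading taken just before the `lynx` run, and the 'reroute' keyword discussed in the reply is not modelled.

```python
import re
from dataclasses import dataclass

# Counter lines as printed by `ipfw show`: rule number, packets, bytes, rule body.
# The echo printed by `ipfw add` ("00001 setfib 1 ip ...") carries no counters
# and therefore does not match.
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text):
    """Parse `ipfw show` output into {rule_number: Rule}; non-counter lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        num, pkts, byts, body = m.groups()
        rules[int(num)] = Rule(int(num), int(pkts), int(byts), body)
    return rules


def counter_delta(before, after):
    """Per-rule (packets, bytes) growth between two snapshots.

    Rules that only exist in `after` (added between the snapshots) count from
    zero; rules that were deleted in between are ignored.
    """
    delta = {}
    for num, rule in after.items():
        old = before.get(num)
        p0 = old.packets if old else 0
        b0 = old.bytes if old else 0
        delta[num] = (rule.packets - p0, rule.bytes - b0)
    return delta


def rules_that_matched(before, after):
    """Rule numbers whose packet counter moved between the snapshots, ascending."""
    return [n for n, (p, _) in sorted(counter_delta(before, after).items()) if p > 0]


def report(before, after):
    """Human-readable summary lines, one per rule, flagging idle rules."""
    lines = []
    for num, (p, b) in sorted(counter_delta(before, after).items()):
        tag = "matched" if p > 0 else "idle   "
        lines.append(f"{tag} rule {num:5d}: +{p} pkts +{b} bytes  {after[num].body}")
    return lines


# Constructed "before" snapshot (not from the message): counters as they might
# have read immediately before the `lynx -dump` test.
BEFORE = """\
00001 388000 139600000 setfib 1 ip from any to any
00002 4253 2221474 allow ip from any to any fib 1
65535 2419000 983000000 allow ip from any to any
"""

# "After" snapshot: the `ipfw show` lines quoted in the message.
AFTER = """\
00001 388599 139653215 setfib 1 ip from any to any
00002 4253 2221474 allow ip from any to any fib 1
65535 2419650 983279227 allow ip from any to any
"""


def main():
    before = parse_ipfw_show(BEFORE)
    after = parse_ipfw_show(AFTER)
    for line in report(before, after):
        print(line)
    if 2 not in rules_that_matched(before, after):
        print("rule 2 (match on fib 1) saw none of the test traffic: "
              "the setfib rule ran after the routing decision for local packets")


if __name__ == "__main__":
    main()
```

Taking a snapshot immediately before and after a single `lynx` run keeps unrelated traffic (the "2 million packets" noted in the reply) from masking the result; the idle/matched flag on rule 2 is the quick check for whether a firewall `setfib` rule is actually steering locally originated packets.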