Subject: Re: Does "setfib" in ipfw forces to re-route packet?
From: John Nielsen
Date: Mon, 2 Feb 2015 15:54:52 -0700
To: lev@FreeBSD.org
Cc: freebsd-net@freebsd.org

On Feb 1, 2015, at 3:23 PM, Lev Serebryakov wrote:

> "man 8 ipfw" doesn't state, that setting new fib on "out" packet
> (when routing decision is done and output interface is known) change
> routing decision:
>
> ""The packet is tagged so as to use the FIB (routing table) fibnum in
> any subsequent forwarding decisions.""
>
> But according to ip_output.c (around line 527) "setfib" FORCES to
> make NEW decision!
>
> Do I read sources right? Maybe, wording in ipfw(8) should be changed?

AFAIK, ipfw's setfib can only be usefully applied to incoming packets (before a routing decision is made) that are passing through (and not destined for) the FreeBSD machine as a router.

For locally-originated traffic you need to either start your application(s) using setfib(1) to begin with or use ipfw fwd rules to redirect the traffic (which essentially ignores the original routing decision). Be warned that FreeBSD 10.0 had a bug which broke ipfw fwd (see the errata).

I use the latter on a multi-homed non-router machine.

$IP1/$CIDR1 is assigned to $IF1, and $GW1 is the default route for the system (just one FIB). $IP2/$CIDR2 is assigned to $IF2, and I'd like traffic originating from $IP2 to use $GW2 instead of $GW1. $LOCALTABLE is an ipfw table containing directly-connected subnets (traffic for which does not need to be routed).

ipfw table $LOCALTABLE add $IP1/$CIDR1
ipfw table $LOCALTABLE add $IP2/$CIDR2
ipfw table $LOCALTABLE add 127.0.0.0/8
...
ipfw fwd $GW2 ip from $IP2 to not "table($LOCALTABLE)" out via $IF1

JN
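
Added example, not part of the original message: a small Python model (not ipfw itself) of which locally originated packets the fwd rule above redirects, and why the $LOCALTABLE exclusion matters. The interface names, addresses and function names are constructed for illustration, and the routing lookup is simplified to "connected subnet, else default via $GW1".

```python
import ipaddress

# Constructed sample values (documentation address ranges) standing in for
# the $IF1/$IP1/$GW1 and $IF2/$IP2/$GW2 placeholders used in the message.
IF1, IP1, GW1 = "em0", "192.0.2.10/24", "192.0.2.1"
IF2, IP2, GW2 = "em1", "198.51.100.10/24", "198.51.100.1"

def net(prefix):
    # strict=False reduces an address/len pair to its network prefix
    return ipaddress.ip_network(prefix, strict=False)

CONNECTED = {IF1: net(IP1), IF2: net(IP2), "lo0": net("127.0.0.0/8")}
LOCALTABLE = [net(IP1), net(IP2), net("127.0.0.0/8")]   # $LOCALTABLE

def route(dst):
    """Single-FIB lookup: connected subnets first, else default via $GW1."""
    addr = ipaddress.ip_address(dst)
    for ifname, subnet in CONNECTED.items():
        if addr in subnet:
            return ifname, dst      # on-link: next hop is the destination
    return IF1, GW1

def fwd_matches(src, dst, out_if, table):
    """fwd $GW2 ip from $IP2 to not table($LOCALTABLE) out via $IF1"""
    addr = ipaddress.ip_address(dst)
    in_table = any(addr in subnet for subnet in table)
    return src == IP2.split("/")[0] and not in_table and out_if == IF1

def next_hop(src, dst, table=LOCALTABLE):
    """Next hop for a locally originated packet, and whether fwd fired."""
    out_if, hop = route(dst)
    if fwd_matches(src, dst, out_if, table):
        return GW2, True
    return hop, False

if __name__ == "__main__":
    for src, dst in [("198.51.100.10", "203.0.113.5"),   # $IP2 -> remote
                     ("192.0.2.10", "203.0.113.5"),      # $IP1 -> remote
                     ("198.51.100.10", "192.0.2.77")]:   # $IP2 -> on-link
        print(src, "->", dst, next_hop(src, dst))
    # With an empty table the on-link packet would be pushed to $GW2.
    print(next_hop("198.51.100.10", "192.0.2.77", table=[]))
```

The last call shows the case the table guards against: without the exclusion, traffic from $IP2 to a host on $IF1's own subnet would be handed to $GW2 instead of being delivered directly.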