Date: Tue, 03 Feb 2015 02:13:38 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: John Nielsen <lists@jnielsen.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Does "setfib" in ipfw forces to re-route packet?
Message-ID: <54D004A2.4010203@FreeBSD.org>
In-Reply-To: <65FDDA6C-5910-4FBC-B43B-73BB72526AA5@jnielsen.net>
References: <54CEA776.1040505@FreeBSD.org> <65FDDA6C-5910-4FBC-B43B-73BB72526AA5@jnielsen.net>

On 03.02.2015 01:54, John Nielsen wrote:

> AFAIK, ipfw's setfib can only be usefully applied to incoming
> packets (before a routing decision is made) that are passing
> through (and not destined for) the FreeBSD machine as a router.

Nope!

> For locally-originated traffic you need to either start your
> application(s) using setfib(1) to begin with or use ipfw fwd rules
> to redirect the traffic (which essentially ignores the original
> routing decision). Be warned that FreeBSD 10.0 had a bug which
> broke ipfw fwd (see the errata).

Problem is, sometimes you want to change the routing decision on the way out, even on a router machine. For example, after "nat global", if you don't want to use "fwd" actions (because it has a static IP to use encoded in the rule, which doesn't look good!).

And it looks like it is possible. Please look at sys/netinet/ip_output.c, lines 493-535. It checks whether the packet filter changed (a) the destination address or (b) the FIB, and if it did, it re-runs the routing decision.

So, it will work "as expected" and only the documentation needs a fix :)

-- 
// Lev Serebryakov AKA Black Lion
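
The behaviour described in the message above, as an added user-space model; it is not part of the original e-mail and not FreeBSD kernel source. All names (`model_output`, the hooks, the two-FIB table) are hypothetical, and the model assumes the filter is skipped on the redo pass so the lookup cannot loop.

```c
/* Constructed model of "re-route if the output filter changed dst or FIB". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NFIBS 2

struct pkt { uint32_t dst; unsigned fib; int skip_fw; };
typedef void (*out_hook_t)(struct pkt *);

/* Constructed tables: each FIB holds only a default route to one interface. */
static const int fib_egress_if[NFIBS] = { 1, 2 };

static int route_lookup(unsigned fib, uint32_t dst) {
    (void)dst;                      /* default route only in this model */
    return fib < NFIBS ? fib_egress_if[fib] : -1;
}

/* Returns the egress interface; *lookups counts routing decisions made. */
int model_output(struct pkt *p, out_hook_t hook, int *lookups) {
    *lookups = 0;
    for (;;) {
        uint32_t odst = p->dst;     /* remember pre-filter state */
        unsigned ofib = p->fib;
        int ifidx = route_lookup(p->fib, p->dst);
        (*lookups)++;
        if (hook == NULL || p->skip_fw)
            return ifidx;           /* no filter, or already filtered once */
        hook(p);                    /* output packet filter runs here */
        if (odst == p->dst && ofib == p->fib)
            return ifidx;           /* filter left routing inputs alone */
        p->skip_fw = 1;             /* redo the lookup, skip filter next pass */
    }
}

/* Hypothetical filter effects standing in for firewall rules. */
void hook_pass(struct pkt *p)        { (void)p; }
void hook_setfib1(struct pkt *p)     { p->fib = 1; }          /* like "setfib 1" on out */
void hook_rewrite_dst(struct pkt *p) { p->dst = 0x0a000001; } /* destination rewritten */

int main(void) {
    int n;
    struct pkt a = { 0xc0000201, 0, 0 }, b = a;
    int ifa = model_output(&a, hook_pass, &n);
    printf("pass:     if %d after %d lookup(s)\n", ifa, n);
    int ifb = model_output(&b, hook_setfib1, &n);
    printf("setfib 1: if %d after %d lookup(s)\n", ifb, n);
    return 0;
}
```

When auditing a ruleset this matters because an outbound FIB change moves the packet to a different egress path than the first lookup chose.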