From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
Date: Tue, 03 Feb 2015 02:13:38 +0300
To: John Nielsen
Cc: freebsd-net@freebsd.org
Subject: Re: Does "setfib" in ipfw forces to re-route packet?

On 03.02.2015 01:54, John Nielsen wrote:

> AFAIK, ipfw's setfib can only be usefully applied to incoming
> packets (before a routing decision is made) that are passing
> through (and not destined for) the FreeBSD machine as a router.

Nope!

> For locally-originated traffic you need to either start your
> application(s) using setfib(1) to begin with or use ipfw fwd rules
> to redirect the traffic (which essentially ignores the original
> routing decision). Be warned that FreeBSD 10.0 had a bug which
> broke ipfw fwd (see the errata).

Problem is, sometimes you want to change the routing decision on the way out even on a router machine. For example, after "nat global", if you don't want to use "fwd" actions (because it has a static IP to use encoded in the rule, which doesn't look good!).

And it looks like it is possible. Please look at sys/netinet/ip_output.c, lines 493-535. It checks whether the packet filter changed (a) the destination address or (b) the FIB, and if it did, it re-runs the routing decision.

So, it will work "as expected" and only the documentation needs a fix :)

--
// Lev Serebryakov AKA Black Lion
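
A simplified user-space model of the check described in the message above, added here as an example; it is not the FreeBSD source and not part of the original message. All names, the gateway addresses and the packet are constructed, and the model assumes the filter is not run again on the second pass.

```c
#include <stdint.h>
#include <stdio.h>

#define NFIB 2
/* Constructed sample data: one default gateway per FIB (10.0.0.1, 10.1.0.1). */
static const uint32_t fib_gateway[NFIB] = { 0x0a000001u, 0x0a010001u };

struct pkt {            /* hypothetical stand-in for a packet and its tags */
    uint32_t dst;       /* destination address */
    unsigned fib;       /* FIB number carried by the packet */
    int skip_firewall;  /* model assumption: set once the filter has run */
};
struct result { uint32_t gateway; int lookups; int hook_runs; };
typedef void (*out_hook_t)(struct pkt *);

/* Example hooks: one acts like an outbound setfib rule, one changes nothing. */
void hook_setfib1(struct pkt *p) { p->fib = 1; }
void hook_noop(struct pkt *p) { (void)p; }

/* Model of the output path: look up a route, run the filter, and redo the
 * lookup if the filter changed (a) the destination or (b) the FIB. */
struct result model_output(struct pkt *p, out_hook_t hook)
{
    struct result r = { 0, 0, 0 };
    for (;;) {
        unsigned fib = p->fib;          /* FIB used for this lookup */
        uint32_t odst = p->dst;         /* destination before filtering */
        r.gateway = fib_gateway[fib % NFIB];
        r.lookups++;
        if (p->skip_firewall || hook == NULL)
            return r;                   /* already filtered: send as routed */
        hook(p);
        r.hook_runs++;
        if (odst == p->dst && fib == p->fib)
            return r;                   /* routing inputs unchanged */
        p->skip_firewall = 1;           /* do not filter the packet twice */
    }
}

int main(void)
{
    struct pkt p = { 0xc6336401u, 0, 0 };   /* constructed: 198.51.100.1, FIB 0 */
    struct result r = model_output(&p, hook_setfib1);
    printf("gateway=%08x lookups=%d hook_runs=%d\n",
           (unsigned)r.gateway, r.lookups, r.hook_runs);
    return 0;
}
```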