From owner-freebsd-net@FreeBSD.ORG Thu May 30 11:02:33 2013
From: "Paul A. Procacci" <pprocacci@datapipe.com>
To: Andreas Nilsson
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Date: Thu, 30 May 2013 06:01:44 -0500
Subject: Re: IPFW tablearg questions
Message-ID: <20130530110144.GC97854@nat.myhome>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.21 (2010-09-15)

> The question:
> Why can't you add a skipto to the default rule (65535)?

http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html

> I also consider using tablearg with divert, but manpage is contradicting
> itself in regards to divert with tablearg:
> " divert port
>         Divert packets that match this rule to the divert(4) socket
>         bound to port port. The search terminates."
> vs
>
> "The tablearg argument can be used with the following
> actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
> setfib, action parameters: tag, untag, rule options: limit, tagged."
>
> Also, in the EXAMPLES section one can find:
>
> " In the following example per-interface firewall is created:
>
> ipfw table 10 add vlan20 12000
> ipfw table 10 add vlan30 13000
> ipfw table 20 add vlan20 22000
> ipfw table 20 add vlan30 23000
> ..
> ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
> ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
> "
> where ipfw add 100 ipfw skipto seems wrong...

I'm not sure where the contradiction is.

Have you tried something like the following as an example?
I'm not sure the below works, but in my mind it does. ;)

#############################################
# table 10: source prefix -> value consumed as the divert(4) port via tablearg
ipfw table 10 add 129.168.0.0/24 1234
ipfw table 10 add 10.5.21.0/24 5678
# quote table(10) so the shell does not parse the parentheses
ipfw add 100 divert tablearg ip from 'table(10)' to any
#############################################

Perhaps knowing what it is you are trying to accomplish would lead to a more concrete answer.

~Paul
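The following is an added illustration, not part of the thread and not ipfw code: a small Python model of how ipfw consumes a table value as tablearg, combining the two uses the thread discusses (skipto tablearg, where the value is a rule number to jump to, and divert tablearg, where the value becomes the divert(4) port). The tables, rule numbers, addresses and the forward-only skipto check are constructed for the example; real ipfw also matches interfaces, protocols and ports, which this model leaves out.

```python
import ipaddress

# Constructed tables, shaped like "ipfw table N add <prefix> <value>".
SKIPTO_TABLE = {  # table 10: source prefix -> rule number to jump to
    ipaddress.ip_network("192.168.0.0/24"): 1000,
    ipaddress.ip_network("10.5.21.0/24"): 2000,
}
DIVERT_TABLE = {  # table 20: source prefix -> divert(4) port
    ipaddress.ip_network("10.5.21.0/24"): 5678,
    ipaddress.ip_network("10.5.21.128/25"): 5679,  # more specific entry wins
}

# Constructed rule set: (number, action, target, table-or-None).
# target == "tablearg" means "use the value that matched in the table".
# 65535 is the default rule and is always last.
RULES = [
    (100, "skipto", "tablearg", SKIPTO_TABLE),
    (200, "deny", None, None),                   # sources not in table 10 stop here
    (1000, "allow", None, None),                 # block for 192.168.0.0/24
    (2000, "divert", "tablearg", DIVERT_TABLE),  # block for 10.5.21.0/24
    (2100, "allow", None, None),
    (65535, "deny", None, None),
]


def table_lookup(table, addr):
    """Longest-prefix match over an address table; returns the value or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def evaluate(rules, src):
    """Walk the rules in order for a packet with source address src.

    Returns (action, detail): detail is the rule number that terminated the
    search, or the divert port when the action is "divert".
    """
    i = 0
    while i < len(rules):
        number, action, target, table = rules[i]
        arg = None
        if table is not None:
            arg = table_lookup(table, src)
            if arg is None:          # no table entry: the rule does not match
                i += 1
                continue
        if action == "skipto":
            dest = arg if target == "tablearg" else target
            if dest <= number:       # model of ipfw's forward-only skipto
                raise ValueError(f"rule {number}: skipto target {dest} is not after the rule")
            # resume at the first rule whose number is >= dest
            i = next(j for j, r in enumerate(rules) if r[0] >= dest)
            continue
        if action == "divert":
            return ("divert", arg if target == "tablearg" else target)
        return (action, number)
    return ("deny", 65535)


if __name__ == "__main__":
    for src in ("192.168.0.5", "10.5.21.7", "10.5.21.200", "172.16.0.1"):
        print(src, "->", evaluate(RULES, src))
```

Running it shows 192.168.0.5 jumping from rule 100 to 1000 and being allowed, both 10.5.21.0/24 hosts jumping to 2000 and being diverted, with the /25 host landing on port 5679 because the longer prefix wins, and an address absent from table 10 falling through rule 100 to the deny at 200.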