Date: Thu, 30 May 2013 13:46:40 +0200
From: Andreas Nilsson <andrnils@gmail.com>
To: "Paul A. Procacci" <pprocacci@datapipe.com>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: IPFW tablearg questions
Message-ID: <CAPS9%2BSuPYDpNd=o4fR1KhWWwDAm1HnwGgJ4KdMc_AqHce5NFOw@mail.gmail.com>
In-Reply-To: <20130530110144.GC97854@nat.myhome>
References: <CAPS9%2BSueiESR7bTr5amQ4k_36h=j6-BAnBQ00TZA=CA3PC28eQ@mail.gmail.com> <20130530110144.GC97854@nat.myhome>
On Thu, May 30, 2013 at 1:01 PM, Paul A. Procacci <pprocacci@datapipe.com> wrote:

> > The question:
> > Why can't you add a skipto to the default rule (65535)?
> > http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html
> >
> > I also consider using tablearg with divert, but manpage is contradicting
> > itself in regards to divert with tablearg:
> >
> > "  divert port
> >      Divert packets that match this rule to the divert(4) socket bound
> >      to port port. The search terminates."
> >
> > vs
> >
> > "The tablearg argument can be used with the following
> > actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
> > setfib, action parameters: tag, untag, rule options: limit, tagged."
> >
> > Also, in the EXAMPLES section one can find:
> >
> > "  In the following example per-interface firewall is created:
> >
> >      ipfw table 10 add vlan20 12000
> >      ipfw table 10 add vlan30 13000
> >      ipfw table 20 add vlan20 22000
> >      ipfw table 20 add vlan30 23000
> >      ..
> >      ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
> >      ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
> > "
> >
> > where ipfw add 100 ipfw skipto seems wrong...
>
> I'm not sure where the contradiction is. Have you tried something like
> the following as an example? I'm not sure the below works, but in my
> mind it does. ;)
>
> #############################################
> ipfw table 10 add 129.168.0.0/24 1234
> ipfw table 10 add 10.5.21.0/24 5678
> ipfw add 100 divert tablearg ip from table(10) to any
> #############################################
>
> Perhaps knowing what it is you are trying to accomplish would lead
> to a more concrete answer.
>
> ~Paul
>
> ________________________________
>
> This message may contain confidential or privileged information. If you
> are not the intended recipient, please advise us immediately and delete
> this message. See http://www.datapipe.com/legal/email_disclaimer/ for
> further information on confidentiality and the risks of non-secure
> electronic communication. If you cannot access these links, please notify
> us by reply message and we will send the contents to you.

Whoops, reply to all is good...

The contradiction is that for most of the other directives in the man-page,
when it is possible to use tablearg it is listed, like

    fwd | forward ipaddr | tablearg[,port]

or

    nat nat_nr | tablearg

but not so for divert, which just reads:

    divert port

The pipe and queue directives as well are missing the | tablearg and the
corresponding description.

Yes, your example is how I also imagine it to work. I'm pondering how
something like:

    ipfw skipto tablearg all from any to any in { recv table(10) }
    ipfw add $rulenr divert tablearg tcp from table(11) to any
    ipfw add $rulenr fwd tablearg all from table(12) to any divert-output

would work out.

Best regards
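The three-step ruleset Andreas sketches above (skipto tablearg keyed on the receive interface, then divert tablearg or fwd tablearg keyed on the source network) is easiest to reason about by walking a packet through it. The model below is an added example written for this page; it is not code from the thread, from the ipfw(8) manual, or from FreeBSD. It models only what the thread states: a table lookup that fails means the rule does not match, skipto resumes the search at the first rule numbered at or above the table value, and divert and fwd terminate the search. Everything else is a labelled assumption: tables are plain dicts (interface names matched exactly, addresses by longest prefix), only the source address and receive interface are matched, the default rule 65535 is modelled as deny, and the table contents, rule numbers and next-hop address are constructed sample data, not values from the thread.

```python
"""Toy model of an ipfw rule search with tablearg (added example, not FreeBSD code).

Assumptions of this model, not documented ipfw behaviour:
- tables are dicts; interface tables match exactly, address tables by longest prefix
- a packet is just {"src": address, "recv": interface}
- the default rule 65535 is modelled as deny
- the value stored for fwd tablearg is used verbatim as the next hop
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

DEFAULT_RULE = 65535  # assumed to deny in this model


@dataclass
class Rule:
    number: int
    action: str                  # skipto, divert, fwd, allow, deny
    arg: Union[int, str, None]   # literal argument, or the string "tablearg"
    table: Optional[int] = None  # table whose lookup decides whether the rule matches
    key: str = "src"             # packet field looked up: "src" or "recv"


def lookup(table: dict, key: str):
    """Return the value stored for key, or None if the table has no entry for it.
    Interface names match exactly; addresses match the longest containing prefix."""
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return table.get(key)            # not an address: interface-keyed table
    best = None
    for entry, value in table.items():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                     # entry is not a prefix (interface-keyed table)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None


def walk(rules, tables, pkt):
    """Run the rule search for pkt; return (terminating action, its argument, trace).
    The trace lists every rule that matched as (number, action, resolved argument)."""
    rules = sorted(rules, key=lambda r: r.number)
    trace, i = [], 0
    while i < len(rules):
        rule, arg = rules[i], rules[i].arg
        if rule.table is not None:
            value = lookup(tables[rule.table], pkt[rule.key])
            if value is None:            # key not in table: this rule does not match
                i += 1
                continue
            if arg == "tablearg":
                arg = value              # tablearg resolves to the stored table value
        trace.append((rule.number, rule.action, arg))
        if rule.action == "skipto":
            # resume at the first rule numbered >= arg; ipfw only allows forward jumps
            target = next((j for j, r in enumerate(rules) if r.number >= arg), len(rules))
            if target <= i:
                raise ValueError(f"rule {rule.number}: skipto {arg} does not jump forward")
            i = target
            continue
        return rule.action, arg, trace   # divert, fwd, allow and deny end the search
    trace.append((DEFAULT_RULE, "deny", None))
    return "deny", None, trace


# Constructed sample data mirroring the shape of the ruleset in the thread.
TABLES = {
    10: {"vlan20": 12000, "vlan30": 13000},      # receive interface -> rule number
    11: {"10.5.21.0/24": 5678},                  # source network -> divert port
    12: {"192.168.0.0/24": "192.168.0.254"},     # source network -> next hop (constructed)
}
RULES = [
    Rule(100, "skipto", "tablearg", table=10, key="recv"),
    Rule(200, "allow", None),                    # traffic from interfaces not in table 10
    Rule(12000, "divert", "tablearg", table=11),
    Rule(12010, "allow", None),
    Rule(13000, "fwd", "tablearg", table=12),
    Rule(13010, "allow", None),
]


def classify(src: str, recv: str):
    """Terminating (action, argument) for a packet from src received on recv."""
    action, arg, _ = walk(RULES, TABLES, {"src": src, "recv": recv})
    return action, arg


if __name__ == "__main__":
    for src, recv in [("10.5.21.7", "vlan20"), ("10.9.9.9", "vlan20"),
                      ("192.168.0.5", "vlan30"), ("1.2.3.4", "em0")]:
        action, arg, trace = walk(RULES, TABLES, {"src": src, "recv": recv})
        print(f"{src:>12} in {recv:<6} -> {action} {arg!r:<16} via {trace}")
```

Running it shows the per-interface dispatch the manual's example relies on: a packet received on vlan20 is sent by rule 100 to the 12000 block, where divert tablearg turns the table-11 value into a port and stops, while a packet from an interface absent from table 10 simply falls through rule 100 to rule 200. Note the skipto guard: with real ipfw a skipto target must be above the current rule number, which is also why the thread's question about jumping to the default rule is a question about rule ordering rather than table contents.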