From owner-freebsd-net@FreeBSD.ORG Thu May 30 11:46:41 2013
From: Andreas Nilsson
To: "Paul A. Procacci"
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Date: Thu, 30 May 2013 13:46:40 +0200
Subject: Re: IPFW tablearg questions
In-Reply-To: <20130530110144.GC97854@nat.myhome>
References: <20130530110144.GC97854@nat.myhome>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, May 30, 2013 at 1:01 PM, Paul A. Procacci wrote:
> > The question:
> > Why can't you add a skipto to the default rule (65535)?
> > http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html
> >
> > I also consider using tablearg with divert, but the manpage is contradicting
> > itself in regards to divert with tablearg:
> >
> > " divert port
> >       Divert packets that match this rule to the divert(4) socket bound
> >       to port port. The search terminates."
> >
> > vs
> >
> > "The tablearg argument can be used with the following
> > actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
> > setfib, action parameters: tag, untag, rule options: limit, tagged."
> >
> > Also, in the EXAMPLES section one can find:
> >
> > " In the following example per-interface firewall is created:
> >
> >     ipfw table 10 add vlan20 12000
> >     ipfw table 10 add vlan30 13000
> >     ipfw table 20 add vlan20 22000
> >     ipfw table 20 add vlan30 23000
> >     ..
> >     ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
> >     ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
> > "
> >
> > where ipfw add 100 ipfw skipto seems wrong...
>
> I'm not sure where the contradiction is. Have you tried something like
> the following as an example? I'm not sure the below works, but in my
> mind it does. ;)
>
> #############################################
> ipfw table 10 add 129.168.0.0/24 1234
> ipfw table 10 add 10.5.21.0/24 5678
> ipfw add 100 divert tablearg ip from table(10) to any
> #############################################
>
> Perhaps knowing what it is you are trying to accomplish would lead
> to a more concrete answer.
>
> ~Paul
>
> ________________________________
>
> This message may contain confidential or privileged information. If you
> are not the intended recipient, please advise us immediately and delete
> this message. See http://www.datapipe.com/legal/email_disclaimer/ for
> further information on confidentiality and the risks of non-secure
> electronic communication. If you cannot access these links, please notify
> us by reply message and we will send the contents to you.

Whoops, reply to all is good...

The contradiction is that for most of the other directives in the man page,
when it is possible to use tablearg it is listed, like

    fwd | forward ipaddr | tablearg[,port]

or

    nat nat_nr | tablearg

but not so for divert, which just reads:

    divert port

The pipe and queue directives as well are missing the "| tablearg" and the
corresponding description.

Yes, your example is how I also imagine it to work. I'm pondering how
something like:

    ipfw skipto tablearg all from any to any in { recv table(10) }
    ipfw add $rulenr divert tablearg tcp from table(11) to any
    ipfw add $rulenr fwd tablearg all from table(12) to any divert-output

would work out.

Best regards
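As an added example (not part of this thread, and not the ipfw project's own code), the script below generates the kind of ruleset the man page EXAMPLES section and Paul's divert snippet describe: a table mapping receive interfaces to rule-block numbers that a single "skipto tablearg" rule dispatches on, and a second table mapping source networks to divert(4) ports used by one "divert tablearg" rule. It validates the table values before emitting any rule text, because skipto walks forward to the first rule numbered at or past the target, so a value at or below the dispatch rule would never be reached, and the default rule 65535 is fixed. All table numbers, rule numbers, interface names, networks and ports are constructed values; the output is rule-file syntax (no shell quoting around table(10)) meant for review or for "ipfw -q rules.txt" on a FreeBSD host, and nothing here calls ipfw.

```shell
#!/bin/sh
# Constructed example: emit an ipfw rule file built on skipto tablearg
# (interface -> rule block) and divert tablearg (network -> divert port),
# checking every table value before a single rule line is produced.

IFTABLE=10      # constructed: recv interface -> rule block number
NETTABLE=11     # constructed: source network -> divert(4) port
DIVERT_RULE=50  # constructed: divert tablearg rule, before the dispatch rule
DISPATCH=100    # constructed: skipto tablearg dispatch rule

# "key value" pairs, one per line (constructed).
IFMAP="vlan20 12000
vlan30 13000"
NETMAP="192.168.0.0/24 1234
10.5.21.0/24 5678"

# is_num NUM LOW HIGH: true when NUM is an integer with LOW < NUM < HIGH.
is_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt "$2" ] && [ "$1" -lt "$3" ]
}

# check_map MAP LOW HIGH: fail (and name the key on stderr) on any value
# that is not an integer strictly between LOW and HIGH.
check_map() {
    echo "$1" | while read -r key value; do
        [ -n "$key" ] || continue
        is_num "$value" "$2" "$3" ||
            { echo "bad value '$value' for $key" >&2; exit 1; }
    done
}

# emit_table TABLENUM MAP: flush the table, then add each pair.
emit_table() {
    echo "table $1 flush"
    echo "$2" | while read -r key value; do
        [ -n "$key" ] || continue
        echo "table $1 add $key $value"
    done
}

# gen_rules: skipto targets must lie above DISPATCH (skipto only walks
# forward) and below the fixed default rule 65535; divert values must be
# port numbers in 1..65535. Divert terminates the search, so its rule sits
# before the dispatch rule; inbound traffic from an interface missing in
# the table falls through the skipto to an explicit deny.
gen_rules() {
    check_map "$IFMAP" "$DISPATCH" 65535 || return 1
    check_map "$NETMAP" 0 65536 || return 1
    emit_table "$IFTABLE" "$IFMAP"
    emit_table "$NETTABLE" "$NETMAP"
    echo "add $DIVERT_RULE divert tablearg tcp from table($NETTABLE) to any"
    echo "add $DISPATCH skipto tablearg ip from any to any recv table($IFTABLE) in"
    echo "add $((DISPATCH + 1)) deny ip from any to any in"
    echo "$IFMAP" | while read -r iface target; do
        [ -n "$iface" ] || continue
        # Constructed per-interface block: permit SSH to this host, deny the rest.
        echo "add $target allow tcp from any to me 22 in recv $iface"
        echo "add $((target + 1)) deny ip from any to any in recv $iface"
    done
}

# Usage: ./gen_ipfw.sh > rules.txt && ipfw -q rules.txt   (on a FreeBSD host)
gen_rules
```

The generated file deliberately contains no shell quoting: when the same rules are typed at a shell prompt, table(10) has to be written as 'table(10)', as the man page example does, because the parentheses are otherwise shell syntax.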