Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 06 Apr 2014 18:02:41 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Brett Glass <brett@lariat.net>
Cc:        net@freebsd.org
Subject:   Re: More on odd IPFW behavior
Message-ID:  <53413451.4080400@grosbein.net>
In-Reply-To: <201404060427.WAA11607@mail.lariat.net>
References:  <201404060427.WAA11607@mail.lariat.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 06.04.2014 11:27, Brett Glass wrote:
> A bit more investigation of IPFW's behavior on VLAN interfaces has 
> revealed some even stranger stuff. Consider the tallies on the 
> following firewall rules:
> 
> # ipfw show | head
> 00001  65071  36685513 count ip from any to any layer2 via re0
> 00002  65303  36856334 count ip from any to any layer2 via re0_1
> 00003      6      3381 count ip from any to any layer2 via re0_2
> 00004  49338  35208527 count ip from any to any layer2 via re0_3
> 00005      0         0 count ip from any to any layer2 in recv re0
> 00006  65071  36685513 count ip from any to any layer2 out xmit re0
> 00007      0         0 count ip from any to any layer2 in recv re0_1
> 00008  65303  36856334 count ip from any to any layer2 out xmit re0_1
> 
> It looks as if, when one adds "in" and "out" to the rules, one 
> never sees any Layer 2 packets coming "in" on either a vlan(4) 
> interface or its parent. There might be a problem with general 
> brokenness in IPFW's "in" and "out" qualifiers when dealing with 
> Layer 2 packets, or something else might be wrong.... Not sure, but 
> this behavior is definitely weird. And note that, again, re0_1 (a 
> child interface) shows more packets than re0 (the parent). Weird. 
> Do not have experience with pf, so do not know if it would do 
> better, but IPFW certainly has something broken. Help in figuring 
> out what to propose as a patch would be MUCH appreciated.

Try to replace "count" with "allow" in the rule 6 and
"count" with "count log" in the rule 8 and look at /var/log/security
to find out "extra" packets that hit rule 8.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53413451.4080400>