From owner-freebsd-questions@freebsd.org Tue Aug 18 22:41:39 2015
Message-ID: <55D3B49F.5010309@gmail.com>
Date: Wed, 19 Aug 2015 00:41:35 +0200
From: andreas scherrer
To: freebsd-questions@freebsd.org
Subject: ipfw's "via" rule option/match pattern

Dear all

I am struggling to understand ipfw's "via" rule option. I am on FreeBSD 10.1-release-p16.

I have read ipfw(8) [1] many times by now but I still find it confusing:

"The via keyword causes the interface to always be checked. If recv or xmit is used instead of via, then only the receive or transmit interface (respectively) is checked."

What does "the interface is checked" mean in this context? And what is a common use case for the "via" rule option as opposed to recv/xmit? "in via" seems to be the same as "in recv" anyway (because "in xmit" is invalid) if I read "via" as "recv or xmit"...

I have also read (and I believe understood) [2], [3] and [4]. But it somehow contradicts what I see on my system. Or at least I think so.

Mainly they all state that something like

... out via ifX

matches packets that are *going through* a box (read: are forwarded) if they came in on interface ifX and are leaving the box via ifY. That would be because the packet's receive interface is checked when it leaves the box, and because it entered the box on ifX the rule matches (even if the packet leaves the box on ifY).
[4]: "Again, 'out via $wan_if' is ambiguous, and includes packets _received_ on $wan_if and now being transmitted to the inside"

When I run a quick test, sending one ICMP echo request from 192.168.32.10 to 192.168.38.17 (two devices communicating via the box that has the "count" rules listed below configured), I get the following result:

-----
When 192.168.38.17 does not answer the ping:

00350 2 168 count icmp from 192.168.32.10 to 192.168.38.17 recv re0.32
00350 0 0 count icmp from 192.168.38.17 to 192.168.32.10 recv re0.38
00351 1 84 count icmp from 192.168.32.10 to 192.168.38.17 in recv re0.32
00351 0 0 count icmp from 192.168.38.17 to 192.168.32.10 in recv re0.38
00352 1 84 count icmp from 192.168.32.10 to 192.168.38.17 out recv re0.32
00352 0 0 count icmp from 192.168.38.17 to 192.168.32.10 out recv re0.38
00355 1 84 count icmp from 192.168.32.10 to 192.168.38.17 via re0.32
00355 0 0 count icmp from 192.168.38.17 to 192.168.32.10 via re0.38
00356 1 84 count icmp from 192.168.32.10 to 192.168.38.17 in via re0.32
00356 0 0 count icmp from 192.168.38.17 to 192.168.32.10 in via re0.38
00357 0 0 count icmp from 192.168.32.10 to 192.168.38.17 out via re0.32
00357 0 0 count icmp from 192.168.38.17 to 192.168.32.10 out via re0.38
00358 1 84 count icmp from 192.168.32.10 to 192.168.38.17 out recv re0.32 xmit re0.38
00358 0 0 count icmp from 192.168.38.17 to 192.168.32.10 out recv re0.38 xmit re0.32

When 192.168.38.17 does answer the ping:

00350 2 168 count icmp from 192.168.32.10 to 192.168.38.17 recv re0.32
00350 2 168 count icmp from 192.168.38.17 to 192.168.32.10 recv re0.38
00351 1 84 count icmp from 192.168.32.10 to 192.168.38.17 in recv re0.32
00351 1 84 count icmp from 192.168.38.17 to 192.168.32.10 in recv re0.38
00352 1 84 count icmp from 192.168.32.10 to 192.168.38.17 out recv re0.32
00352 1 84 count icmp from 192.168.38.17 to 192.168.32.10 out recv re0.38
00355 1 84 count icmp from 192.168.32.10 to 192.168.38.17 via re0.32
00355 1 84 count icmp from 192.168.38.17 to 192.168.32.10 via re0.38
00356 1 84 count icmp from 192.168.32.10 to 192.168.38.17 in via re0.32
00356 1 84 count icmp from 192.168.38.17 to 192.168.32.10 in via re0.38
00357 0 0 count icmp from 192.168.32.10 to 192.168.38.17 out via re0.32
00357 0 0 count icmp from 192.168.38.17 to 192.168.32.10 out via re0.38
00358 1 84 count icmp from 192.168.32.10 to 192.168.38.17 out recv re0.32 xmit re0.38
00358 1 84 count icmp from 192.168.38.17 to 192.168.32.10 out recv re0.38 xmit re0.32
-----

According to the statement in [4] I would expect rule 357 to match...

Can anyone shed some light on that topic for me? I have a feeling that my understanding that "via" is "recv or xmit" is not correct.

Thanks in advance
andreas

[1] https://www.freebsd.org/cgi/man.cgi?query=ipfw(8)
[2] https://lists.freebsd.org/pipermail/freebsd-questions/2005-July/094739.html
[3] https://groups.google.com/forum/#!topic/comp.unix.bsd.freebsd.misc/AkDSKlUmVok
[4] https://lists.freebsd.org/pipermail/freebsd-questions/2011-June/231271.html
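Added here as an illustration (not part of the post above and not ipfw's own code): a small Python model of the recv/xmit/via interface checks, run over the two passes (input, then output) that a forwarded packet makes through the firewall. It assumes that "via" is compared against the transmit interface on the output pass and against the receive interface on the input pass, never against both; that assumed reading is the one that reproduces the counters shown in the post. The names Pkt, parse_rule, matches, forwarded and count are the model's own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    src: str
    dst: str
    rcvif: str            # interface the packet arrived on
    oif: Optional[str]    # interface it leaves on; None during the input pass

def parse_rule(text: str) -> dict:
    """Parse the subset of 'ipfw list' syntax used by the post's count rules."""
    tok = text.split()
    if tok[1] != "count" or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule: {text}")
    rule = {"num": int(tok[0]), "proto": tok[2], "src": tok[4], "dst": tok[6]}
    rest = iter(tok[7:])
    for t in rest:
        if t in ("in", "out"):
            rule["dir"] = t
        elif t in ("recv", "xmit", "via"):
            rule[t] = next(rest)  # each option takes one interface name
        else:
            raise ValueError(f"unsupported option {t!r} in: {text}")
    return rule

def matches(rule: dict, p: Pkt, outbound: bool) -> bool:
    """Does the rule match this packet on this (input or output) pass?"""
    if (rule["src"], rule["dst"]) != (p.src, p.dst):
        return False
    if rule.get("dir") == ("in" if outbound else "out"):
        return False  # wrong direction for this pass
    if rule.get("recv", p.rcvif) != p.rcvif or rule.get("xmit", p.oif) != p.oif:
        return False
    # Assumed "via" semantics: compare against the transmit interface while the
    # packet is leaving and against the receive interface while it is arriving.
    seen = p.oif if outbound else p.rcvif
    return rule.get("via", seen) == seen

def forwarded(src: str, dst: str, in_if: str, out_if: str):
    """The two ipfw passes a forwarded packet makes: input, then output."""
    return [(Pkt(src, dst, in_if, None), False), (Pkt(src, dst, in_if, out_if), True)]

def count(rules, passes):
    """Match count per rule text, like the packet counter column of 'ipfw show'."""
    return {r: sum(matches(parse_rule(r), p, ob) for p, ob in passes) for r in rules}

# Constructed sample: one echo request forwarded re0.32 -> re0.38 plus its reply.
PING = (forwarded("192.168.32.10", "192.168.38.17", "re0.32", "re0.38")
        + forwarded("192.168.38.17", "192.168.32.10", "re0.38", "re0.32"))
```

Feeding the post's rules into count(rules, PING) yields 2 for "recv re0.32", 1 for "via re0.32" and 0 for "out via re0.32", matching the counters in the post; under the "recv or xmit" reading the last one would have been 1.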