From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "O. Hartmann", freebsd-current, freebsd-ipfw@freebsd.org
Subject: Re: ipfw: manpage: semantics of "receive" and "xmit" interfaces
Date: Tue, 9 Jan 2018 21:23:54 +0300
Message-ID: <5e6811ff-70c6-ee74-bf04-1319e9002b29@yandex.ru>
In-Reply-To: <20180109102813.63c32899@freyja.zeit4.iv.bundesimmobilien.de>

On 09.01.2018 12:28, O. Hartmann wrote:
> In section RULE OPTIONS, there is recv|xmit|via explained (a bit).
> There is also an example:
>
> ipfw add deny ip from any to any out recv ed0 xmit ed1
>
> Can someone explain a bit more what the semantics of these are? I get especially
> confused by the subsequent blocks of text following the line I mentioned above.
> Since not everybody using FreeBSD is capable of studying the kernel sources, I
> have difficulties putting those statements in line with a visualization of the
> packet flow. A local host receiving packets destined for the local host can
> not have an xmit interface? If I imagine that the recv interface might be the
> interface adjacent directly to the in/out port depicted in section PACKET FLOW,
> it doesn't give me any idea why there is no xmit interface.

When your system has two interfaces, ed0 and ed1, and it acts as a router, a
forwarded packet can be checked by the firewall two times:

1. When a packet is received on the ed0 interface, the mbuf associated with
this packet gets a property "receiving interface". This packet is checked for
the inbound direction and can be matched by the "in" and "recv ed0" opcodes.
If it was not dropped by rules, it will go through the IP stack and can be
forwarded according to the routing table via interface ed1.

2. When the routing decision has been made (i.e. the outbound interface is
determined), the packet is checked by the firewall again, now for the outbound
direction. It can be matched by the "out" and "xmit ed1" opcodes. The opcode
"recv ed0" can still be matched too, but the "in" opcode will not be matched.

A packet destined for the local host is consumed by the local IP stack and
will not be forwarded. It is checked by the firewall only one time (usually).
Thus it can not have an xmit interface.

-- 
WBR, Andrey V. Elsukov
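As an added illustration (not part of the reply and not ipfw code), the following POSIX sh script models the passes described above: a forwarded packet is checked inbound with only a receiving interface set and again outbound after routing, while a locally delivered packet is checked once. The interface names ed0/ed1 and the example rule come from the thread; the pass model and the `via` handling (the interface in use on that pass) are assumptions drawn from the explanation and the ipfw(8) manpage.

```shell
# Constructed model of ipfw option matching; runs no real firewall.
# A "pass" is one firewall check of a packet: DIR (in|out), RECV (the
# receiving interface, "-" if none) and XMIT (the transmit interface,
# "-" until a routing decision has been made).

# match_opts DIR RECV XMIT OPTS...
# OPTS are ipfw rule options: in, out, "recv IF", "xmit IF", "via IF".
# Returns 0 when every option matches the pass, 1 otherwise.
match_opts() {
    dir=$1; recv=$2; xmit=$3; shift 3
    while [ $# -gt 0 ]; do
        case $1 in
            in)   [ "$dir" = in ]  || return 1 ;;
            out)  [ "$dir" = out ] || return 1 ;;
            recv) [ "$recv" = "$2" ] || return 1; shift ;;  # testable in and out
            xmit) [ "$xmit" = "$2" ] || return 1; shift ;;  # only set on the out pass
            via)  # the interface in use on this pass: xmit when out, recv when in
                  if [ "$dir" = out ]; then chk=$xmit; else chk=$recv; fi
                  [ "$chk" = "$2" ] || return 1; shift ;;
            *)    echo "unknown option: $1" >&2; return 2 ;;
        esac
        shift
    done
    return 0
}

# packet_passes KIND: the passes a packet sees, as DIR:RECV:XMIT words.
# "forwarded" arrives on ed0 and is routed out via ed1 (two passes);
# "local" arrives on ed0 and is consumed by the host (one pass).
packet_passes() {
    case $1 in
        forwarded) echo "in:ed0:- out:ed0:ed1" ;;
        local)     echo "in:ed0:-" ;;
        *)         echo "unknown packet kind: $1" >&2; return 2 ;;
    esac
}

# count_matches KIND OPTS...: number of the packet's passes the rule matches.
count_matches() {
    kind=$1; shift
    n=0
    for pass in $(packet_passes "$kind"); do
        d=${pass%%:*}; rest=${pass#*:}; r=${rest%%:*}; x=${rest#*:}
        if match_opts "$d" "$r" "$x" "$@"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The manpage example rule hits only the second pass of a forwarded packet.
count_matches forwarded out recv ed0 xmit ed1   # prints 1
```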