Date:      Wed, 5 Mar 2014 10:26:32 -0300
From:      Raimundo Santos <raitech@gmail.com>
To:        Andreas Nilsson <andrnils@gmail.com>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: ipfw / routing issue on 9.2-RELEASE
Message-ID:  <CAGQ6iC8-rXTerGBULzm1qo5it4tBnqL89eJn8-9kacsYaMRF+g@mail.gmail.com>
In-Reply-To: <CAPS9+SsbPsQLqu9mwz7nhcn+jMkkj57JUeHOO3U5xm9eXLYb8g@mail.gmail.com>
References:  <CAPS9+SsbPsQLqu9mwz7nhcn+jMkkj57JUeHOO3U5xm9eXLYb8g@mail.gmail.com>

Hello, Andreas.

If table(12) is empty, how will fwd know where to send the packets that
hit it?

Best regards,
Raimundo


On 4 March 2014 02:58, Andreas Nilsson <andrnils@gmail.com> wrote:

> Hello,
>
> I'm having a strange problem with ipfw and/or routing. I've only tested
> this on 9.2-RELEASE-p3, amd64. The machine is sort of acting as router. The
> ruleset is like (ipfw defaults to accept):
>
> $cmd="ipfw -fq "
>
> $cmd add 1 skipto 65534 log all from "table(1)" to any in recv "table(8)"
>
> ...
>
> $cmd add 65534 fwd tablearg all from "table(12)" to any
>
> Table 1 contains prefixes that should skip the normal rules and just pass
> through the box.
>
> Table 8 contains interface names.
>
> Table 12 is empty (so far).
>
> What happens is that packets that trigger the first rule never get to their
> destination. After looking at /var/log/security I see that packets trigger
> the rule, "never to be seen again". There is a route (i.e. not default) for
> the destination, but a tcpdump on the corresponding interface shows
> nothing.
>
>
> On changing the ruleset to
> $cmd="ipfw -fq "
>
> $cmd add 1 skipto 65533 log all from "table(1)" to any in recv "table(8)"
>
> ...
>
> $cmd add 65533 fwd x.y.z.w ip from "table(1)" to any in recv "table(8)"
>
> $cmd add 65534 fwd tablearg all from "table(12)" to any
>
> packets get to where they should.
>
>
> Why do I need the explicit fwd rule? As far as I can see the ipfw man page
> says nothing about skipto changing the packets, and since the 65533 rule in
> the second ruleset triggers on the same thing as the skipto rule it would
> seem like packets are "intact". Why does the kernel not forward those
> packets?
>
>
> Best regards
>
> Andreas Nilsson
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
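The following script is an added example, not code from this thread or from FreeBSD's ipfw. It models the rule search for the two rulesets quoted above (skipto resuming at the first rule numbered >= its target, a fwd rule ending the search, an empty table matching nothing, default accept when the search falls off the end) and adds the check Raimundo's question implies: listing every "fwd tablearg" rule whose source table has no entries, since such a rule can never match. The deny rule standing in for the elided "...", the address 198.51.100.1 in place of x.y.z.w, the table contents and the interface names are all constructed for illustration; the model says nothing about why the kernel drops the packets in the first ruleset, only what the rules as written select.

```python
"""Minimal model of ipfw rule evaluation for the quoted rulesets.

Added example, not FreeBSD code. Supports only the keywords the quoted
ruleset uses: skipto, fwd <addr>|tablearg, allow/deny, "table(N)" address
and interface specs, in/out and recv. All data below is constructed.
"""
import ipaddress
import re
from collections import namedtuple

RULE_RE = re.compile(
    r'^add\s+(?P<num>\d+)\s+(?P<action>skipto\s+\d+|fwd\s+\S+|allow|accept|deny|drop)'
    r'(?:\s+log)?\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+(?P<dir>in|out))?(?:\s+recv\s+(?P<recv>\S+))?\s*$'
)
TABLE_RE = re.compile(r'"?table\((\d+)\)"?')

Rule = namedtuple("Rule", "num action src dst direction recv")
Packet = namedtuple("Packet", "src dst recv direction", defaults=["in"])


def parse_ruleset(text):
    """Parse 'add N action ...' lines; a leading '$cmd' or 'ipfw -fq' is ignored."""
    rules = []
    for line in text.splitlines():
        line = re.sub(r'^\s*(\$cmd|ipfw(\s+-\w+)*)\s+', '', line).strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(Rule(int(m["num"]), m["action"], m["src"], m["dst"], m["dir"], m["recv"]))
    return sorted(rules, key=lambda r: r.num)


def match_addr(tables, spec, ip):
    """Return (matched, tablearg); tablearg is the value stored with the table entry."""
    if spec == "any":
        return True, None
    m = TABLE_RE.fullmatch(spec)
    if m:
        for entry, value in tables.get(int(m.group(1)), {}).items():
            if ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False):
                return True, value
        return False, None          # an empty table matches nothing
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False), None


def match_iface(tables, spec, name):
    if spec is None:
        return True
    m = TABLE_RE.fullmatch(spec)
    return name in tables.get(int(m.group(1)), {}) if m else spec == name


def trace(rules, tables, pkt, default="accept"):
    """Walk the rules for pkt; return (verdict, numbers of the rules that matched)."""
    hits, i = [], 0
    while i < len(rules):
        r = rules[i]
        src_ok, tablearg = match_addr(tables, r.src, pkt.src)
        dst_ok, _ = match_addr(tables, r.dst, pkt.dst)
        if not (src_ok and dst_ok and r.direction in (None, pkt.direction)
                and match_iface(tables, r.recv, pkt.recv)):
            i += 1
            continue
        hits.append(r.num)
        if r.action in ("allow", "accept"):
            return "accept", hits
        if r.action in ("deny", "drop"):
            return "deny", hits
        if r.action.startswith("skipto"):
            # skipto N resumes the search at the first rule numbered >= N
            target = int(r.action.split()[1])
            i = next((j for j, x in enumerate(rules) if x.num >= target), len(rules))
            continue
        # fwd: set the next hop and stop; tablearg takes it from the matching table entry
        nexthop = r.action.split()[1]
        return f"fwd {tablearg if nexthop == 'tablearg' else nexthop}", hits
    return default, hits            # fell off the end: the default rule applies


def empty_tablearg_targets(rules, tables):
    """Numbers of 'fwd tablearg' rules whose source table is empty (they never match)."""
    out = []
    for r in rules:
        m = TABLE_RE.fullmatch(r.src)
        if r.action == "fwd tablearg" and m and not tables.get(int(m.group(1))):
            out.append(r.num)
    return out


# Constructed data: a deny rule stands in for the elided "...", 198.51.100.1 for x.y.z.w.
RULESET_A = """
$cmd add 1 skipto 65534 log all from "table(1)" to any in recv "table(8)"
$cmd add 100 deny all from any to 10.0.0.0/8
$cmd add 65534 fwd tablearg all from "table(12)" to any
"""
RULESET_B = RULESET_A.replace("skipto 65534", "skipto 65533") + \
    '$cmd add 65533 fwd 198.51.100.1 ip from "table(1)" to any in recv "table(8)"\n'
TABLES = {1: {"192.0.2.0/24": None}, 8: {"em0": None}, 12: {}}

if __name__ == "__main__":
    pkt = Packet(src="192.0.2.10", dst="10.1.2.3", recv="em0")
    print("A:", trace(parse_ruleset(RULESET_A), TABLES, pkt))   # ('accept', [1])
    print("B:", trace(parse_ruleset(RULESET_B), TABLES, pkt))   # ('fwd 198.51.100.1', [1, 65533])
    print("never-matching fwd tablearg rules in A:", empty_tablearg_targets(parse_ruleset(RULESET_A), TABLES))
```

With the first ruleset the traced packet matches rule 1, jumps to 65534, fails to match there because table(12) is empty, and reaches the default accept with no next hop set; with the second ruleset the explicit rule 65533 matches and supplies the next hop. The `empty_tablearg_targets` check is the kind of sanity test worth running against a ruleset before loading it.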



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGQ6iC8-rXTerGBULzm1qo5it4tBnqL89eJn8-9kacsYaMRF%2Bg>