From: Andreas Nilsson
To: "Andrey V. Elsukov"
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Date: Wed, 5 Mar 2014 20:44:51 +0100
Subject: Re: ipfw / routing issue on 9.2-RELEASE
In-Reply-To: <531771C8.1040207@yandex.ru>

On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov wrote:
> On 04.03.2014 09:58, Andreas Nilsson wrote:
> > Why do I need the explicit fwd rule? As far as I can see the ipfw man page
> > says nothing about skipto changing the packets, and since the 65533 rule in
> > the second ruleset triggers on the same thing as the skipto rule it would
> > seem like packets are "intact". Why does the kernel not forward those
> > packets?
>
> What is the last rule? I suspect it is "deny all"?

No, the last rule is allow any from any, set via the loader tunable
net.inet.ip.fw.default_to_accept=1

For clarity:

00001        0          0 skipto 65534 log all from table(1) to any in recv table(8)
00002  6331546  601809038 skipto 13 ip from any to any in recv table(8)
00003   821402  247261846 allow ip from table(2) to any
00004        0          0 allow ip from table(3) to me dst-port 2121
00005        0          0 allow ip from table(4) to me dst-port 161
00006        0          0 allow ip from me to table(4) dst-port 162
00007        0          0 allow ip from me to table(5) dst-port 514
00008    20865    7823308 allow ip from table(6) to any dst-port 179
00009  6331564  753767359 allow { gre or ipencap } from table(6) to any
00010     3270     294972 allow icmp from table(7) to any
00011        4        617 allow icmp from any to me icmptypes 3
00012     5075     323759 deny ip from any to me
00013  1656214  123067475 divert tablearg tcp from any to any in recv table(8)
65534        0          0 fwd tablearg ip from table(12) to any
65535 11389470 1158795869 allow ip from any to any

With the above ruleset a packet

1) triggering the first rule (i.e. skipto no-op and the allow from any to any) is lost.

2) triggering the second rule (i.e. skipto divert rule which returns it to the stack) is forwarded.

Best regards
Andreas

> --
> WBR, Andrey V. Elsukov