Date: Tue, 4 Sep 2018 11:00:38 +0300
From: Runer <run00er@gmail.com>
To: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Subject: Re: Ipfw fwd with route(8) RTF_BLACKHOLE and fast forwarding on FreeBSD 11
Message-ID: <a524ca77-0afa-f65c-85b0-f8c4f051aa00@gmail.com>
In-Reply-To: <10c4591a-3d82-bddb-093d-a73da1d9b2b8@grosbein.net>
References: <99f99bf0-59ef-11e7-d1a4-c34a40492308@gmail.com> <10c4591a-3d82-bddb-093d-a73da1d9b2b8@grosbein.net>
Thank you, Eugene, for your reply. You have very clearly explained how to disable fast forwarding via kernel IPsec. From myself I will add: on this object (server), the priority is in favor of fast forwarding. I will do the filtering of ICMP packets with ipfw rules. I think that even with the use of ipfw filter rules on ICMP type, the speed of forwarding packets will not be lower than using the "old forwarding". But still! One always wants to use the most "ideal :)" scheme for solving a specific problem, and in my specific case ipfw fwd + RTF_BLACKHOLE + fast forwarding would be very useful. I hope you, Eugene, understood what I mean! Once again many thanks for your time and help.

03.09.2018 13:12, Eugene Grosbein wrote:
> 03.09.2018 14:02, Runer wrote:
>> Hello Community!
>>
>> A situation has arisen in which ipfw fwd stops working when
>> RTF_BLACKHOLE or RTF_REJECT, route(8), is enabled on FreeBSD 11 release.
>>
>> FreeBSD 11.2-RELEASE-p1
>>
>> route add default 127.0.0.1 -blackhole -iface
>>
>> ipfw show
>> 00100 30 4056 fwd 10.0.0.5 ip from table(1) to not 10.0.0.0/8 in via em0
>>
>> The packet counter changes, but forwarding does not work. On FreeBSD 10 everything works fine.
>> I suppose this is due to the change from forwarding -> fast forwarding by default in FreeBSD 11 and route(8), "BUGS - unless IP fast forwarding is enabled, in which case the meaning of the flag will always be honored."
>> I want to know if it's possible to implement the work of ipfw fwd together with RTF_BLACKHOLE on FreeBSD 11 as before in FreeBSD 10? Thank you in advance!
>>
> As a temporary workaround, you still can disable the fast forwarding path:
>
> - make sure you use the GENERIC kernel or your custom kernel has "options IPSEC_SUPPORT" like GENERIC has;
> - load the ipsec kernel module by means of /boot/loader.conf or /etc/rc.conf;
> - add a dummy security policy:
>
> printf "flush;\nspdflush;\n\nspdadd 100.64.0.1/32 100.64.0.2/32 esp -P out none;\n" > /etc/ipsec.conf
>
> It does nothing but prevents the kernel from using the fast forwarding path for 11.2.
>
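As an added example that is not part of the thread, the script below applies Eugene's workaround end to end on a FreeBSD 11.x host and checks each step: it confirms the kernel has IPsec built in or loadable, loads ipsec.ko and persists that in rc.conf, writes the dummy policy to /etc/ipsec.conf, enables rc.d/ipsec, loads the policy with setkey(8) and then verifies it is really in the kernel SPD. It is my code, not Eugene's or Runer's. It assumes root on FreeBSD 11.x with the standard sysrc(8), kldload(8), sysctl(8) and setkey(8) tools and a kernel built with INCLUDE_CONFIG_FILE (GENERIC has it); the script name, the SAMPLE_SPD_DUMP text and the exact layout of `setkey -DP` output it matches are my assumptions and are not shown anywhere in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: applies Eugene Grosbein's workaround
# (a dummy IPsec SPD entry so the FreeBSD 11 kernel stops taking the fast
# forwarding path) and verifies it.  Usage, as root on FreeBSD 11.x:
#   sh disable-fastfwd.sh apply      # change the system
#   sh disable-fastfwd.sh check      # only exercise the matcher below
# Without an argument only the helper functions are defined; nothing is changed.

IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
# Same otherwise unused addresses Eugene used; the policy never matches real traffic.
DUMMY_SRC="100.64.0.1/32"
DUMMY_DST="100.64.0.2/32"

# The ipsec.conf body from the mail: flush SAD and SPD, then one outbound
# policy that requests no IPsec processing ("-P out none").
ipsec_conf_text() {
    printf 'flush;\nspdflush;\n\nspdadd %s %s esp -P out none;\n' \
        "$DUMMY_SRC" "$DUMMY_DST"
}

# Reads `setkey -DP` output on stdin; exits 0 if the dummy policy is present.
# Assumed dump layout (my recollection of setkey(8), not from the thread):
#   <src>[any] <dst>[any] 255(reserved)
#       out none
# Host addresses are printed without their /32 prefix, hence the strip below.
spd_has_dummy_policy() {
    awk -v src="${DUMMY_SRC%/32}" -v dst="${DUMMY_DST%/32}" '
        $1 == (src "[any]") && $2 == (dst "[any]") { hit = 1; next }
        hit && $1 == "out" && $2 == "none"         { found = 1; exit }
        { hit = 0 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of what `setkey -DP` should show after the workaround;
# used by self_check() so the matcher can be exercised off the box.
SAMPLE_SPD_DUMP='100.64.0.1[any] 100.64.0.2[any] 255(reserved)
	out none
	created: Sep  4 11:00:00 2018  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=1 seq=0 pid=1234
	refcnt=1'

# Returns 0 if the matcher accepts the constructed dump and rejects an
# inbound-only variant, so a typo in the awk cannot masquerade as success.
self_check() {
    printf '%s\n' "$SAMPLE_SPD_DUMP" | spd_has_dummy_policy || return 1
    printf '%s\n' "$SAMPLE_SPD_DUMP" \
        | sed 's/^\([[:space:]]*\)out none/\1in none/' \
        | spd_has_dummy_policy && return 1
    return 0
}

apply_workaround() {
    # 1. IPsec code: built in ("options IPSEC") or loadable ("options IPSEC_SUPPORT").
    #    kern.conftxt is the embedded kernel config; it is empty if the kernel
    #    was built without INCLUDE_CONFIG_FILE, in which case this check fails.
    if sysctl -n kern.conftxt | grep -Eq '^options[[:space:]]+IPSEC([[:space:]]|$)'; then
        echo "IPsec compiled into the kernel, no module needed"
    elif sysctl -n kern.conftxt | grep -Eq '^options[[:space:]]+IPSEC_SUPPORT'; then
        kldload -n ipsec              # -n: no error if already loaded
        sysrc kld_list+="ipsec"       # reload on boot via /etc/rc.conf
    else
        echo "kernel lacks IPSEC_SUPPORT; rebuild with it or use GENERIC" >&2
        return 1
    fi
    # 2. Persist the policy file and have rc.d/ipsec load it on boot.
    ipsec_conf_text > "$IPSEC_CONF"
    sysrc ipsec_enable=YES ipsec_file="$IPSEC_CONF"
    # 3. Load it now and confirm the kernel actually holds the SPD entry.
    setkey -f "$IPSEC_CONF"
    if setkey -DP | spd_has_dummy_policy; then
        echo "dummy SPD entry installed; IPv4 now takes the ordinary forwarding path"
    else
        echo "policy not visible in 'setkey -DP'" >&2
        return 1
    fi
}

case "${1:-}" in
    apply) self_check && apply_workaround ;;
    check) self_check && echo "matcher self-check passed" ;;
esac
```

The matcher is deliberately strict about the direction (`out none`), because an accidental `in` policy would still be a non-empty SPD but would not be what the mail describes; run `sh disable-fastfwd.sh check` on any system first to confirm the awk accepts the constructed dump, then `apply` on the FreeBSD box.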