Subject: Re: Ipfw fwd with route(8) RTF_BLACKHOLE and fast forwarding on FreeBSD 11
To: Eugene Grosbein, freebsd-net@freebsd.org
From: Runer
Date: Tue, 4 Sep 2018 11:00:38 +0300

Thank you, Eugen, for your reply. You have very clearly explained how to disable fast forwarding via kernel ipsec.

For my part, I will add: on this object (server), the priority is in favor of fast forwarding. I will do the ICMP packet filtering with ipfw rules. I think that even with the use of ipfw rules filtering by ICMP type, the speed of forwarding packets will not be lower than using "old forwarding".

But still! One always wants to use the most "ideal )" scheme for solving a specific problem.
And in my specific case, ipfw fwd + RTF_BLACKHOLE + fast forwarding would be very useful. I hope you, Eugen, understood what I mean! Once again, many thanks for your time and help.

03.09.2018 13:12, Eugene Grosbein wrote:
> 03.09.2018 14:02, Runer wrote:
>> Hello Community!
>>
>> A situation has arisen in which ipfw fwd stops working when
>> RTF_BLACKHOLE or RTF_REJECT, route(8), is enabled on FreeBSD 11 release.
>>
>> FreeBSD 11.2-RELEASE-p1
>>
>> route add default 127.0.0.1 -blackhole -iface
>>
>> ipfw show
>> 00100 30 4056 fwd 10.0.0.5 ip from table(1) to not 10.0.0.0/8 in via em0
>>
>> The packet counter changes, but forwarding does not work. On FreeBSD 10 everything works fine. I suppose this is due to changes to forwarding -> fast forwarding by default in FreeBSD 11 and man route(8), “BUGS - unless IP fast forwarding is enabled, in which case the meaning of the flag will always be honored.”
>>
>> I want to know if it's possible to make ipfw fwd work together with RTF_BLACKHOLE on FreeBSD 11, as before in FreeBSD 10? Thank you in advance!
>
> As a temporary workaround, you can still disable the fast forwarding path:
>
> - make sure you use the GENERIC kernel or your custom kernel has "options IPSEC_SUPPORT" like GENERIC has;
> - load the ipsec kernel module by means of /boot/loader.conf or /etc/rc.conf;
> - add a dummy security policy:
>
> printf "flush;\nspdflush;\n\nspdadd 100.64.0.1/32 100.64.0.2/32 esp -P out none;\n" > /etc/ipsec.conf
>
> It does nothing but prevent the kernel from using the fast forwarding path for 11.2
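
The workaround steps quoted above, gathered into one script as an added example that is not part of the thread. The function names `write_dummy_policy`, `policy_is_inert` and `apply_workaround` are made up here, and the `apply` path assumes a FreeBSD 11.2 host with IPSEC_SUPPORT, run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# The policy text is the one from the quoted reply.

IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"

# Write the dummy security policy file from the reply to the given path.
write_dummy_policy() {
    printf 'flush;\nspdflush;\n\nspdadd 100.64.0.1/32 100.64.0.2/32 esp -P out none;\n' > "$1"
}

# Succeed only if the file has at least one spdadd line and every spdadd
# line ends in "-P out none;". A "none" policy applies no IPsec processing,
# so the entry stays a pure placeholder; a discard or ipsec policy that
# slipped into the file would start dropping or transforming real traffic.
policy_is_inert() {
    total=$(grep -c '^spdadd ' "$1" || true)
    inert=$(grep -c '^spdadd .* -P out none;$' "$1" || true)
    [ "$total" -ge 1 ] && [ "$total" -eq "$inert" ]
}

# Load the ipsec module (no-op if already loaded), install the policy file
# into the kernel SPD, then dump the SPD so the result can be inspected.
apply_workaround() {
    kldload -n ipsec || return 1
    setkey -f "$1" || return 1
    setkey -DP
}

# Only touch the system when explicitly asked: sh workaround.sh apply
if [ "${1:-}" = "apply" ]; then
    write_dummy_policy "$IPSEC_CONF"
    if policy_is_inert "$IPSEC_CONF"; then
        apply_workaround "$IPSEC_CONF"
    else
        echo "refusing to load $IPSEC_CONF: non-inert policy present" >&2
        exit 1
    fi
fi
```

Note that `flush;` and `spdflush;` in the policy file clear any existing SAD and SPD entries, so this is only suitable for a host that has no real IPsec configuration.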