Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 2 Feb 2015 15:54:52 -0700
From:      John Nielsen <lists@jnielsen.net>
To:        lev@FreeBSD.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: Does "setfib" in ipfw forces to re-route packet?
Message-ID:  <65FDDA6C-5910-4FBC-B43B-73BB72526AA5@jnielsen.net>
In-Reply-To: <54CEA776.1040505@FreeBSD.org>
References:  <54CEA776.1040505@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Feb 1, 2015, at 3:23 PM, Lev Serebryakov <lev@freebsd.org> wrote:

> "man 8 ipfw" doesn't state, that setting new fib on "out" packet
> (whrn routing decision is done and output interface is known) change
> routing decision:
>=20
> ""The packet is tagged so as to use the FIB (routing table) fibnum in
> any subsequent forwarding decisions.""
>=20
> But according to ip_output.c (around line 527) "setfib" FORCES to
> make NEW decision!
>=20
> Do I read sources right? Maybe, wording in ipfw(8) should be changed?

AFAIK, ipfw's setfib can only be usefully applied to incoming packets =
(before a routing decision is made) that are passing through (and not =
destined for) the FreeBSD machine as a router.

For locally-originated traffic you need to either start your =
application(s) using setfib(1) to begin with or use ipfw fwd rules to =
redirect the traffic (which essentially ignores the original routing =
decision). Be warned that FreeBSD 10.0 had a bug which broke ipfw fwd =
(see the errata).

I use the latter on a multi-homed non-router machine.

$IP1/$CIDR1 is assigned to $IF1, and $GW1 is the default route for the =
system (just one FIB). $IP2/$CIDR2 is assigned to $IF2, and I'd like =
traffic originating from $IP2 to use $GW2 instead of $GW1. $LOCALTABLE =
is an ipfw table containing directly-connected subnets (traffic for =
which does not need to be routed).

ipfw table $LOCALTABLE add $IP1/$CIDR1
ipfw table $LOCALTABLE add $IP2/$CIDR2
ipfw table $LOCALTABLE add 127.0.0.0/8
...
ipfw fwd $GW2 ip from $IP2 to not "table($LOCALTABLE)" out via $IF1


JN

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?65FDDA6C-5910-4FBC-B43B-73BB72526AA5>