On Wed, 5 Mar 2014 20:44:51 +0100, Andreas Nilsson wrote:
 > On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov <bu7c...@yandex.ru> wrote:
 > 
 > > On 04.03.2014 09:58, Andreas Nilsson wrote:
 > > > Why do I need the explicit fwd rule? As far as I can see the ipfw man page
 > > > says nothing about skipto changing the packets, and since the 65533 rule
 > > in
 > > > the second ruleset triggers on the same thing as the skipto rule it would
 > > > seem like packets are "intact". Why does the kernel not forward those
 > > > packets?
 > >
 > > What is the last rule? I suspect it is "deny all"?
 > >
 > 
 > No, last rule is allow any from any set via loader tunable
 > net.inet.ip.fw.default_to_accept=1
 > 
 > For clarity :
 > 
 > 00001        0          0 skipto 65534 log all from table(1) to any in recv table(8)
 > 
 > 00002  6331546  601809038 skipto 13 ip from any to any in recv table(8)
 > 
 > 00003   821402  247261846 allow ip from table(2) to any
 > 
 > 00004        0          0 allow ip from table(3) to me dst-port 2121
 > 
 > 00005        0          0 allow ip from table(4) to me dst-port 161
 > 
 > 00006        0          0 allow ip from me to table(4) dst-port 162
 > 
 > 00007        0          0 allow ip from me to table(5) dst-port 514
 > 
 > 00008    20865    7823308 allow ip from table(6) to any dst-port 179
 > 
 > 00009  6331564  753767359 allow { gre or ipencap } from table(6) to any
 > 
 > 00010     3270     294972 allow icmp from table(7) to any
 > 
 > 00011        4        617 allow icmp from any to me icmptypes 3
 > 
 > 00012     5075     323759 deny ip from any to me
 > 
 > 00013  1656214  123067475 divert tablearg tcp from any to any in recv table(8)
 > 
 > 65534        0          0 fwd tablearg ip from table(12) to any
 > 
 > 65535 11389470 1158795869 allow ip from any to any
 > 
 > With the above ruleset a packet
 > 1) triggering the first rule ( ie skipto no-op and the allow from any to
 > any ) is lost.

The count on rule 1 is zero, so no packets matched it, nor were 'lost'?

 > 2) triggering the second rule (ie skipto divert rule which returns it to
 > the stack ) is forwarded.
 > 
 > Best regards
 > Andreas
 > 
 > >
 > > --
 > > WBR, Andrey V. Elsukov

If at some other times rule 1 IS matched, I suggest some renumbering so 
you can put 'count log' rules both before and after the 'fwd tablearg' 
rule; then if they 'disappear' you can see exactly where.

cheers, Ian
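Ian's suggestion written out as a concrete ruleset, added here as an example and not part of the original thread: Andreas' first ruleset renumbered so that 'count log' rules sit immediately before and after the 'fwd tablearg' rule. Table numbers are taken from the quoted 'ipfw show' output; the new rule numbers and the file path are assumptions.

```ipfw
# Added example, not from the thread. Load with: ipfw -q /etc/ipfw.rules
# Rule numbers below are assumed; tables 1..8 and 12 are the ones in Andreas' output.
# For the 'log' keyword to produce output, net.inet.ip.fw.verbose must be 1.
flush

# Old rule 1: skipto now lands on the first count rule, not directly on the fwd rule.
add 00100 skipto 60000 log all from table(1) to any in recv table(8)
# Old rule 2: skipto target renumbered together with the divert rule.
add 00200 skipto 1300 ip from any to any in recv table(8)

add 00300 allow ip from table(2) to any
add 00400 allow ip from table(3) to me dst-port 2121
add 00500 allow ip from table(4) to me dst-port 161
add 00600 allow ip from me to table(4) dst-port 162
add 00700 allow ip from me to table(5) dst-port 514
add 00800 allow ip from table(6) to any dst-port 179
add 00900 allow { gre or ipencap } from table(6) to any
add 01000 allow icmp from table(7) to any
add 01100 allow icmp from any to me icmptypes 3
add 01200 deny ip from any to me

# Old rule 13 (divert tablearg), target of the skipto in rule 200.
add 01300 divert tablearg tcp from any to any in recv table(8)

# Diagnostic bracket around the forwarding rule:
#  60000 counts every packet that arrives here from the skipto in rule 100;
#  60020 counts only packets that were NOT consumed by fwd (fwd is terminal),
#  so a non-zero 60000 with a zero 60020 means fwd took them, and vice versa.
add 60000 count log ip from table(12) to any
add 60010 fwd tablearg ip from table(12) to any
add 60020 count log ip from table(12) to any

# Packets falling past 60020 reach the default rule 65535, which is 'allow'
# here because of the loader tunable net.inet.ip.fw.default_to_accept=1.
```

Compare the two counters with 'ipfw show 60000 60020' after reproducing the lost-packet case; a packet counted at 60000 but not at 60020 left ipfw through the fwd rule.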
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net