Re: IPFW missing feature

2009-04-17 Thread Chris Cowart
KES wrote:
> Hello, Lowell.
> 
> You wrote on 16 April 2009, 15:22:31:
> 
> LG> KES  writes:
> 
>>>  The tablearg feature provides the ability to use a value, looked up in
>>>  the table, as the argument for a rule action, action parameter or rule
>>>  option.  This can significantly reduce number of rules in some
>>>  configurations.  If two tables are used in a rule, the result of the
>>>  second (destination) is used.  The tablearg argument can be used with
>>>  the following
>>>  actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
>>>  action parameters: tag, untag, rule options: limit, tagged.
>>>
>>>
>>> Why tablearg cannot be used with setfib?
> 
> LG> Because tables are a feature of IPFW, and the FIB isn't.
> 
> setfib is also a feature of ipfw. See man:
> 
>  setfib fibnum
>  The packet is tagged so as to use the FIB (routing table) fibnum
>  in any subsequent forwarding decisions. Initially this is limited
>  to the values  0 through 15. See setfib(8).  Processing continues
>  at the next rule.
> 
> There are no difficulties in using 'tablearg' as 'fibnum'
> 
> ipfw add 3 setfib 2 all from 192.168.0.0/16 to any in recv 
> ipfw add 3 setfib tablearg all from table() to any in recv 
> 
> but right now it is not a mistake to write 'setfib tablearg'. IPFW just
> replaces tablearg in the rule with 0.
> It seems like a bug, because it MUST work in the proper way or NOT
> work at all. IMHO


I use tablearg with netgraph.

For example,
 
ipfw add netgraph tablearg all from 'table(9)' to any in

When I run ipfw show, I see:

02380 408  60358 netgraph tablearg ip from any to table(9) in
  
KES, do you mean to say that when you run `ipfw show' the rule is echoed
back to you as:

setfib 0 all from table() to any in recv 

instead of tablearg?

If that's the case, it sounds like ipfw is parsing the rule incorrectly.
If tablearg isn't supported by setfib, I would expect a syntax error to
be thrown and not a different rule being inserted into your ruleset. If
this is the behavior you're seeing, you should run it by the folks on 
the -net mailing list. That would also be a good place to ask about 
future plans to support this feature.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
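
A pre-flight check of the kind the reply above argues for, as an added example that is not part of the original thread and not code from ipfw: it refuses a rule whose `tablearg` follows a keyword outside the list quoted from ipfw(8) in this thread, and compares a submitted rule with the line `ipfw show` echoes back. The function names, the table number 1, the interface `em0` and the `setfib 0` echo line are constructed placeholders; adjust the keyword list to the ipfw(8) installed on your system.

```shell
#!/bin/sh
# Keywords that accept tablearg, copied from the ipfw(8) text quoted in this thread.
TABLEARG_OK="nat pipe queue divert tee netgraph ngtee fwd skipto tag untag limit tagged"

# tablearg_keywords RULE -> prints, one per line, the keyword each tablearg belongs to.
tablearg_keywords() {
    owner=""
    set -f                                  # no globbing while splitting the rule
    for word in $1; do
        case "$word" in
            tablearg) printf '%s\n' "${owner:-none}" ;;
            src-addr|src-port|dst-addr|dst-port)
                # limit takes mask words before its count; they do not displace it
                [ "$owner" = limit ] || owner=$word ;;
            *) owner=$word ;;
        esac
    done
    set +f
}

# lint_rule RULE -> 0 if every tablearg follows a supported keyword, else 1.
lint_rule() {
    rc=0
    for kw in $(tablearg_keywords "$1"); do
        case " $TABLEARG_OK " in
            *" $kw "*) ;;
            *) echo "reject: tablearg not supported after '$kw'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# echoed_intact SUBMITTED SHOWN -> 1 if a submitted tablearg is missing from
# the line `ipfw show` printed, i.e. a different rule was loaded.
echoed_intact() {
    case " $1 " in *" tablearg "*) ;; *) return 0 ;; esac
    case " $2 " in *" tablearg "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample rules; table number and interface are placeholders.
lint_rule "netgraph tablearg all from table(9) to any in" && echo "ok: netgraph"
lint_rule "setfib tablearg all from table(1) to any in recv em0" \
    || echo "blocked before ipfw add"
echoed_intact "setfib tablearg all from table(1) to any in" \
    "00003 0 0 setfib 0 ip from table(1) to any in" \
    || echo "rule was rewritten on load"
```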




Re: IPFW missing feature

2009-04-17 Thread Lowell Gilbert
KES  writes:

> Hello, Lowell.
>
> You wrote on 16 April 2009, 15:22:31:
>
> LG> KES  writes:
>
>>>  The tablearg feature provides the ability to use a value, looked up in
>>>  the table, as the argument for a rule action, action parameter or rule
>>>  option.  This can significantly reduce number of rules in some
>>>  configurations.  If two tables are used in a rule, the result of the
>>>  second (destination) is used.  The tablearg argument can be used with
>>>  the following
>>>  actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
>>>  action parameters: tag, untag, rule options: limit, tagged.
>>>
>>>
>>> Why tablearg cannot be used with setfib?
>
> LG> Because tables are a feature of IPFW, and the FIB isn't.
>
> setfib is also a feature of ipfw. See man:
>
>  setfib fibnum
>  The packet is tagged so as to use the FIB (routing table) fibnum
>  in any subsequent forwarding decisions. Initially this is limited
>  to the values  0 through 15. See setfib(8).  Processing continues
>  at the next rule.
>
> There are no difficulties in using 'tablearg' as 'fibnum'
>
> ipfw add 3 setfib 2 all from 192.168.0.0/16 to any in recv 
> ipfw add 3 setfib tablearg all from table() to any in recv 
>
> but right now it is not a mistake to write 'setfib tablearg'. IPFW just
> replaces tablearg in the rule with 0.
> It seems like a bug, because it MUST work in the proper way or NOT
> work at all. IMHO

This does not make sense to me.  What do you expect the "tablearg" to be
in the second line you listed?  That keyword is used to apply the output
of an ipfw table lookup, and you haven't used an ipfw table before that
line.  If you want table() to give back a fib to use, then you need
to do that lookup before you do a setfib action.

On the other hand, I don't see any point in doing that, because there
can only be one result for a given address in your table(), so
there's no reason to have more than one FIB.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: IPFW missing feature

2009-04-16 Thread Lowell Gilbert
KES  writes:

>  The tablearg feature provides the ability to use a value, looked up in
>  the table, as the argument for a rule action, action parameter or rule
>  option.  This can significantly reduce number of rules in some
>  configurations.  If two tables are used in a rule, the result of the
>  second (destination) is used.  The tablearg argument can be used with
>  the following
>  actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
>  action parameters: tag, untag, rule options: limit, tagged.
>
>
> Why tablearg cannot be used with setfib?

Because tables are a feature of IPFW, and the FIB isn't.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/