From: "O. Hartmann" <ohartmann@walstatt.org>
To: freebsd-current, freebsd-ipfw@freebsd.org
Date: Tue, 9 Jan 2018 10:28:13 +0100
Subject: ipfw: manpage: semantics of "receive" and "xmit" interfaces

I feel confused by the ipfw manpage while trying to set up a set of filtering rules on a small router project with in-kernel NAT. It is kind of hard, based on the ipfw man page, to figure out what the meaning of the receive and xmit interface is. Maybe it is only me that has problems, but I doubt it, since I tried to ask around my department and it broke loose a discussion - based upon what one can read in the manpage - not reading source codes.

In section RULE OPTIONS, there is recv|xmit|via explained (a bit). There is also an example:

    ipfw add deny ip from any to any out recv ed0 xmit ed1

Can someone explain a bit more what the semantics of these is? I get especially confused by the subsequent blocks of text following the line I mentioned above. Since not everybody using FreeBSD is capable of studying the kernel sources, I have difficulties putting those statements in line with a visualization of the packet flow. A local host receiving a packet destined for the local host can not have an xmit interface? If I imagine that the recv interface might be the interface adjacent directly to the in/out port depicted in section PACKET FLOW, it doesn't give me any idea why there is no xmit interface. If it's my dumb brain missing things, I'm sorry.
Otherwise I'd be glad to have some more information, and maybe the manpage could be enriched with some notes helping other poor people like me.

Thanks in advance,
Oliver


From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "O. Hartmann", freebsd-current, freebsd-ipfw@freebsd.org
Date: Tue, 9 Jan 2018 21:23:54 +0300
Subject: Re: ipfw: manpage: semantics of "receive" and "xmit" interfaces

On 09.01.2018 12:28, O. Hartmann wrote:
> In section RULE OPTIONS, there is recv|xmit|via explained (a bit). There is
> also an example:
>
> ipfw add deny ip from any to any out recv ed0 xmit ed1
>
> Can someone explain a bit more what the semantics of these is? I get especially
> confused by the subsequent blocks of text following the line I mentioned above.
> Since not everybody using FreeBSD is capable of studying the kernel sources, I
> have difficulties putting those statements in line with a visualization of the
> packet flow. A local host receiving a packet destined for the local host can
> not have an xmit interface? If I imagine that the recv interface might be the
> interface adjacent directly to the in/out port depicted in section PACKET FLOW,
> it doesn't give me any idea why there is no xmit interface.

When your system has two interfaces ed0 and ed1, and it acts as a router, a forwarded packet can be checked by the firewall two times:

1. When a packet is received on the ed0 interface, the mbuf associated with this packet gets a property "receiving interface". This packet is checked for the inbound direction and can be matched by the "in" and "recv ed0" opcodes. If it was not dropped by rules, it will go through the IP stack and can be forwarded according to the routing table via interface ed1.

2. When the routing decision was made (i.e. the outbound interface is determined) a packet is checked by the firewall again, now for the outbound direction. And it can be matched by the "out" and "xmit ed1" opcodes. The opcode "recv ed0" still can be matched too, but the "in" opcode will not match.

A packet destined for the local host is consumed by the local IP stack and will not be forwarded. It is checked by the firewall only one time (usually). Thus it can not have an xmit interface.

--
WBR, Andrey V. Elsukov

From: "Rodney W. Grimes" <rgrimes@freebsd.org>
To: "Andrey V. Elsukov"
Cc: "O. Hartmann", freebsd-current, freebsd-ipfw@freebsd.org
Date: Tue, 9 Jan 2018 15:00:10 -0800 (PST)
Subject: Re: ipfw: manpage: semantics of "receive" and "xmit" interfaces

> On 09.01.2018 12:28, O. Hartmann wrote:
> > [...]
>
> When your system has two interfaces ed0 and ed1, and it acts as a router,
> a forwarded packet can be checked by the firewall two times:
>
> 1. When a packet is received on the ed0 interface, the mbuf associated with this
> packet gets a property "receiving interface". This packet is checked for the
> inbound direction and can be matched by the "in" and "recv ed0" opcodes.

in, recv and via options

> If it was not dropped by rules, it will go through the IP stack and can be
> forwarded according to the routing table via interface ed1.
>
> 2. When the routing decision was made (i.e. the outbound interface is
> determined) a packet is checked by the firewall again, now for the outbound
> direction. And it can be matched by the "out" and "xmit ed1" opcodes.

in, recv and via options

> The opcode "recv ed0" still can be matched too, but the "in" opcode will not
> match.
>
> A packet destined for the local host is consumed by the local IP stack and will
> not be forwarded. It is checked by the firewall only one time (usually). Thus
> it can not have an xmit interface.

And a packet generated locally would not have a recv interface.

> --
> WBR, Andrey V. Elsukov

--
Rod Grimes                                                 rgrimes@freebsd.org

From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Date: Wed, 10 Jan 2018 11:19:08 +0000
Subject: [Bug 224730] ipfw dyn_keepalive sends a strange packet

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224730

Andrey V. Elsukov changed: CC added ae@FreeBSD.org

--- Comment #2 from Andrey V. Elsukov ---
This packet is generated by ipfw(4) to cause the remote host to send a reply that will extend the lifetime of the STATE created by a keep-state rule. Since stateful ipfw doesn't track the TCP window, it doesn't set this field in the TCP header. Also it doesn't set any TCP options.


From: "O. Hartmann" <o.hartmann@walstatt.org>
To: "Andrey V. Elsukov"
Cc: freebsd-current, freebsd-ipfw@freebsd.org
Date: Fri, 12 Jan 2018 11:56:47 +0100
Subject: Re: ipfw: manpage: semantics of "receive" and "xmit" interfaces

On Tue, 9 Jan 2018 21:23:54 +0300 "Andrey V. Elsukov" wrote:
> [...]
>
> A packet destined for the local host is consumed by the local IP stack and will
> not be forwarded. It is checked by the firewall only one time (usually). Thus
> it can not have an xmit interface.

Thanks very much for the explanation.
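The two-pass model Andrey describes above (plus Rod's note that a locally generated packet has no recv interface) is easy to get wrong when reading the manpage, so here is an added worked model of it. This is example code written for this archive, not ipfw source and not code from either poster; it assumes the manpage's semantics that "via" matches an interface the packet was either received on or is being sent out of, and uses the same ed0/ed1 names as the manpage example. It also generalizes slightly beyond the thread by covering all three packet paths (forwarded, locally destined, locally generated) for any combination of the four options.

```python
"""Model of which ipfw rule options (in/out, recv, xmit, via) match on each
firewall pass a packet receives.  Constructed example for the three packet
paths discussed in the thread; it is not ipfw source code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Check:
    """One firewall pass: the direction being checked and the interface
    properties the packet carries at that moment."""
    direction: str           # "in" or "out"
    recv_if: Optional[str]   # interface the packet arrived on; None if generated locally
    xmit_if: Optional[str]   # interface chosen by routing; None before routing or for local delivery


def firewall_passes(kind: str, recv_if: str = "ed0", xmit_if: str = "ed1") -> List[Check]:
    """Sequence of firewall checks for the three packet paths in the thread."""
    if kind == "forwarded":
        # Pass 1 on input from ed0.  Pass 2 on output once routing picked ed1;
        # the receiving interface stays attached to the mbuf, so "recv ed0"
        # can still match there while "in" no longer does.
        return [Check("in", recv_if, None), Check("out", recv_if, xmit_if)]
    if kind == "local-destined":
        # Consumed by the local IP stack: a single inbound check, no xmit interface.
        return [Check("in", recv_if, None)]
    if kind == "local-generated":
        # Originates on this host: a single outbound check, no recv interface.
        return [Check("out", None, xmit_if)]
    raise ValueError(f"unknown packet kind: {kind}")


@dataclass(frozen=True)
class RuleOpts:
    direction: Optional[str] = None  # "in", "out" or None (either direction)
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None


def parse_rule_options(text: str) -> RuleOpts:
    """Parse the subset of ipfw rule options used here: [in|out] [recv IF] [xmit IF] [via IF]."""
    toks = text.split()
    fields = {"direction": None, "recv": None, "xmit": None, "via": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            fields["direction"] = tok
            i += 1
        elif tok in ("recv", "xmit", "via"):
            if i + 1 >= len(toks):
                raise ValueError(f"'{tok}' needs an interface name")
            fields[tok] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported rule option: {tok!r}")
    return RuleOpts(**fields)


def option_matches(opts: RuleOpts, chk: Check) -> bool:
    """Apply the rule options to one firewall pass."""
    if opts.direction is not None and opts.direction != chk.direction:
        return False
    if opts.recv is not None and opts.recv != chk.recv_if:
        return False
    if opts.xmit is not None and opts.xmit != chk.xmit_if:
        return False
    # "via" matches an interface the packet was received on OR is being sent out of.
    if opts.via is not None and opts.via not in (chk.recv_if, chk.xmit_if):
        return False
    return True


def matching_passes(rule_options: str, kind: str) -> List[str]:
    """Directions ("in"/"out") of the passes on which the rule options match."""
    opts = parse_rule_options(rule_options)
    return [c.direction for c in firewall_passes(kind) if option_matches(opts, c)]


if __name__ == "__main__":
    for rule in ("out recv ed0 xmit ed1", "recv ed0", "xmit ed1", "via ed1"):
        for kind in ("forwarded", "local-destined", "local-generated"):
            print(f"{rule:24} {kind:16} matches on: {matching_passes(rule, kind) or '-'}")
```

Running it shows why the manpage example `out recv ed0 xmit ed1` can only ever fire on the second (outbound) pass of a forwarded packet: a locally destined packet never gets an xmit interface, and a locally generated one never gets a recv interface, so neither path satisfies both options at once.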
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Date: Sat, 13 Jan 2018 04:10:04 +0000
Subject: [Bug 224730] ipfw dyn_keepalive sends a strange packet

--- Comment #3 from hossy-fbsd@hossy.flnet.org ---
All right, you say this packet is an expected behavior.

BTW, `netstat -s' shows this packet as `completely duplicate packets'. If this packet is for keep-alive, I want `netstat -s' to count it as `duplicate acks', because an ACK-only packet for a normal keep-alive is counted as `duplicate acks'. And my understanding is that `completely duplicate packets' is for analyzing retransmitted TCP packets.

This is an implementation mismatch between ipfw and kern.tcp, isn't it?

From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Date: Sat, 13 Jan 2018 05:17:26 +0000
Subject: [Bug 224730] ipfw dyn_keepalive sends a strange packet

--- Comment #4 from Andrey V. Elsukov ---
These packets are constructed by ipfw and transmitted directly, bypassing the TCP stack. From a quick look, they aren't accounted for in the TCP statistics.

From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Date: Sat, 13 Jan 2018 05:40:06 +0000
Subject: [Bug 224730] ipfw dyn_keepalive sends a strange packet

--- Comment #5 from hossy-fbsd@hossy.flnet.org ---
Yes, but in the case of a TCP connection between lo0 and lo0, the TCP protocol stack is accounting this packet. For example, between a jail environment and another jail environment.
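Comment #2 and comment #4 above describe the shape of the keepalive ipfw sends for a keep-state entry: a bare ACK with the window field left unset and no TCP options, built by ipfw itself rather than by the TCP stack. The following added example (written for this archive, not code from the bug report or from ipfw) parses a raw TCP header and flags segments with that shape, which is useful when deciding whether a `completely duplicate packets` counter or a capture is showing firewall keepalives or real retransmissions. It assumes "doesn't set this field" means the window is zero; the sample segments are constructed, not captures, and the checksum is left at zero because computing it needs the IP pseudo-header.

```python
"""Parse a raw TCP header and flag segments that have the shape of the
keepalive described in bug 224730: ACK only, window field left at zero,
no TCP options, no payload.  Added example with constructed samples."""
import struct
from dataclasses import dataclass

TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# ports, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")


@dataclass(frozen=True)
class TcpSegment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    options: bytes
    payload: bytes


def parse_tcp(segment: bytes) -> TcpSegment:
    """Decode the fixed header, then split options and payload using the data offset."""
    if len(segment) < TCP_HDR.size:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = TCP_HDR.unpack_from(segment)
    data_off = (off_res >> 4) * 4
    if data_off < TCP_HDR.size or data_off > len(segment):
        raise ValueError(f"bad data offset {data_off}")
    return TcpSegment(sport, dport, seq, ack, flags, window,
                      segment[TCP_HDR.size:data_off], segment[data_off:])


def looks_like_ipfw_keepalive(seg: TcpSegment) -> bool:
    """Heuristic from the bug report: bare ACK, zero window, no options, no data.
    A stack-generated zero-window ACK has the same shape, so treat a hit as a hint."""
    return seg.flags == TH_ACK and seg.window == 0 and not seg.options and not seg.payload


def build_tcp(sport, dport, seq, ack, flags, window, options=b"", payload=b"") -> bytes:
    """Assemble a segment for the samples below (checksum left 0, see lead-in)."""
    if len(options) % 4:
        options += b"\x01" * (4 - len(options) % 4)   # pad with NOPs to a 32-bit boundary
    data_off = TCP_HDR.size // 4 + len(options) // 4
    header = TCP_HDR.pack(sport, dport, seq, ack, data_off << 4, flags, window, 0, 0)
    return header + options + payload


# Constructed samples.  The second is the shape a host's own TCP keepalive
# tends to have: an ACK carrying a real window and a timestamp option.
SAMPLES = {
    "ipfw-style keepalive": build_tcp(40000, 22, 1000, 2000, TH_ACK, 0),
    "stack keepalive": build_tcp(40000, 22, 1000, 2000, TH_ACK, 65535,
                                 options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    "data segment": build_tcp(40000, 22, 1000, 2000, TH_PUSH | TH_ACK, 65535,
                              payload=b"hello"),
}


def classify_samples() -> dict:
    """Map each sample name to whether it is keepalive-shaped."""
    return {name: looks_like_ipfw_keepalive(parse_tcp(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:22} keepalive-shaped: {hit}")
```

Only the first sample is flagged; the stack-style keepalive is rejected on its non-zero window and options, and the data segment on its PSH flag and payload. The check is deliberately narrow: a firewall keepalive seen on a real interface is distinguishable by shape, while on lo0 (comment #5) the local TCP stack sees and counts the same segment regardless.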