Date: Thu, 23 Mar 2006 06:00:06 -0800 From: Luigi Rizzo <rizzo@icir.org> To: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua> Cc: FreeBSD-ipfw@freebsd.org Subject: Re: IPFW1->2 regression: "in/out/via any" ignored Message-ID: <20060323060006.A66681@xorpc.icir.org> In-Reply-To: <20060323133729.D63213@atlantis.atlantis.dp.ua>; from dmitry@atlantis.dp.ua on Thu, Mar 23, 2006 at 02:03:20PM %2B0200 References: <20060323133729.D63213@atlantis.atlantis.dp.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Mar 23, 2006 at 02:03:20PM +0200, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> I've found a serious regression during the IPFW1->2 transition. I'm using
> "recv any" construction to match transit packets only. Manpage ipfw(8) clearly
> says:
>
> recv | xmit | via {ifX | if* | ipno | any}
> Matches packets received, transmitted or going through, respec-
> tively, the interface specified by exact name (ifX), by device
> name (if*), by IP address, or through some interface.
> ...........................................^^^^^^^^^^^^^^^^^^^^^^
>
> A packet may not have a receive or transmit interface: packets
> originating from the local host have no receive interface, while
> packets destined for the local host have no transmit interface.
The second part of this paragraph is surely incorrect - there is no transmit
interface for packets in the inbound path (i.e. while they are in ip_input())
whether or not they are destined locally. So 'xmit any' does not make
any sense.
For locally generated packets i admit 'recv any' may be of some use,
and this is unsupported. There are probably workaround such as 'src-ip me'
which may be of some help here although this particular instruction
can be expensive as it has to scan the list of local addresses.
cheers
luigi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060323060006.A66681>