From owner-freebsd-net@FreeBSD.ORG Wed Apr 22 17:18:03 2009
Message-ID: <49EF514A.5080103@elischer.org>
Date: Wed, 22 Apr 2009 10:18:02 -0700
From: Julian Elischer
To: Chris Cowart
References: <1812419482.20090422200106@yandex.ru>
In-Reply-To: <1812419482.20090422200106@yandex.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW missing feature
List-Id: Networking and TCP/IP with FreeBSD

Chris Cowart wrote:
> KES wrote:
>> ????????????, Lowell.
>>
>> ?? ?????? 16 ?????? 2009 ?., 15:22:31:
>>
>> LG> KES writes:
>>
>>>> The tablearg feature provides the ability to use a value, looked up in
>>>> the table, as the argument for a rule action, action parameter or rule
>>>> option.
>>>> This can significantly reduce number of rules in some configurations.
>>>> If two tables are used in a rule, the result of the second
>>>> (destination) is used. The tablearg argument can be used with the
>>>> following actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd,
>>>> skipto action parameters: tag, untag, rule options: limit, tagged.
>>>>
>>>>
>>>> Why can't tablearg be used with setfib?
>> LG> Because tables are a feature of IPFW, and the FIB isn't.
>>
>> setfib is also a feature of ipfw. See man:
>>
>> setfib fibnum
>>         The packet is tagged so as to use the FIB (routing table) fibnum
>>         in any subsequent forwarding decisions. Initially this is limited
>>         to the values 0 through 15. See setfib(8). Processing continues
>>         at the next rule.
>>
>> There are no difficulties in using 'tablearg' as 'fibnum'
>>
>> ipfw add 3 setfib 2 all from 192.168.0.0/16 to any in recv
>> ipfw add 3 setfib tablearg all from table() to any in recv
>>
>> but now it is not a mistake to write 'setfib tablearg'. IPFW just
>> replaces tablearg in the rule with 0
>> It seems like a bug, because it MUST work in the proper way or NOT
>> work at all. IMHO
>
>
> I use tablearg with netgraph.
>
> For example,
>
> ipfw add netgraph tablearg all from 'table(9)' to any in
>
> When I run ipfw show, I see:
>
> 02380 408 60358 netgraph tablearg ip from any to table(9) in
>
> KES, do you mean to say that when you run `ipfw show' the rule is echoed
> back to you as:
>
> setfib 0 all from table() to any in recv
>
> instead of tablearg?
>
> If that's the case, it sounds like ipfw is parsing the rule incorrectly.
> If tablearg isn't supported by setfib, I would expect a syntax error to
> be thrown and not a different rule being inserted into your ruleset. If
> this is the behavior you're seeing, you should run it by the folks on
> the -net mailing list. That would also be a good place to ask about
> future plans to support this feature.
>

Unfortunately 'tablearg' is not implemented in the code as a generic thing, but rather needs to be implemented separately for each place where it may be used. In this case I simply didn't think of it when I added setfib. It does make sense to allow it and I will consider adding this in the future as it would be useful for policy routing.
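
The failure mode discussed in this thread is a rule that is accepted without error but loaded with a different argument, so a ruleset is worth checking against `ipfw show` after loading. The following is an added example, not part of the original messages and not FreeBSD code. It assumes each rule starts with its action (no `prob` or `log` prefix); the names `audit`, `parse_show_line`, `parse_intended`, the `table(1)`/`em0` placeholders and the sample `setfib 0` line are constructed for illustration.

```python
import re

# Actions the ipfw(8) text quoted in this thread lists as accepting tablearg.
TABLEARG_ACTIONS = {"nat", "pipe", "queue", "divert", "tee",
                    "netgraph", "ngtee", "fwd", "skipto"}

def parse_show_line(line):
    """'02380 408 60358 netgraph tablearg ip ...' -> (2380, 'netgraph', 'tablearg')."""
    m = re.match(r"\s*(\d+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)", line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def parse_intended(rule):
    """'add [number] action arg ...' as typed after `ipfw` -> (number, action, arg)."""
    tok = ["ip" if t == "all" else t for t in rule.split()]  # show prints 'all' as 'ip'
    if tok and tok[0] == "add":
        tok = tok[1:]
    num = None
    if tok and tok[0].isdigit():
        num, tok = int(tok[0]), tok[1:]
    if len(tok) < 2:
        raise ValueError("rule too short: %r" % rule)
    return num, tok[0], tok[1]

def audit(intended, show_output):
    """Return (rule, reason) pairs for rules that did not load as written."""
    loaded = [p for p in map(parse_show_line, show_output.splitlines()) if p]
    findings = []
    for rule in intended:
        num, action, arg = parse_intended(rule)
        if arg == "tablearg" and action not in TABLEARG_ACTIONS:
            findings.append((rule, "tablearg is not documented for " + action))
        # Rules without an explicit number are matched on the action alone.
        seen = [a for n, act, a in loaded if act == action and num in (None, n)]
        if arg not in seen:
            got = ", ".join(seen) or "nothing"
            findings.append((rule, "kernel holds %s %s" % (action, got)))
    return findings

# Constructed sample. table(1) and em0 are placeholders; the 'setfib 0' line
# models the rewrite reported in the thread and is not captured output.
INTENDED = [
    "add 3 setfib tablearg all from table(1) to any in recv em0",
    "add netgraph tablearg all from table(9) to any in",
]
SHOW_OUTPUT = """\
00003 0 0 setfib 0 ip from table(1) to any in recv em0
02380 408 60358 netgraph tablearg ip from any to table(9) in
"""

if __name__ == "__main__":
    for rule, reason in audit(INTENDED, SHOW_OUTPUT):
        print("MISMATCH: %s -> %s" % (rule, reason))
```

Run against real output, the check fails closed on any rule whose loaded action argument differs from the one in the ruleset file, which is the condition under which policy routing would send matching traffic through FIB 0 instead of the intended table.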