Date: Fri, 17 Apr 2009 10:28:51 -0700
From: Chris Cowart <ccowart@rescomp.berkeley.edu>
To: KES <kes-kes@yandex.ru>
Cc: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>, freebsd-questions@freebsd.org
Subject: Re: IPFW missing feature
Message-ID: <20090417172851.GC40655@hal.rescomp.berkeley.edu>
In-Reply-To: <598016517.20090416214131@yandex.ru>
References: <1873052356.20090416001047@yandex.ru> <44eivsbxfc.fsf@lowell-desk.lan> <598016517.20090416214131@yandex.ru>

KES wrote:
> ????????????, Lowell.
>
> ?? ?????? 16 ?????? 2009 ?., 15:22:31:
>
> LG> KES <kes-kes@yandex.ru> writes:
>
>>> The tablearg feature provides the ability to use a value, looked up in
>>> the table, as the argument for a rule action, action parameter or rule
>>> option.  This can significantly reduce number of rules in some
>>> configurations.  If two tables are used in a rule, the result of the
>>> second (destination) is used.  The tablearg argument can be used with
>>> the following actions: nat, pipe, queue, divert, tee, netgraph, ngtee,
>>> fwd, skipto action parameters: tag, untag, rule options: limit, tagged.
>>>
>>>
>>> Why can't tablearg be used with setfib?
>
> LG> Because tables are a feature of IPFW, and the FIB isn't.
>
> setfib is also a feature of ipfw. See man:
>
>   setfib fibnum
>       The packet is tagged so as to use the FIB (routing table) fibnum
>       in any subsequent forwarding decisions.  Initially this is limited
>       to the values 0 through 15.  See setfib(8).  Processing continues
>       at the next rule.
>
> There are no difficulties in using 'tablearg' as 'fibnum'
>
> ipfw add 3 setfib 2 all from 192.168.0.0/16 to any in recv <IFACE>
> ipfw add 3 setfib tablearg all from table(<X>) to any in recv <IFACE>
>
> but now it is not a mistake to write 'setfib tablearg'. IPFW just
> replaces tablearg in the rule with 0.
> It seems like a bug, because it MUST work in the proper way or NOT
> work at all. IMHO

I use tablearg with netgraph. For example,

  ipfw add netgraph tablearg all from 'table(9)' to any in

When I run ipfw show, I see:

  02380 408 60358 netgraph tablearg ip from any to table(9) in

KES, do you mean to say that when you run `ipfw show' the rule is echoed
back to you as:

  setfib 0 all from table(<X>) to any in recv <IFACE>

instead of tablearg? If that's the case, it sounds like ipfw is parsing
the rule incorrectly. If tablearg isn't supported by setfib, I would
expect a syntax error to be thrown and not a different rule being
inserted into your ruleset.

If this is the behavior you're seeing, you should run it by the folks on
the -net mailing list. That would also be a good place to ask about
future plans to support this feature.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
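
The check discussed in this message (is the rule that `ipfw show` echoes back the rule that was typed?), as an added example that is not part of the original e-mail or of ipfw itself. The typed rules and the `setfib 0` listing line are constructed samples, `table(1)` and `em0` are placeholders, and the normalisation covers only the quote stripping and the `all` to `ip` rewrite visible in the listing quoted above.

```shell
#!/bin/sh
# Added example: detect a firewall rule that was stored differently from
# how it was typed, instead of being rejected with a syntax error.

# Normalise a rule body as typed after "ipfw add [number]" to the form the
# listing uses: shell quotes dropped, protocol "all" printed as "ip",
# runs of blanks squeezed.
normalize_rule() {
    printf '%s\n' "$1" | tr -d "'\"" | tr '\t' ' ' | tr -s ' ' |
        sed -e 's/^ //' -e 's/ $//' -e 's/ all from / ip from /'
}

# Strip the rule number and the packet and byte counters that
# "ipfw show" prints in front of each rule body.
show_body() {
    printf '%s\n' "$1" | tr '\t' ' ' | tr -s ' ' |
        sed -e 's/^ //' -e 's/ $//' \
            -e 's/^[0-9][0-9]* [0-9][0-9]* [0-9][0-9]* //'
}

# check_rule TYPED SHOW_LINE
# Prints "ok" and returns 0 when the listed rule matches what was typed,
# prints both forms and returns 1 when the rule was silently rewritten.
check_rule() {
    want=$(normalize_rule "$1")
    got=$(show_body "$2")
    if [ "$want" = "$got" ]; then
        echo "ok"
        return 0
    fi
    echo "rewritten: typed [$want] listed [$got]"
    return 1
}

# Constructed samples. On a live system the second argument would be the
# output line of "ipfw show <rule number>" taken right after "ipfw add".
check_rule "netgraph tablearg all from any to 'table(9)' in" \
    "02380 408 60358 netgraph tablearg ip from any to table(9) in" || true
check_rule "setfib tablearg all from 'table(1)' to any in recv em0" \
    "00003 0 0 setfib 0 ip from table(1) to any in recv em0" || true
```

Run after every ruleset load, a non-zero return from `check_rule` flags a rule whose stored form differs from the intended one before traffic depends on it.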