Date:      Tue, 4 Mar 2014 06:58:14 +0100
From:      Andreas Nilsson <andrnils@gmail.com>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   ipfw / routing issue on 9.2-RELEASE
Message-ID:  <CAPS9%2BSsbPsQLqu9mwz7nhcn%2BjMkkj57JUeHOO3U5xm9eXLYb8g@mail.gmail.com>

Hello,

I'm having a strange problem with ipfw and/or routing. I've only tested
this on 9.2-RELEASE-p3, amd64. The machine is sort of acting as router. The
ruleset is like (ipfw defaults to accept):

cmd="ipfw -fq"

$cmd add 1 skipto 65534 log all from "table(1)" to any in recv "table(8)"

...

$cmd add 65534 fwd tablearg all from "table(12)" to any

Table 1 contains prefixes that should skip the normal rules and just pass
through the box.

Table 8 contains interface names.

Table 12 is empty (so far).

What happens is that packets that trigger the first rule never get to their
destination. After looking at /var/log/security I see that packets trigger
the rule, "never to be seen again". There is a route (i.e. not default) for
the destination, but a tcpdump on the corresponding interface shows nothing.


On changing the ruleset to
cmd="ipfw -fq"

$cmd add 1 skipto 65533 log all from "table(1)" to any in recv "table(8)"

...

$cmd add 65533 fwd x.y.z.w ip from "table(1)" to any in recv "table(8)"

$cmd add 65534 fwd tablearg all from "table(12)" to any

packets get to where they should.


Why do I need the explicit fwd rule? As far as I can see the ipfw man page
says nothing about skipto changing the packets, and since the 65533 rule in
the second ruleset triggers on the same thing as the skipto rule it would
seem like packets are "intact". Why does the kernel not forward those
packets?


Best regards

Andreas Nilsson
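As an added diagnostic (not part of the original post), a small POSIX sh helper that reads counter output in the shape of `ipfw -a list` and reports which rules have actually matched packets, so that a "never to be seen again" packet can be placed at the skipto target, at the default rule 65535, or at neither. The listing in the script is constructed to mirror the ruleset above; it is not taken from the poster's system.

```shell
#!/bin/sh
# Added example, not from the original post. The listing below is a
# constructed sample in the layout of `ipfw -a list` (rule number, packet
# counter, byte counter, then the rule body); on a real box feed in the
# output of `ipfw -a list` instead.
SAMPLE_LISTING='00001       12       960 skipto 65534 log ip from table(1) to any in recv table(8)
00100        0         0 deny ip from any to any via lo0
65534        0         0 fwd tablearg ip from table(12) to any
65535       12       960 allow ip from any to any'

# hit_rules LISTING: print "rule packets action" for every rule whose packet
# counter is non-zero, i.e. every rule that has matched traffic.
hit_rules() {
    printf '%s\n' "$1" | awk '$2 > 0 { printf "%s %s %s\n", $1, $2, $4 }'
}

# where_after_skipto LISTING TARGET: compare the packets counted at the
# skipto rule with the counters at its TARGET rule and at the default rule
# 65535, and say where the skipped packets were accounted for.
where_after_skipto() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $4 == "skipto"       { skipped = $2 }
        $1 + 0 == target + 0 { at_target = $2 }
        $1 == "65535"        { at_default = $2 }
        END {
            if (skipped == 0) { print "no packets matched the skipto rule"; exit }
            if (at_target > 0)             print "counted at target " target
            else if (at_default >= skipped) print "counted only at default rule 65535"
            else                            print "not counted at target or default"
        }'
}

hit_rules "$SAMPLE_LISTING"
where_after_skipto "$SAMPLE_LISTING" 65534
```

In the constructed sample the skipped packets reappear only at rule 65535, which is what you would expect when the fwd rule at 65534 does not match because its table is empty; comparing the counters this way is cheaper than a tcpdump on every candidate interface.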


