Date:      Wed, 5 Mar 2014 20:44:51 +0100
From:      Andreas Nilsson <andrnils@gmail.com>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: ipfw / routing issue on 9.2-RELEASE
Message-ID:  <CAPS9+StX7Dbrh5dYJN2K_4pimc91L86YWmfWeaZ+gLaEDhWe5A@mail.gmail.com>
In-Reply-To: <531771C8.1040207@yandex.ru>
References:  <CAPS9+SsbPsQLqu9mwz7nhcn+jMkkj57JUeHOO3U5xm9eXLYb8g@mail.gmail.com> <531771C8.1040207@yandex.ru>

On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:

> On 04.03.2014 09:58, Andreas Nilsson wrote:
> > Why do I need the explicit fwd rule? As far as I can see the ipfw man page
> > says nothing about skipto changing the packets, and since the 65533 rule in
> > the second ruleset triggers on the same thing as the skipto rule it would
> > seem like packets are "intact". Why does the kernel not forward those
> > packets?
>
> What is the last rule? I suspect it is "deny all"?
>

No, the last rule is allow any from any, set via the loader tunable
net.inet.ip.fw.default_to_accept=1.

For clarity:

00001        0          0 skipto 65534 log all from table(1) to any in recv table(8)
00002  6331546  601809038 skipto 13 ip from any to any in recv table(8)
00003   821402  247261846 allow ip from table(2) to any
00004        0          0 allow ip from table(3) to me dst-port 2121
00005        0          0 allow ip from table(4) to me dst-port 161
00006        0          0 allow ip from me to table(4) dst-port 162
00007        0          0 allow ip from me to table(5) dst-port 514
00008    20865    7823308 allow ip from table(6) to any dst-port 179
00009  6331564  753767359 allow { gre or ipencap } from table(6) to any
00010     3270     294972 allow icmp from table(7) to any
00011        4        617 allow icmp from any to me icmptypes 3
00012     5075     323759 deny ip from any to me
00013  1656214  123067475 divert tablearg tcp from any to any in recv table(8)
65534        0          0 fwd tablearg ip from table(12) to any
65535 11389470 1158795869 allow ip from any to any

With the above ruleset a packet
1) triggering the first rule (i.e. skipto, no-op and the allow from any to
any) is lost.
2) triggering the second rule (i.e. skipto to the divert rule, which returns it
to the stack) is forwarded.

Best regards
Andreas

>
> --
> WBR, Andrey V. Elsukov
>
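The following is an added example, not code from the thread or from FreeBSD: a small first-match tracer for an ipfw-style ruleset, useful when reading counters like the ones above to confirm which rule actually terminated a packet. It models the ipfw(8) semantics relevant here: rules are walked in order, allow/deny/fwd terminate the search, skipto continues at the first rule numbered at or above the target, and a divert rule is treated as resuming at the next rule after the divert socket reinjects the packet (a simplification of what a real divert consumer does). The table contents, interface names, the "me" address set and the packets are constructed for the example; rules 4 to 11 from the listing are omitted because they do not affect the traced packets. The traces show that a source in table(1) skips straight to 65534 and, unless it is also in table(12), falls through to the final allow without ever matching fwd, which is consistent with the zero counter on rule 65534.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed table contents (hypothetical addresses, not from the thread).
ADDR_TABLES = {
    1: ["192.0.2.0/24"],        # sources that rule 1 sends to 65534
    2: ["198.51.100.0/24"],     # sources allowed outright by rule 3
    12: ["192.0.2.7/32"],       # sources that have a fwd next-hop in rule 65534
}
IFACE_TABLES = {8: {"em0"}}     # interface table used by "recv table(8)"
ME = {"203.0.113.1"}            # addresses the firewall host owns ("me")


def in_table(n: int, addr: str) -> bool:
    """True if addr falls in any prefix stored in address table n."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ADDR_TABLES.get(n, []))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    recv: str           # interface the packet arrived on
    direction: str = "in"


@dataclass
class Rule:
    number: int
    action: str                          # allow | deny | skipto | fwd | divert
    match: Callable[[Packet], bool]
    arg: Optional[int] = None            # skipto target (divert port omitted)


def first_rule_at_or_after(rules: List[Rule], n: int) -> int:
    """Index of the first rule numbered >= n (skipto semantics)."""
    for i, r in enumerate(rules):
        if r.number >= n:
            return i
    return len(rules)


def trace(rules: List[Rule], pkt: Packet, max_steps: int = 100) -> Tuple[List[int], str]:
    """Return (numbers of rules that matched, terminal verdict) for pkt."""
    path: List[int] = []
    i = 0
    while i < len(rules) and len(path) < max_steps:
        r = rules[i]
        if not r.match(pkt):
            i += 1
            continue
        path.append(r.number)
        if r.action in ("allow", "deny", "fwd"):
            return path, r.action        # search terminates on these actions
        if r.action == "skipto":
            i = first_rule_at_or_after(rules, r.arg)
            continue
        if r.action == "divert":
            i += 1                       # assumption: reinjected, resume at next rule
            continue
        raise ValueError(f"unknown action {r.action}")
    return path, "no match"


def in_on_table8(p: Packet) -> bool:
    return p.direction == "in" and p.recv in IFACE_TABLES[8]


# Subset of the posted ruleset, expressed as predicates over a Packet.
RULES = [
    Rule(1, "skipto", lambda p: in_on_table8(p) and in_table(1, p.src), arg=65534),
    Rule(2, "skipto", lambda p: in_on_table8(p), arg=13),
    Rule(3, "allow", lambda p: in_table(2, p.src)),
    Rule(12, "deny", lambda p: p.dst in ME),
    Rule(13, "divert", lambda p: p.proto == "tcp" and in_on_table8(p)),
    Rule(65534, "fwd", lambda p: in_table(12, p.src)),
    Rule(65535, "allow", lambda p: True),
]

# Constructed sample packets covering the two cases described in the mail.
SAMPLES = {
    "table1-src-not-in-table12": Packet("192.0.2.10", "203.0.113.50", "tcp", "em0"),
    "table1-src-in-table12": Packet("192.0.2.7", "203.0.113.50", "tcp", "em0"),
    "other-src-via-divert": Packet("198.51.100.9", "203.0.113.50", "tcp", "em0"),
    "to-me-from-other-iface": Packet("203.0.113.9", "203.0.113.1", "udp", "em1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        path, verdict = trace(RULES, pkt)
        print(f"{name:28s} path={path} verdict={verdict}")
```

Running the block prints one line per sample. When the real counters are consulted, the same reasoning applies: a packet that took rule 1 and was never seen by rule 65534 has, by first-match semantics, ended at 65535, so whatever happens to it afterwards is not a fwd decision.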
