Date:      Thu, 6 Mar 2014 15:00:10 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Andreas Nilsson <andrnils@gmail.com>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, "Andrey V. Elsukov" <bu7cher@yandex.ru>
Subject:   Re: ipfw / routing issue on 9.2-RELEASE
Message-ID:  <20140306145231.Q75313@sola.nimnet.asn.au>
In-Reply-To: <CAPS9%2BStX7Dbrh5dYJN2K_4pimc91L86YWmfWeaZ%2BgLaEDhWe5A@mail.gmail.com>
References:  <CAPS9%2BSsbPsQLqu9mwz7nhcn%2BjMkkj57JUeHOO3U5xm9eXLYb8g@mail.gmail.com> <531771C8.1040207@yandex.ru> <CAPS9%2BStX7Dbrh5dYJN2K_4pimc91L86YWmfWeaZ%2BgLaEDhWe5A@mail.gmail.com>

On Wed, 5 Mar 2014 20:44:51 +0100, Andreas Nilsson wrote:
 > On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
 > 
 > > On 04.03.2014 09:58, Andreas Nilsson wrote:
 > > > Why do I need the explicit fwd rule? As far as I can see the ipfw man page
 > > > says nothing about skipto changing the packets, and since the 65533 rule in
 > > > the second ruleset triggers on the same thing as the skipto rule it would
 > > > seem like packets are "intact". Why does the kernel not forward those
 > > > packets?
 > >
 > > What is the last rule? I suspect it is "deny all"?
 > >
 > 
 > No, last rule is allow any from any set via loader tunable
 > net.inet.ip.fw.default_to_accept=1
 > 
 > For clarity :
 > 
 > 00001        0          0 skipto 65534 log all from table(1) to any in recv table(8)
 > 
 > 00002  6331546  601809038 skipto 13 ip from any to any in recv table(8)
 > 
 > 00003   821402  247261846 allow ip from table(2) to any
 > 
 > 00004        0          0 allow ip from table(3) to me dst-port 2121
 > 
 > 00005        0          0 allow ip from table(4) to me dst-port 161
 > 
 > 00006        0          0 allow ip from me to table(4) dst-port 162
 > 
 > 00007        0          0 allow ip from me to table(5) dst-port 514
 > 
 > 00008    20865    7823308 allow ip from table(6) to any dst-port 179
 > 
 > 00009  6331564  753767359 allow { gre or ipencap } from table(6) to any
 > 
 > 00010     3270     294972 allow icmp from table(7) to any
 > 
 > 00011        4        617 allow icmp from any to me icmptypes 3
 > 
 > 00012     5075     323759 deny ip from any to me
 > 
 > 00013    1656214  123067475 divert tablearg tcp from any to any in recv table(8)
 > 
 > 65534        0          0 fwd tablearg ip from table(12) to any
 > 
 > 65535 11389470 1158795869 allow ip from any to any
 > 
 > With the above ruleset a packet
 > 1) triggering the first rule ( ie skipto no-op and the allow from any to
 > any ) is lost.

The count on rule 1 is zero, so no packets matched it, nor were 'lost'?

 > 2) triggering the second rule (ie skipto divert rule which returns it to
 > the stack ) is forwarded.
 > 
 > Best regards
 > Andreas
 > 
 > >
 > > --
 > > WBR, Andrey V. Elsukov

If at some other times rule 1 IS matched, I suggest some renumbering so 
you can put 'count log' rules both before and after the 'fwd tablearg' 
rule; then if they 'disappear' you can see exactly where.

cheers, Ian
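An added example (not from this thread, nor part of FreeBSD's ipfw) of the tracing approach suggested above: parse two snapshots of `ipfw -a list` counters and report which watched rules advanced, assuming a renumbered ruleset with 'count log' rules 65530 and 65532 either side of a 'fwd tablearg' rule at 65531; the snapshots are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots (not from the thread) of `ipfw -a list` output,
# in the same format as the ruleset quoted above, renumbered so that 'count log'
# rules (65530 and 65532) sit either side of the 'fwd tablearg' rule (65531).
BEFORE = """\
00001        0          0 skipto 65530 log all from table(1) to any in recv table(8)
00013  1656214  123067475 divert tablearg tcp from any to any in recv table(8)
65530        0          0 count log ip from any to any
65531        0          0 fwd tablearg ip from table(12) to any
65532        0          0 count log ip from any to any
65535 11389470 1158795869 allow ip from any to any
"""
AFTER = """\
00001       17       1836 skipto 65530 log all from table(1) to any in recv table(8)
00013  1656214  123067475 divert tablearg tcp from any to any in recv table(8)
65530       17       1836 count log ip from any to any
65531       17       1836 fwd tablearg ip from table(12) to any
65532        0          0 count log ip from any to any
65535 11389470 1158795869 allow ip from any to any
"""

# One line of `ipfw -a list`: rule number, packet count, byte count, rule body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_counters(listing: str) -> Dict[int, Tuple[int, int, str]]:
    """Map rule number -> (packets, bytes, body) from `ipfw -a list` output."""
    rules: Dict[int, Tuple[int, int, str]] = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules


def packet_deltas(before: str, after: str) -> Dict[int, int]:
    """Packets matched per rule between the two snapshots, in rule order."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n][0] - b[n][0] for n in sorted(a) if n in b}


def last_rule_hit(before: str, after: str, watched: List[int]) -> int:
    """Return the last watched rule (in ruleset order) whose counter advanced, or -1.

    A hit on the count rule before 'fwd' but none on the count rule after it
    shows the packets left the ruleset at the fwd rule rather than falling
    through to the default rule.
    """
    deltas = packet_deltas(before, after)
    hits = [n for n in sorted(watched) if deltas.get(n, 0) > 0]
    return hits[-1] if hits else -1
```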