IPFW missing feature

Julian Elischer julian at elischer.org
Wed Apr 22 17:18:03 UTC 2009 

Chris Cowart wrote:
> KES wrote:
>> ????????????, Lowell.
>>
>> ?? ?????? 16 ?????? 2009 ?., 15:22:31:
>>
>> LG> KES <kes-kes at yandex.ru> writes:
>>
>>>>      The tablearg feature provides the ability to use a value, looked up in
>>>>      the table, as the argument for a rule action, action parameter or rule
>>>>      option.  This can significantly reduce number of rules in some configura-
>>>>      tions.  If two tables are used in a rule, the result of the second (des-
>>>>      tination) is used.  The tablearg argument can be used with the following
>>>>      actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
>>>>      action parameters: tag, untag, rule options: limit, tagged.
>>>>
>>>>
>>>> Why tablearg cannot be used with setfib?
>> LG> Because tables are a feature of IPFW, and the FIB isn't.
>>
>> setfib is also feature of ipfw. see man:
>>
>>      setfib fibnum
>>              The packet is tagged so as to use the FIB (routing table) fibnum
>>              in any subsequent forwarding decisions. Initially this is limited
>>              to the values  0 through 15. See setfib(8).  Processing continues
>>              at the next rule.
>>
>> There is no any difficulties to use 'tablearg' as 'fibnum'
>>
>> ipfw add 3 setfib 2 all from 192.168.0.0/16 to any in recv <IFACE>
>> ipfw add 3 setfib tablearg all from table(<X>) to any in recv <IFACE>
>>
>> but now this is not mistake to write 'setfib tablearg'. IPFW just
>> replace tablearg in rule with 0
>> It seems like a bug. because of it MUST work in proper way or DO NOT
>> work at all. IMHO
> 
> 
> I use tablearg with netgraph.
> 
> For example,
>      
> ipfw add netgraph tablearg all from 'table(9)' to any in
> 
> When I run ipfw show, I see:
> 
> 02380         408          60358 netgraph tablearg ip from any to table(9) in
>   
> KES, do you mean to say that when you run `ipfw show' the rule is echoed
> back to you as:
> 
> setfib 0 all from table(<X>) to any in recv <IFACE>
> 
> instead of tablearg?
> 
> If that's the case, it sounds like ipfw is parsing the rule incorrectly.
> If tablearg isn't supported by setfib, I would expect a syntax error to
> be thrown and not a different rule being inserted into your ruleset. If
> this is the behavior you're seeing, you should run it by the folks on 
> the -net mailing list. That would also be a good place to ask about 
> future plans to support this feature.
> 

Unfortunately 'tablearg' is not implemented in the code as a generic
thing, but rather needs to be implemented separately for each place
where it may be used. In this case I simply didn't think of it when
I added setfib.

It does make sense to allow it and I will consider adding this in the
future as it would be useful for policy routing.

More information about the freebsd-net mailing list