ipfw / routing issue on 9.2-RELEASE
Andreas Nilsson
andrnils at gmail.com
Wed Mar 5 19:44:52 UTC 2014
On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> On 04.03.2014 09:58, Andreas Nilsson wrote:
> > Why do I need the explicit fwd rule? As far as I can see the ipfw man page
> > says nothing about skipto changing the packets, and since the 65533 rule in
> > the second ruleset triggers on the same thing as the skipto rule it would
> > seem like packets are "intact". Why does the kernel not forward those
> > packets?
>
> What is the last rule? I suspect it is "deny all"?
>
No, the last rule is allow any from any, set via the loader tunable
net.inet.ip.fw.default_to_accept=1
For clarity:
00001 0 0 skipto 65534 log all from table(1) to any in recv table(8)
00002 6331546 601809038 skipto 13 ip from any to any in recv table(8)
00003 821402 247261846 allow ip from table(2) to any
00004 0 0 allow ip from table(3) to me dst-port 2121
00005 0 0 allow ip from table(4) to me dst-port 161
00006 0 0 allow ip from me to table(4) dst-port 162
00007 0 0 allow ip from me to table(5) dst-port 514
00008 20865 7823308 allow ip from table(6) to any dst-port 179
00009 6331564 753767359 allow { gre or ipencap } from table(6) to any
00010 3270 294972 allow icmp from table(7) to any
00011 4 617 allow icmp from any to me icmptypes 3
00012 5075 323759 deny ip from any to me
00013 1656214 123067475 divert tablearg tcp from any to any in recv table(8)
65534 0 0 fwd tablearg ip from table(12) to any
65535 11389470 1158795869 allow ip from any to any
With the above ruleset a packet
1) triggering the first rule (i.e. skipto to the no-op fwd and the allow from any to
any) is lost.
2) triggering the second rule (i.e. skipto to the divert rule, which returns it to
the stack) is forwarded.
Best regards
Andreas
>
> --
> WBR, Andrey V. Elsukov
>