Multiple Routing Tables (FIB) + IPFW problem as (I?) expected

Julian Elischer julian at elischer.org
Fri Jan 16 11:37:53 PST 2009


Eduardo Meyer wrote:
> Hello,
> 
> I am trying the new FIB stuff on -STABLE with IPFW, I made many tests
> and it did not work as I expected.
> 
> Quick testing:
> 
> # lynx -dump http://www.whatismyip.org
> 200.165.75.10
> 
> # setfib -1 lynx -dump http://www.whatismyip.org
> 189.52.141.2
> 
> # setfib -2 lynx -dump http://www.whatismyip.org
> 201.91.92.154
> 


so you have 3 tables with different default routes?

> # ipfw -q flush
> # ipfw add 1 setfib 1 all from any to any
> 00001 setfib 1 ip from any to any
> 
> # lynx -dump http://www.whatismyip.org
> 200.165.75.10
> 
> Check for counters:
> 
> # ipfw -q add 2 allow all from any to any fib 1
> # ipfw show

Obviously you ran some other commands here...
Something generated 2 million packets.

> 00001  388599 139653215 setfib 1 ip from any to any
> 00002    4253   2221474 allow ip from any to any fib 1
> 65535 2419650 983279227 allow ip from any to any
> 
> # lynx -dump http://www.whatismyip.org
> 200.165.75.10
> 
> # setfib -1 lynx -dump http://www.whatismyip.org
> 189.52.141.2
> 
> Is anything wrong with my concepts?  I would like to know if -CURRENT
> has the same behavior, can someone please test?

This is expected. setfib in the firewall can only change the FIB on 
an outgoing packet AFTER it has already made its routing decision.

setfib in ipfw is basically for packets that you are ROUTING
(i.e. you are a gateway) and is expected to be run on INCOMING
packets before they make their routing decision.

I was thinking of adding a 'reroute' ipfw keyword, kind of like
'fwd {original dest} ip from any to any',
because 'fwd' does cause the routing decision to be redone.

The fib of the process that opens the socket controls where packets 
from the local machine are sent.
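As an added example (not part of this thread and not FreeBSD project code), the following sh script generates ipfw rules that place setfib where the reply says it takes effect: on INCOMING packets arriving on a gateway's LAN interface, before the kernel's forwarding lookup. The interface name, subnets and FIB numbers are constructed placeholders; set IPFW=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: apply ipfw setfib on incoming forwarded traffic only.
# Interface and subnets below are placeholders, not values from the thread.

IPFW="${IPFW:-ipfw}"      # set IPFW=echo for a dry run that only prints rules
LAN_IF="${LAN_IF:-em0}"   # placeholder: interface on which LAN traffic arrives
NET_A="192.0.2.0/24"      # placeholder subnet that should use FIB 1
NET_B="198.51.100.0/24"   # placeholder subnet that should use FIB 2

# build_setfib_rules: print one ipfw rule per subnet. Each rule matches only
# packets received on $LAN_IF ("in recv"), so the FIB is assigned before the
# routing decision for the forwarded packet is made, not after it.
build_setfib_rules() {
    rule=100
    for pair in "$NET_A:1" "$NET_B:2"; do
        net=${pair%:*}
        fib=${pair#*:}
        echo "add $rule setfib $fib ip from $net to any in recv $LAN_IF"
        rule=$((rule + 100))
    done
    # Accounting rule: count packets that carry FIB 1 (the 'fib' match
    # keyword used for the counters in the thread).
    echo "add $rule count ip from any to any fib 1"
}

# load_rules: feed every generated rule to ipfw (or to echo in dry-run mode).
load_rules() {
    build_setfib_rules | while read -r line; do
        # shellcheck disable=SC2086
        $IPFW $line
    done
}

# rules_all_incoming: returns 0 only if every setfib rule is restricted to
# incoming packets, which is the condition the reply above explains.
rules_all_incoming() {
    build_setfib_rules | grep 'setfib' | grep -v -q 'in recv' && return 1
    return 0
}

# Locally generated traffic is not touched by the rules above; a local
# process must be started in the wanted FIB instead, e.g.
#   setfib -F 1 fetch -o - http://example.invalid/
```

Run it on a gateway as root to load the rules, or with `IPFW=echo sh script.sh` first to review them. The accounting rule only counts packets that already carry FIB 1, so its counters show whether the setfib rules matched anything at all.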





