IPFW1->2 regression: "in/out/via any" ignored

Luigi Rizzo rizzo at icir.org
Thu Mar 23 14:01:19 UTC 2006


On Thu, Mar 23, 2006 at 02:03:20PM +0200, Dmitry Pryanishnikov wrote:
> 
> Hello!
> 
>   I've found a serious regression during the IPFW1->2 transition. I'm using
> "recv any" construction to match transit packets only. Manpage ipfw(8) clearly
> says:
> 
>       recv | xmit | via {ifX | if* | ipno | any}
>               Matches packets received, transmitted or going through, respec-
>               tively, the interface specified by exact name (ifX), by device
>               name (if*), by IP address, or through some interface.
> ...........................................^^^^^^^^^^^^^^^^^^^^^^
> 
>               A packet may not have a receive or transmit interface: packets
>               originating from the local host have no receive interface, while
>               packets destined for the local host have no transmit interface.

The second part of this paragraph is surely incorrect - there is no transmit
interface for packets in the inbound path (i.e. while they are in ip_input())
whether or not they are destined locally. So 'xmit any' does not make
any sense.

For locally generated packets I admit 'recv any' may be of some use,
and this is unsupported. There are probably workarounds such as 'src-ip me'
which may be of some help here, although this particular instruction
can be expensive as it has to scan the list of local addresses.

	cheers
	luigi
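The following Python model, added here as an example and not code from the thread or from ipfw itself, encodes the interface-matching semantics the quoted ipfw(8) text describes (a packet has no receive interface when it originates locally and no transmit interface while it is in the inbound path), the regression the report describes ('any' ignored, so the rule matches every packet), and the 'src-ip me' substitute. The addresses, interface names and sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed set of the host's own addresses (what 'me' refers to); not from the thread.
LOCAL_ADDRS = frozenset({"192.0.2.1", "198.51.100.1"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    rcvif: Optional[str]   # None for packets originating on the local host
    xmitif: Optional[str]  # None while the packet is in the inbound path (ip_input)


def iface_match(kind: str, spec: str, pkt: Packet) -> bool:
    """recv|xmit|via {ifX | if* | any} as the quoted ipfw(8) text describes it.

    'any' means "some interface is present for this direction", so it is false
    for a packet that has no receive (or transmit) interface.
    """
    candidates = {
        "recv": (pkt.rcvif,),
        "xmit": (pkt.xmitif,),
        "via": (pkt.rcvif, pkt.xmitif),
    }[kind]
    present = [i for i in candidates if i is not None]
    if spec == "any":
        return bool(present)
    if spec.endswith("*"):          # device name, e.g. "em*"
        return any(i.startswith(spec[:-1]) for i in present)
    return spec in present          # exact interface name


def iface_match_regressed(kind: str, spec: str, pkt: Packet) -> bool:
    """The behaviour the report describes: '<kind> any' is ignored and matches every packet."""
    if spec == "any":
        return True
    return iface_match(kind, spec, pkt)


def src_ip_me(pkt: Packet) -> bool:
    """'src-ip me': a scan of the local address list (the cost Luigi mentions)."""
    return pkt.src in LOCAL_ADDRS


def transit_only(pkt: Packet, regressed: bool = False) -> bool:
    """A rule meant to match packets that were received on some interface: 'recv any'."""
    f = iface_match_regressed if regressed else iface_match
    return f("recv", "any", pkt)


def transit_only_workaround(pkt: Packet) -> bool:
    """The suggested substitute for excluding locally generated packets: 'not src-ip me'."""
    return not src_ip_me(pkt)


# Constructed sample packets at the three points where the firewall sees them.
INBOUND = Packet("203.0.113.7", "192.0.2.1", rcvif="em0", xmitif=None)        # inbound path
LOCAL_OUT = Packet("192.0.2.1", "203.0.113.7", rcvif=None, xmitif="em0")      # generated here
FORWARDED = Packet("203.0.113.7", "198.51.100.9", rcvif="em0", xmitif="em1")  # transit, output path


def demo():
    """One row per sample packet: recv any, xmit any, recv any (regressed), not src-ip me."""
    rows = []
    for name, pkt in [("inbound", INBOUND), ("local-out", LOCAL_OUT), ("forwarded", FORWARDED)]:
        rows.append((name,
                     iface_match("recv", "any", pkt),
                     iface_match("xmit", "any", pkt),
                     transit_only(pkt, regressed=True),
                     transit_only_workaround(pkt)))
    return rows


if __name__ == "__main__":
    print("packet     recv-any xmit-any recv-any(regressed) not-src-ip-me")
    for row in demo():
        print("%-10s %-8s %-8s %-19s %s" % row)
```

The model makes the two points of the reply visible: 'xmit any' is false for every packet in the inbound path and true for every packet in the outbound path, so it adds nothing beyond 'in'/'out'; and under the regressed behaviour 'recv any' is true for a locally generated packet, so a rule that relied on it now matches more traffic than intended. 'not src-ip me' excludes the locally generated sample, but it tests the address table rather than interface presence, so the two agree only as long as locally generated packets are the only ones carrying a local source address.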


More information about the freebsd-ipfw mailing list