IPFW tablearg questions

Thu May 30 11:02:33 UTC 2013

> The question:
> Why can't you add a skipto to the default rule (65535)?

http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html

> I also consider using tablearg with divert, but manpage is contradicting
> itself in regards to divert with tablearg:
> "     divert port
>              Divert packets that match this rule to the divert(4) socket
> bound
>              to port port.  The search terminates."
> vs
>
> "The tablearg argument can be used with the following
>      actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
>      setfib, action parameters: tag, untag, rule options: limit, tagged."
>
> Also, in the EXAMPLES section one can find:
>
> "     In the following example per-interface firewall is created:
>
>            ipfw table 10 add vlan20 12000
>            ipfw table 10 add vlan30 13000
>            ipfw table 20 add vlan20 22000
>            ipfw table 20 add vlan30 23000
>            ..
>            ipfw add 100 ipfw skipto tablearg ip from any to any recv
>            'table(10)' in
>            ipfw add 200 ipfw skipto tablearg ip from any to any xmit
>            'table(10)' out
> "
> where ipfw add 100 ipfw skipto seems wrong...

I'm not sure where the contradiction is.  Have you tried something like
the following as an example?  I'm not sure the below works, but in my
mind it does.  ;)

#############################################
ipfw table 10 add 129.168.0.0/24 1234
ipfw table 10 add 10.5.21.0/24 5678
ipfw add 100 divert tablearg ip from table(10) to any
#############################################

Perhaps knowing what it is you are trying to accomplish would lead
to a more concrete answer.

~Paul

________________________________

This message may contain confidential or privileged information. If you are not the intended recipient, please advise us immediately and delete this message. See http://www.datapipe.com/legal/email_disclaimer/ for further information on confidentiality and the risks of non-secure electronic communication. If you cannot access these links, please notify us by reply message and we will send the contents to you.