IPFW tablearg questions

Andreas Nilsson andrnils at gmail.com
Thu May 30 11:46:41 UTC 2013


On Thu, May 30, 2013 at 1:01 PM, Paul A. Procacci <pprocacci at datapipe.com> wrote:

> > The question:
> > Why can't you add a skipto to the default rule (65535)?
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html
>
> > I also consider using tablearg with divert, but manpage is contradicting
> > itself in regards to divert with tablearg:
> > "     divert port
> >              Divert packets that match this rule to the divert(4) socket bound
> >              to port port.  The search terminates."
> > vs
> >
> > "The tablearg argument can be used with the following
> >      actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
> >      setfib, action parameters: tag, untag, rule options: limit, tagged."
> >
> > Also, in the EXAMPLES section one can find:
> >
> > "     In the following example per-interface firewall is created:
> >
> >            ipfw table 10 add vlan20 12000
> >            ipfw table 10 add vlan30 13000
> >            ipfw table 20 add vlan20 22000
> >            ipfw table 20 add vlan30 23000
> >            ..
> >            ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
> >            ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
> > "
> > where ipfw add 100 ipfw skipto seems wrong...
>
> I'm not sure where the contradiction is.  Have you tried something like
> the following as an example?  I'm not sure the below works, but in my
> mind it does.  ;)
>
> #############################################
> ipfw table 10 add 129.168.0.0/24 1234
> ipfw table 10 add 10.5.21.0/24 5678
> ipfw add 100 divert tablearg ip from table(10) to any
> #############################################
>
> Perhaps knowing what it is you are trying to accomplish would lead
> to a more concrete answer.
>
> ~Paul
>

Whoops, reply to all is good...

The contradiction is that for most of the other directives in the man page,
when it is possible to use tablearg it is listed, like

fwd | forward ipaddr | tablearg[,port]
or
nat nat_nr | tablearg
but not so for divert which just reads:
divert port

The pipe and queue directives as well are missing the | tablearg and
corresponding description.

Yes, your example is how I also imagine it to work.

I'm pondering how something like:

ipfw skipto tablearg all from any to any in { recv table(10) }
ipfw add $rulenr divert tablearg tcp from table(11) to any
ipfw add $rulenr fwd tablearg all from table(12) to any divert-output

would work out.

Best regards
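As an added illustration (not code from this thread, nor from ipfw itself), here is a small Python model of the tablearg substitution the rules above rely on: a table lookup by longest-prefix match whose value becomes the argument of skipto, divert or fwd. The table contents, rule numbers and addresses are constructed for the example, `table_lookup` and `evaluate` are hypothetical helper names, and divert and fwd are modelled as terminating the search, as ipfw(8) describes them.

```python
"""Toy model of ipfw tablearg substitution.

Added illustration only, not ipfw code: it mimics how a table lookup value
becomes the argument of skipto / divert / fwd for a packet's source address.
All prefixes, values and rule numbers are constructed for the example.
"""
import ipaddress

# Constructed tables in the shape of "ipfw table N add <prefix> <value>".
# Table 10 holds skipto targets, 11 divert ports, 12 fwd next hops.
TABLES = {
    10: [("192.0.2.0/24", 1000), ("192.0.2.128/25", 2000)],
    11: [("192.0.2.0/24", 5678)],
    12: [("192.0.2.128/25", "10.0.0.1")],
}

# Constructed rule set mirroring the three rules discussed in the thread:
# (rule number, action, table whose value replaces "tablearg").
RULES = [
    (100, "skipto", 10),
    (1000, "divert", 11),
    (2000, "fwd", 12),
    (65535, "deny", None),   # default rule, no table involved
]


def table_lookup(table_no, addr):
    """Return the value of the most specific matching prefix, or None on a miss."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in TABLES.get(table_no, []):
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return None if best is None else best[1]


def evaluate(src):
    """Walk RULES for a packet with source address src.

    Returns the list of (rule number, action, substituted argument) for each
    rule that matched, so the tablearg value and the skipto jump are visible.
    """
    trace = []
    i = 0
    while i < len(RULES):
        num, action, table_no = RULES[i]
        if table_no is None:             # default rule always matches
            trace.append((num, action, None))
            return trace
        arg = table_lookup(table_no, src)
        if arg is None:                  # table() did not match: next rule
            i += 1
            continue
        trace.append((num, action, arg))
        if action == "skipto":
            # skipto continues at the first rule numbered arg or higher
            i = next((k for k, r in enumerate(RULES) if r[0] >= int(arg)),
                     len(RULES))
            continue
        return trace                     # divert and fwd end the search
    return trace


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.200", "198.51.100.7"):
        print(src, evaluate(src))
```

Two points the model makes visible: a miss in the table simply fails the rule's match and falls through to the next rule, and the values stored in a skipto table have to be rule numbers above the rule doing the skipto, because skipto only moves forward through the rule set.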

