Does "setfib" in ipfw force a packet to be re-routed?

Lev Serebryakov lev at FreeBSD.org
Mon Feb 2 23:14:01 UTC 2015



On 03.02.2015 01:54, John Nielsen wrote:

> AFAIK, ipfw's setfib can only be usefully applied to incoming
> packets (before a routing decision is made) that are passing
> through (and not destined for) the FreeBSD machine as a router.
 Nope!

> For locally-originated traffic you need to either start your
> application(s) using setfib(1) to begin with or use ipfw fwd rules
> to redirect the traffic (which essentially ignores the original
> routing decision). Be warned that FreeBSD 10.0 had a bug which
> broke ipfw fwd (see the errata).
  The problem is, sometimes you want to change the routing decision on
the way out even on a router machine. For example, after "nat global",
if you don't want to use "fwd" actions (because it has a static IP to
use encoded into the rule, which doesn't look good!).

 And it looks like it is possible.

 Please, look at sys/netinet/ip_output.c, lines 493-535.

 It checks whether the packet filter changed (a) the destination address
or (b) the FIB, and if it did, it re-runs the routing decision.

 So, it will work "as expected" and only the documentation needs a fix :)

-- 
// Lev Serebryakov AKA Black Lion
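
A user-space sketch of the behaviour described in the message above, added here as an illustration; it is not the code in sys/netinet/ip_output.c and not from the original post. All names (`model_output`, `skip_filter`, the hooks) and the route tables are constructed, and the filter-only-once flag is a modelling assumption.

```c
/* User-space model of the re-lookup step; names and tables are constructed. */
#include <stdint.h>
#include <stdio.h>
#define DST   0xC6336407u  /* 198.51.100.7 */
#define GW_F0 0xC0000201u  /* 192.0.2.1, next hop in FIB 0 */
#define GW_F1 0xCB007101u  /* 203.0.113.1, next hop in FIB 1 */

struct pkt    { uint32_t dst; int fib; int skip_filter; };
struct route  { uint32_t dst, gw; };
struct result { uint32_t gw; int lookups; };
typedef void (*out_hook)(struct pkt *);

/* One route table per FIB: same destination, different next hop. */
static const struct route fibs[2][1] = { { { DST, GW_F0 } }, { { DST, GW_F1 } } };

static uint32_t lookup(int fib, uint32_t dst)
{
    for (size_t i = 0; i < sizeof fibs[0] / sizeof fibs[0][0]; i++)
        if (fibs[fib][i].dst == dst)
            return fibs[fib][i].gw;
    return 0; /* no route */
}

/* Stand-ins for a filter rule on the output path. */
static void hook_setfib1(struct pkt *p) { p->fib = 1; }
static void hook_pass(struct pkt *p)    { (void)p; }

static struct result model_output(struct pkt *p, out_hook hook)
{
    struct result r = { 0, 0 };
    for (;;) {
        struct pkt before = *p;
        r.gw = lookup(before.fib, before.dst); /* routing decision */
        r.lookups++;
        if (p->skip_filter)
            return r;               /* already filtered once */
        hook(p);                    /* output filter may rewrite dst or FIB */
        if (p->dst == before.dst && p->fib == before.fib)
            return r;               /* nothing changed: keep the route */
        p->skip_filter = 1;         /* changed: look up again, filter no more */
    }
}

int main(void)
{
    struct pkt a = { DST, 0, 0 };
    struct result ra = model_output(&a, hook_setfib1);
    printf("setfib on output: gw=%08x lookups=%d\n", (unsigned)ra.gw, ra.lookups);
    return 0;
}
```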

