ipfw's "via" rule option/match pattern

andreas scherrer ascherrer at gmail.com
Tue Aug 18 22:41:39 UTC 2015 

Dear all

I am struggling to understand ifpw's "via" rule option. I am on FreeBSD 
10.1-release-p16

I have read ipfw(8) [1] many times by now but I still find it confusing:

"The via keyword causes the interface to always be checked. If recv or 
xmit is used instead of via, then only the receive or transmit interface 
(respectively) is checked."

What does "the interface is checked" mean in this context? And what is a 
common use case for the "via" rule option as opposed to recv/xmit? "in 
via" seems to be the same as "in recv" anyway (because "in xmit" is 
invalid) if I read "via" as "recv or xmit"...

I have also read (and I believe understood) [2], [3] and [4]. But it 
somehow contradicts what I see on my system. Or at least I think so.

Mainly they all state that something like

... out via ifX

matches packets that are *going through* a box (read: are forwarded) if 
they came in on interface ifX and are leaving the box via ifY.

That would be because the packet's receive interface is checked when it 
leaves the box and because it entered the box on ifX the rule matches 
(even if the packet leaves the box on ifY).

[4]: "Again, 'out via $wan_if' is ambiguous, and includes packets 
_received_ on $wan_if and now being transmitted to the inside"

When I run a quick test, sending one ICMP echo request from 
192.168.32.10 to 192.168.38.17 (two devices communicating via the box 
that has the "count" rules listed below configured), I get the following 
result:

-----
When 192.168.38.17 does not answer the ping:
00350     2     168 count icmp from 192.168.32.10 to 192.168.38.17 recv 
re0.32
00350     0       0 count icmp from 192.168.38.17 to 192.168.32.10 recv 
re0.38
00351     1      84 count icmp from 192.168.32.10 to 192.168.38.17 in 
recv re0.32
00351     0       0 count icmp from 192.168.38.17 to 192.168.32.10 in 
recv re0.38
00352     1      84 count icmp from 192.168.32.10 to 192.168.38.17 out 
recv re0.32
00352     0       0 count icmp from 192.168.38.17 to 192.168.32.10 out 
recv re0.38
00355     1      84 count icmp from 192.168.32.10 to 192.168.38.17 via 
re0.32
00355     0       0 count icmp from 192.168.38.17 to 192.168.32.10 via 
re0.38
00356     1      84 count icmp from 192.168.32.10 to 192.168.38.17 in 
via re0.32
00356     0       0 count icmp from 192.168.38.17 to 192.168.32.10 in 
via re0.38
00357     0       0 count icmp from 192.168.32.10 to 192.168.38.17 out 
via re0.32
00357     0       0 count icmp from 192.168.38.17 to 192.168.32.10 out 
via re0.38
00358     1      84 count icmp from 192.168.32.10 to 192.168.38.17 out 
recv re0.32 xmit re0.38
00358     0       0 count icmp from 192.168.38.17 to 192.168.32.10 out 
recv re0.38 xmit re0.32

When 192.168.38.17 does answer the ping:
00350     2     168 count icmp from 192.168.32.10 to 192.168.38.17 recv 
re0.32
00350     2     168 count icmp from 192.168.38.17 to 192.168.32.10 recv 
re0.38
00351     1      84 count icmp from 192.168.32.10 to 192.168.38.17 in 
recv re0.32
00351     1      84 count icmp from 192.168.38.17 to 192.168.32.10 in 
recv re0.38
00352     1      84 count icmp from 192.168.32.10 to 192.168.38.17 out 
recv re0.32
00352     1      84 count icmp from 192.168.38.17 to 192.168.32.10 out 
recv re0.38
00355     1      84 count icmp from 192.168.32.10 to 192.168.38.17 via 
re0.32
00355     1      84 count icmp from 192.168.38.17 to 192.168.32.10 via 
re0.38
00356     1      84 count icmp from 192.168.32.10 to 192.168.38.17 in 
via re0.32
00356     1      84 count icmp from 192.168.38.17 to 192.168.32.10 in 
via re0.38
00357     0       0 count icmp from 192.168.32.10 to 192.168.38.17 out 
via re0.32
00357     0       0 count icmp from 192.168.38.17 to 192.168.32.10 out 
via re0.38
00358     1      84 count icmp from 192.168.32.10 to 192.168.38.17 out 
recv re0.32 xmit re0.38
00358     1      84 count icmp from 192.168.38.17 to 192.168.32.10 out 
recv re0.38 xmit re0.32
-----

According to the statement in [4] I would expect rule 357 to match...

Can anyone shed some light on that topic for me? I have a feeling that 
my understanding that "via" is "recv or xmit" is not correct.


Thanks in advance
andreas

[1] https://www.freebsd.org/cgi/man.cgi?query=ipfw(8)
[2] 
https://lists.freebsd.org/pipermail/freebsd-questions/2005-July/094739.html
[3] 
https://groups.google.com/forum/#!topic/comp.unix.bsd.freebsd.misc/AkDSKlUmVok
[4] 
https://lists.freebsd.org/pipermail/freebsd-questions/2011-June/231271.html

More information about the freebsd-questions mailing list