Re: IPFW tablearg questions
On Thu, May 30, 2013 at 1:01 PM, Paul A. Procacci wrote:
> > The question:
> > Why can't you add a skipto to the default rule (65535)?
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html
>
> > I also consider using tablearg with divert, but the man page is contradicting
> > itself in regards to divert with tablearg:
> >
> > "  divert port
> >      Divert packets that match this rule to the divert(4) socket bound
> >      to port port. The search terminates."
> >
> > vs
> >
> > "The tablearg argument can be used with the following
> > actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
> > setfib, action parameters: tag, untag, rule options: limit, tagged."
> >
> > Also, in the EXAMPLES section one can find:
> >
> > " In the following example per-interface firewall is created:
> >
> > ipfw table 10 add vlan20 12000
> > ipfw table 10 add vlan30 13000
> > ipfw table 20 add vlan20 22000
> > ipfw table 20 add vlan30 23000
> > ..
> > ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
> > ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
> > "
> >
> > where ipfw add 100 ipfw skipto seems wrong...
>
> I'm not sure where the contradiction is. Have you tried something like
> the following as an example? I'm not sure the below works, but in my
> mind it does. ;)
>
> #
> ipfw table 10 add 129.168.0.0/24 1234
> ipfw table 10 add 10.5.21.0/24 5678
> ipfw add 100 divert tablearg ip from table(10) to any
> #
>
> Perhaps knowing what it is you are trying to accomplish would lead
> to a more concrete answer.
>
> ~Paul
>
> This message may contain confidential or privileged information. If you
> are not the intended recipient, please advise us immediately and delete
> this message. See http://www.datapipe.com/legal/email_disclaimer/ for
> further information on confidentiality and the risks of non-secure
> electronic communication. If you cannot access these links, please notify
> us by reply message and we will send the contents to you.

Whoops, reply to all is good...

The contradiction is that for most of the other directives in the man page,
when it is possible to use tablearg it is listed, like

fwd | forward ipaddr | tablearg[,port]

or

nat nat_nr | tablearg

but not so for divert, which just reads:

divert port

The pipe and queue directives are also missing the "| tablearg" and the
corresponding description.

Yes, your example is how I also imagine it to work. I'm pondering how
something like:

ipfw skipto tablearg all from any to any in { recv table(10) }
ipfw add $rulenr divert tablearg tcp from table(11) to any
ipfw add $rulenr fwd tablearg all from table(12) to any divert-output

would work out.

Best regards

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: IPFW tablearg questions
> The question:
> Why can't you add a skipto to the default rule (65535)?

http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html

> I also consider using tablearg with divert, but manpage is contradicting
> itself in regards to divert with tablearg:
>
> "  divert port
>      Divert packets that match this rule to the divert(4) socket bound
>      to port port. The search terminates."
>
> vs
>
> "The tablearg argument can be used with the following
> actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
> setfib, action parameters: tag, untag, rule options: limit, tagged."
>
> Also, in the EXAMPLES section one can find:
>
> " In the following example per-interface firewall is created:
>
> ipfw table 10 add vlan20 12000
> ipfw table 10 add vlan30 13000
> ipfw table 20 add vlan20 22000
> ipfw table 20 add vlan30 23000
> ..
> ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
> ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
> "
>
> where ipfw add 100 ipfw skipto seems wrong...

I'm not sure where the contradiction is. Have you tried something like
the following as an example? I'm not sure the below works, but in my
mind it does. ;)

#
ipfw table 10 add 129.168.0.0/24 1234
ipfw table 10 add 10.5.21.0/24 5678
ipfw add 100 divert tablearg ip from table(10) to any
#

Perhaps knowing what it is you are trying to accomplish would lead
to a more concrete answer.

~Paul
IPFW tablearg questions
Hello,

I started to test some more features of IPFW, namely skipto and fwd, both
in conjunction with tablearg.

The question: Why can't you add a skipto to the default rule (65535)?

I also consider using tablearg with divert, but the man page is contradicting
itself in regards to divert with tablearg:

"  divert port
     Divert packets that match this rule to the divert(4) socket bound
     to port port. The search terminates."

vs

"The tablearg argument can be used with the following actions: nat, pipe,
queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, action parameters:
tag, untag, rule options: limit, tagged."

Also, in the EXAMPLES section one can find:

" In the following example per-interface firewall is created:

ipfw table 10 add vlan20 12000
ipfw table 10 add vlan30 13000
ipfw table 20 add vlan20 22000
ipfw table 20 add vlan30 23000
..
ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in
ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out
"

where ipfw add 100 ipfw skipto seems wrong...

Best regards
Andreas Nilsson
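To make the semantics the thread is circling concrete, here is a small model of how an ipfw table value becomes the action argument when a rule says tablearg. It is an illustration added to this page, not FreeBSD code, and it does not run ipfw: the Packet, Rule and Tables classes and the process() function are hypothetical stand-ins. It combines the man page's per-interface skipto example quoted in the original question (table 10 entries vlan20 -> 12000, vlan30 -> 13000, rule 100 matching on recv interface) with the divert-by-source-table rule from Paul's reply, using constructed addresses and divert ports for table 11. The model implements only the options the thread uses (recv table, from table, in/out), skipto's forward-only semantics ("skip all subsequent rules numbered less than number"), and the man page statement that divert terminates the search; fwd, allow and deny are also treated as terminating here.

```python
"""Toy model of ipfw(8) table lookups with the tablearg action argument.

Added illustration for this thread; not FreeBSD code and not a parser for
real ipfw syntax. Only the options discussed in the thread are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DEFAULT_RULE = 65535  # ipfw's fixed terminal rule; modelled here as deny


@dataclass
class Packet:
    src: str                          # source IPv4 address
    recv_if: Optional[str] = None     # interface the packet arrived on
    direction: str = "in"


@dataclass
class Rule:
    number: int
    action: str                       # skipto | divert | fwd | allow | deny
    arg: object = None                # rule number, port, address, or "tablearg"
    src_table: Optional[int] = None   # "from table(N)"
    recv_table: Optional[int] = None  # "recv table(N)"
    direction: Optional[str] = None   # "in" / "out" / None for either


class Tables:
    """Hypothetical stand-in for ipfw tables: keys are CIDR prefixes or
    interface names, each carrying the numeric value used as tablearg."""

    def __init__(self) -> None:
        self.entries: Dict[int, List[Tuple[object, int]]] = {}

    def add(self, table: int, key: str, value: int) -> None:
        try:
            parsed: object = ip_network(key, strict=False)
        except ValueError:            # not an address: treat as interface name
            parsed = key
        self.entries.setdefault(table, []).append((parsed, value))

    def lookup(self, table: int, packet: Packet, by_iface: bool) -> Optional[int]:
        """Value of the matching entry, or None. Address lookups pick the
        longest matching prefix, as ipfw's address tables do."""
        best: Optional[Tuple[int, int]] = None   # (prefixlen, value)
        for key, value in self.entries.get(table, []):
            if by_iface:
                if isinstance(key, str) and key == packet.recv_if:
                    return value
            elif not isinstance(key, str) and ip_address(packet.src) in key:
                if best is None or key.prefixlen > best[0]:
                    best = (key.prefixlen, value)
        return None if best is None else best[1]


def matches(rule: Rule, packet: Packet, tables: Tables) -> Tuple[bool, Optional[int]]:
    """Evaluate the rule's options; returns (matched, value for tablearg)."""
    if rule.direction and rule.direction != packet.direction:
        return False, None
    tablearg = None
    if rule.recv_table is not None:
        tablearg = tables.lookup(rule.recv_table, packet, by_iface=True)
        if tablearg is None:
            return False, None
    if rule.src_table is not None:
        tablearg = tables.lookup(rule.src_table, packet, by_iface=False)
        if tablearg is None:
            return False, None
    return True, tablearg


def process(rules: List[Rule], tables: Tables, packet: Packet):
    """Walk the ruleset in number order; returns (verdict, argument, trace)."""
    ordered = sorted(rules, key=lambda r: r.number)
    trace: List[Tuple[int, str, object]] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        ok, tablearg = matches(rule, packet, tables)
        if not ok:
            i += 1
            continue
        arg = tablearg if rule.arg == "tablearg" else rule.arg
        if rule.arg == "tablearg" and arg is None:
            raise ValueError(f"rule {rule.number}: tablearg without a table lookup")
        trace.append((rule.number, rule.action, arg))
        if rule.action == "skipto":
            # forward-only: skip every following rule numbered below the target
            target = int(arg)
            i += 1
            while i < len(ordered) and ordered[i].number < target:
                i += 1
            continue
        # divert, fwd, allow and deny all terminate the search in this model
        return rule.action, arg, trace
    return "deny", None, trace        # ran off the end: default rule behaviour


def example_ruleset() -> Tuple[List[Rule], Tables]:
    """Constructed sample: man page per-interface skipto tables, plus a
    divert-by-source-table rule (Paul's idea) inside the vlan20 section."""
    tables = Tables()
    tables.add(10, "vlan20", 12000)          # values as quoted from the man page
    tables.add(10, "vlan30", 13000)
    tables.add(11, "192.0.2.0/24", 1234)     # constructed divert ports
    tables.add(11, "198.51.100.0/24", 5678)
    rules = [
        Rule(100, "skipto", "tablearg", recv_table=10, direction="in"),
        Rule(110, "deny"),                   # interfaces absent from table 10 stop here
        Rule(12000, "divert", "tablearg", src_table=11),   # vlan20 section
        Rule(12010, "allow"),
        Rule(13000, "deny"),                                # vlan30 section
        Rule(DEFAULT_RULE, "deny"),
    ]
    return rules, tables


if __name__ == "__main__":
    rules, tables = example_ruleset()
    for pkt in (Packet("192.0.2.7", "vlan20"), Packet("203.0.113.9", "vlan20"),
                Packet("192.0.2.7", "vlan30"), Packet("192.0.2.7", "em0")):
        verdict, arg, trace = process(rules, tables, pkt)
        print(f"{pkt.src:>14} via {pkt.recv_if:<6} -> {verdict} {arg or ''} trace={trace}")
```

Rule 110 is the part worth noticing: because skipto only moves forward and rule 100 matches only interfaces listed in table 10, a packet from an interface that is not in the table would otherwise fall straight into the vlan20 section, so the section layout needs a terminating rule right after the skipto.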