Eduardo Meyer wrote:
Hello,

I am trying the new FIB stuff on -STABLE with IPFW, I made many tests
and it did not work as I expected.

Quick testing:

# lynx -dump http://www.whatismyip.org
200.165.75.10

# setfib -1 lynx -dump http://www.whatismyip.org
189.52.141.2

# setfib -2 lynx -dump http://www.whatismyip.org
201.91.92.154



so you have 3 tables with different default routes?

# ipfw -q flush
# ipfw add 1 setfib 1 all from any to any
00001 setfib 1 ip from any to any

# lynx -dump http://www.whatismyip.org
200.165.75.10

Check for counters:

# ipfw -q add 2 allow all from any to any fib 1
# ipfw show

obviously you did some other commands here..
something generated 2 million packets..

00001  388599 139653215 setfib 1 ip from any to any
00002    4253   2221474 allow ip from any to any fib 1
65535 2419650 983279227 allow ip from any to any

# lynx -dump http://www.whatismyip.org
200.165.75.10

# setfib -1 lynx -dump http://www.whatismyip.org
189.52.141.2

Is anything wrong with my concepts?  I would like to know if -CURRENT
has the same behavior, can someone please test?

This is expected. setfib in the firewall can only change the fib on an outgoing packet AFTER it has already done its routing decision.

setfib in ipfw is basically for packets that you are ROUTING (i.e. you are a gateway) and is expected to be run on INCOMING packets before they make their routing decision.

I was thinking of adding a 'reroute' ipfw keyword.. kind of like
'fwd {original dest} ip from any to any'
because 'fwd' does cause the routing decision to be redone.

The fib of the process that opens the socket controls where packets from the local machine are sent.




_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
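
A check that follows from the reply above, as an added example that is not part of the original thread: it reads `ipfw list` or `ipfw show` output and flags `setfib` rules that are not limited to the input pass. The function names, the output labels, rules 00100 and 00110, and the interface `em1` are assumptions made for the illustration.

```shell
#!/bin/sh
# Audit ipfw rules for setfib actions that cannot influence routing.
# Input: `ipfw list` or `ipfw show` output on stdin.
audit_setfib() {
    awk '
    {
        act = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "//") break              # rule comment starts here
            if ($i == "setfib") { act = i; break }
        }
        if (!act) next                         # not a setfib rule
        dir = "both"
        for (i = act + 2; i <= NF; i++) {
            if ($i == "//") break
            neg = ($(i - 1) == "not")          # "not in" means output only
            if ($i == "in")  dir = neg ? "out" : "in"
            if ($i == "out") dir = neg ? "in"  : "out"
        }
        if (dir == "in")
            print "OK    " $1 ": tags packets on input, before the route lookup"
        else if (dir == "out")
            print "NOEFF " $1 ": output only, the route was chosen before this rule ran"
        else
            print "WARN  " $1 ": no direction, only the input pass affects routing"
    }'
}

# Sample input: the first three lines are the counters quoted in the thread;
# rules 00100 and 00110 are constructed (interface em1 is an assumption).
sample_rules() {
    cat <<'EOF'
00001  388599 139653215 setfib 1 ip from any to any
00002    4253   2221474 allow ip from any to any fib 1
65535 2419650 983279227 allow ip from any to any
00100 setfib 1 ip from any to any in recv em1
00110 setfib 2 ip from any to any out
EOF
}

sample_rules | audit_setfib
```

On a live gateway the same function can be fed with `ipfw list | audit_setfib`; traffic originated by the machine itself still needs `setfib` on the process, as in the `setfib -1 lynx` runs above.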