Thank you, Eugene, for your reply.
You have very clearly explained how to disable fast forwarding via kernel ipsec.

For my part, I will add: on this object (server), the priority is in favor of fast forwarding. I will filter ICMP packets with ipfw rules. I think that even with the use of ipfw rules filtering by ICMP type, the speed of forwarding packets will not be lower than using "old forwarding".

But still! One always wants to use the most "ideal )" scheme for solving a specific problem. And in my specific case ipfw fwd + RTF_BLACKHOLE + fast forwarding would be very useful. I hope you, Eugene, understood what I mean! Once again, many thanks for your time and help.



03.09.2018 13:12, Eugene Grosbein wrote:
03.09.2018 14:02, Runer wrote:
Hello Community!

A situation has arisen in which ipfw fwd stops working when
RTF_BLACKHOLE or RTF_REJECT, ROUTE (8), is enabled on FreeBSD 11 release.

FreeBSD 11.2-RELEASE-p1

route add default 127.0.0.1 -blackhole -iface

ipfw show
00100 30 4056 fwd 10.0.0.5 ip from table(1) to not 10.0.0.0/8 in via em0

The packet counter changes, but forwarding does not work. On FreeBSD 10 everything
works fine. I suppose this is due to changes to forwarding -> fast forwarding
by default in FreeBSD 11 and man ROUTE (8), “BUGS - unless IP fast forwarding is
enabled, in which case the meaning of the flag will always be honored.”

I want to know if it's possible to make ipfw fwd work together with
RTF_BLACKHOLE on FreeBSD 11 as before in FreeBSD 10? Thank you in advance!

As a temporary workaround, you can still disable the fast forwarding path:

- make sure you use GENERIC kernel or your custom kernel has "options IPSEC_SUPPORT" like GENERIC has;
- load ipsec kernel module by means of /boot/loader.conf or /etc/rc.conf;
- add dummy security policy:

printf "flush;\nspdflush;\n\nspdadd 100.64.0.1/32 100.64.0.2/32 esp -P out none;\n" > /etc/ipsec.conf

It does nothing but prevent the kernel from using the fast forwarding path for 11.2.



_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
