Discussion:
ipfw: manpage: semantics of "receive" and "xmit" interfaces
O. Hartmann
2018-01-09 09:28:13 UTC
I feel confused by the ipfw manpage while trying to set up a set of filtering
rules on a small router project with in-kernel NAT.

It is kind of hard, based on the ipfw man page, to figure out what the meaning
of the receive and xmit interface is. Maybe it is only me that has problems,
but I doubt it, since I tried to ask around my department and it broke loose a
discussion, based upon what one can read in the manpage, not on reading source
code.

In section RULE OPTIONS, recv|xmit|via is explained (a bit). There is
also an example:

ipfw add deny ip from any to any out recv ed0 xmit ed1

Can someone explain a bit more what the semantics of these are? I get especially
confused by the subsequent blocks of text following the line I mentioned above.
Since not everybody using FreeBSD is capable of studying the kernel sources, I
have difficulties putting those statements in line with a visualization of the
packet flow. A local host receiving a packet destined for the local host cannot
have an xmit interface? If I imagine that the recv interface might be the
interface directly adjacent to the in/out port depicted in section PACKET FLOW,
it doesn't give me any idea why there is no xmit interface.

If it's my dumb brain missing things, I'm sorry. Otherwise I'd be glad to have
some more information, and maybe the manpage could be enriched with some notes
helping other poor people like me.

Thanks in advance,
Oliver
Andrey V. Elsukov
2018-01-09 18:23:54 UTC
Post by O. Hartmann
In section RULE OPTIONS, there is recv|xmit|via explained (a bit). There is
ipfw add deny ip from any to any out recv ed0 xmit ed1
Can someone explain a bit more what the semantics of these are? I get especially
confused by the subsequent blocks of text following the line I mentioned above.
Since not everybody using FreeBSD is capable of studying the kernel sources, I
have difficulties putting those statements in line with a visualization of the
packet flow. A local host receiving a packet destined for the local host cannot
have an xmit interface? If I imagine that the recv interface might be the
interface directly adjacent to the in/out port depicted in section PACKET FLOW,
it doesn't give me any idea why there is no xmit interface.
When your system has two interfaces ed0 and ed1, and it acts as a router,
a forwarded packet can be checked by the firewall two times:

1. When a packet is received on the ed0 interface, the mbuf associated with this
packet gets a property "receiving interface". This packet is checked for the
inbound direction and can be matched by the "in" and "recv ed0" opcodes.
If it was not dropped by rules, it will go through the IP stack and can be
forwarded according to the routing table via interface ed1.

2. When the routing decision has been made (i.e. the outbound interface is
determined), the packet is checked by the firewall again, now for the outbound
direction. And it can be matched by the "out" and "xmit ed1" opcodes. The
opcode "recv ed0" can still be matched too, but the "in" opcode will not be
matched.

A packet destined for the local host is consumed by the local IP stack and will
not be forwarded. It is checked by the firewall only one time (usually). Thus
it cannot have an xmit interface.
--
WBR, Andrey V. Elsukov
O. Hartmann
2018-01-12 10:56:47 UTC
On Tue, 9 Jan 2018 21:23:54 +0300
Post by Andrey V. Elsukov
Post by O. Hartmann
In section RULE OPTIONS, there is recv|xmit|via explained (a bit). There is
ipfw add deny ip from any to any out recv ed0 xmit ed1
Can someone explain a bit more what the semantics of these are? I get
especially confused by the subsequent blocks of text following the line I
mentioned above. Since not everybody using FreeBSD is capable of studying
the kernel sources, I have difficulties putting those statements in line
with a visualization of the packet flow. A local host receiving a packet
destined for the local host cannot have an xmit interface? If I imagine that
the recv interface might be the interface directly adjacent to the in/out
port depicted in section PACKET FLOW, it doesn't give me any idea why there
is no xmit interface.
When your system has two interfaces ed0 and ed1, and it acts as a router,
1. When a packet is received on the ed0 interface, the mbuf associated with this
packet gets a property "receiving interface". This packet is checked for the
inbound direction and can be matched by the "in" and "recv ed0" opcodes.
If it was not dropped by rules, it will go through the IP stack and can be
forwarded according to the routing table via interface ed1.
2. When the routing decision has been made (i.e. the outbound interface is
determined), the packet is checked by the firewall again, now for the outbound
direction. And it can be matched by the "out" and "xmit ed1" opcodes. The
opcode "recv ed0" can still be matched too, but the "in" opcode will not be
matched.
A packet destined for the local host is consumed by the local IP stack and will
not be forwarded. It is checked by the firewall only one time (usually). Thus
it cannot have an xmit interface.
Thanks very much for the explanation.

Rodney W. Grimes
2018-01-09 23:00:10 UTC
Post by Andrey V. Elsukov
Post by O. Hartmann
In section RULE OPTIONS, there is recv|xmit|via explained (a bit). There is
ipfw add deny ip from any to any out recv ed0 xmit ed1
Can someone explain a bit more what the semantics of these are? I get especially
confused by the subsequent blocks of text following the line I mentioned above.
Since not everybody using FreeBSD is capable of studying the kernel sources, I
have difficulties putting those statements in line with a visualization of the
packet flow. A local host receiving a packet destined for the local host cannot
have an xmit interface? If I imagine that the recv interface might be the
interface directly adjacent to the in/out port depicted in section PACKET FLOW,
it doesn't give me any idea why there is no xmit interface.
When your system has two interfaces ed0 and ed1, and it acts as a router,
1. When a packet is received on the ed0 interface, the mbuf associated with this
packet gets a property "receiving interface". This packet is checked for the
inbound direction and can be matched by the "in" and "recv ed0" opcodes.
in, recv and via options
Post by Andrey V. Elsukov
If it was not dropped by rules, it will go through the IP stack and can be
forwarded according to the routing table via interface ed1.
2. When the routing decision has been made (i.e. the outbound interface is
determined), the packet is checked by the firewall again, now for the outbound
direction. And it can be matched by the "out" and "xmit ed1" opcodes. The
in, recv and via options
Post by Andrey V. Elsukov
opcode "recv ed0" can still be matched too, but the "in" opcode will not be
matched.
A packet destined for the local host is consumed by the local IP stack and will
not be forwarded. It is checked by the firewall only one time (usually). Thus
it cannot have an xmit interface.
And a packet generated locally would not have a recv interface.
Post by Andrey V. Elsukov
--
WBR, Andrey V. Elsukov
--
Rod Grimes ***@freebsd.org
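A small model of the two-pass behaviour that Andrey and Rodney describe above, as an added example; it is not code from the ipfw project or from anyone in the thread. It assumes a constructed subset of the rule syntax (only in/out, recv, xmit and via options), uses the interface names ed0 and ed1 from the thread, and models "via" as the outbound interface once the routing decision is known and the receive interface otherwise, which is an assumption of this model rather than something stated in the thread.

```python
"""Toy model of which ipfw interface options can match at each firewall pass.

Added example, not code from the ipfw project or from the thread. It encodes
the explanation given in the thread: a forwarded packet is checked twice,
first inbound (receive interface known, no transmit interface yet) and then
outbound (both known); a packet for the local host is checked once, inbound;
a locally generated packet is checked once, outbound, with no receive
interface. Rule syntax and scenarios are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """The two mbuf properties the interface options are compared against."""
    rcvif: Optional[str]  # receiving interface; None for a locally generated packet
    oif: Optional[str]    # outbound interface; None until the routing decision is made


@dataclass
class Rule:
    number: int
    action: str                      # "allow", "deny" (or "count" for a probe)
    direction: Optional[str] = None  # "in", "out", or None for either
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction is not None and self.direction != direction:
            return False
        # recv: the receive interface stays attached to the mbuf, so it can be
        # tested on the inbound pass and again on the outbound pass.
        if self.recv is not None and pkt.rcvif != self.recv:
            return False
        # xmit: compared with the outbound interface; on the inbound pass none
        # has been chosen yet, so "xmit" can never match there.
        if self.xmit is not None and pkt.oif != self.xmit:
            return False
        # via: modelled here (assumption) as the outbound interface once it is
        # known, otherwise the receive interface.
        if self.via is not None and (pkt.oif or pkt.rcvif) != self.via:
            return False
        return True


def firewall_passes(kind: str) -> List[Tuple[str, Packet]]:
    """(direction, packet as the firewall sees it) for every pass of a packet.

    Constructed scenarios: the packet arrives on ed0 and, if forwarded, leaves
    on ed1; a locally generated packet is routed out through ed1.
    """
    if kind == "forwarded":
        return [("in", Packet("ed0", None)), ("out", Packet("ed0", "ed1"))]
    if kind == "local_delivery":
        return [("in", Packet("ed0", None))]
    if kind == "local_origin":
        return [("out", Packet(None, "ed1"))]
    raise ValueError(f"unknown scenario {kind!r}")


# One probe rule per option, used only to ask "would this option match here?"
PROBES = [
    ("in", Rule(0, "count", direction="in")),
    ("out", Rule(0, "count", direction="out")),
    ("recv ed0", Rule(0, "count", recv="ed0")),
    ("xmit ed1", Rule(0, "count", xmit="ed1")),
    ("via ed0", Rule(0, "count", via="ed0")),
    ("via ed1", Rule(0, "count", via="ed1")),
]


def matching_options(kind: str) -> List[Tuple[str, List[str]]]:
    """For each pass of the scenario, the option names that would match."""
    return [(d, [name for name, probe in PROBES if probe.matches(p, d)])
            for d, p in firewall_passes(kind)]


def evaluate(rules: List[Rule], kind: str) -> List[Tuple[str, int, str]]:
    """First matching rule on each pass; ipfw stops at the first match."""
    verdicts = []
    for d, p in firewall_passes(kind):
        for rule in rules:
            if rule.matches(p, d):
                verdicts.append((d, rule.number, rule.action))
                break
    return verdicts


# The rule from the thread plus a constructed catch-all allow.
THREAD_RULES = [
    Rule(100, "deny", direction="out", recv="ed0", xmit="ed1"),
    Rule(65000, "allow"),
]

if __name__ == "__main__":
    for scenario in ("forwarded", "local_delivery", "local_origin"):
        print(scenario)
        for d, names in matching_options(scenario):
            print(f"  {d:3} pass: {', '.join(names)}")
        print("  verdicts:", evaluate(THREAD_RULES, scenario))
```

Running it shows the forwarded packet passing the inbound check (only "in", "recv ed0" and "via ed0" match there) and being denied on the outbound pass by the thread's rule, while the locally delivered and locally generated packets each see only one pass, the latter with no receive interface at all.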