author: julian <julian@FreeBSD.org> 2006-08-17 22:49:50 +0000
committer: julian <julian@FreeBSD.org> 2006-08-17 22:49:50 +0000
commit: ff9e3178175b11cd7809c6ada10182a3554f2397 (patch)
tree: 13d3659c8c675327f2a39e3b2a6d78953ca0abc2 /sbin/ipfw/ipfw.8
parent: 59cd950be143bf9ff3f67c3a051757216f0b9933 (diff)
download: FreeBSD-src-ff9e3178175b11cd7809c6ada10182a3554f2397.zip
FreeBSD-src-ff9e3178175b11cd7809c6ada10182a3554f2397.tar.gz
Allow ipfw to forward to a destination that is specified by a table.
for example:
fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2
This allows trivial implementation of a secondary routing table implemented in the firewall layer.
I expect more work (under discussion with Glebius) to follow this to clean up some of the messy parts of ipfw related to tables.

Reviewed by: Glebius
MFC after: 1 month
Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r-- sbin/ipfw/ipfw.8 | 18
1 files changed, 16 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 3c7aac4..6321589 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -684,10 +684,14 @@ Divert packets that match this rule to the
socket bound to port
.Ar port .
The search terminates.
-.It Cm fwd | forward Ar ipaddr Ns Op , Ns Ar port
+.It Cm fwd | forward Ar ipaddr | tablearg Ns Op , Ns Ar port
Change the next-hop on matching packets to
.Ar ipaddr ,
which can be an IP address or a host name.
+The next hop can also be supplied by the last table
+looked up for the packet by using the
+.Em tablearg
+keyword instead of an explicit address.
The search terminates if this rule matches.
.Pp
If
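Review bot: the mdoc markup for the new keyword is inconsistent within this hunk and with the rest of the page. The synopsis line marks it as an argument (`.Ar ipaddr | tablearg`) and the body marks it with `.Em tablearg`, while the tablearg section below uses `.Cm tablearg`; `tablearg` is a literal keyword, so `.Ar ipaddr | Cm tablearg` in the synopsis and `.Cm tablearg` in the body would match the manual's existing convention. It would also help the reader to say here what value the table entry must carry (an address or host name, as the later hunk states), since for the other tablearg actions the table value is a number.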
@@ -1584,11 +1588,14 @@ This can significantly reduce number of rules in some configurations.
The
.Cm tablearg
argument can be used with the following actions:
-.Cm pipe , queue, divert, tee, netgraph, ngtee,
+.Cm pipe , queue, divert, tee, netgraph, ngtee, fwd
action parameters:
.Cm tag, untag,
rule options:
.Cm limit, tagged.
+.Pp
+When used with 'fwd' it is possible to supply table entries with values
+that are in the form of IP addresses or hostnames.
See the
.Sx EXAMPLES
Section for example usage of tables and the tablearg keyword.
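Review bot: the added sentence quotes the action as 'fwd' in plain text, whereas every other keyword in this section is set with `.Cm`; use `.Cm fwd` for consistency with the list just above it. The sentence also leaves open whether a hostname in a table entry is resolved once when the entry is added or at each lookup; stating which (and what happens to a packet whose table value cannot be used as a next hop) would save the reader a trip to the source.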
@@ -2380,6 +2387,13 @@ Then we classify traffic using a single rule:
.Dl "ipfw table 1 add 192.168.0.2 1"
.Dl "..."
.Dl "ipfw pipe tablearg ip from table(1) to any"
+.Pp
+Using the fwd action, the table entries may include hostnames and IP addresses.
+.Pp
+.Dl "ipfw table 1 add 192.168.2.0/24 10.23.2.1"
+.Dl "ipfw table 1 add 192.168.0.0/27 router1.dmz"
+.Dl "..."
+.Dl "ipfw add 100 fwd tablearg ip from any to table(1)"
.Ss SETS OF RULES
To add a set of rules atomically, e.g.\& set 18:
.Pp
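Review bot: the new example shows the table contents and the rule but never says what they do; one sentence such as "traffic to 192.168.2.0/24 is forwarded to 10.23.2.1 and traffic to 192.168.0.0/27 to router1.dmz" would make the destination-prefix/next-hop pairing explicit, in line with the commit message. Also, the example is introduced with a bare `.Pp` before the `.Dl` lines while the preceding pipe example runs straight from its sentence into the `.Dl` lines; pick one layout for both.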