ipfw2 accepts rules like this:

    divert 10000 ip from any to any via fxp0 MAC 00:90:27:a7:5c:72 any

But this rule will never match a packet. And the ipfw(8) man page mentions this nowhere. Yes, it says something:

/* quote start */
Note that as packets flow through the stack, headers can be stripped or added to it, and so they may or may not be available for inspection. E.g., incoming packets will include the MAC header when ipfw is invoked from ether_demux(), but the same packets will have the MAC header stripped off when ipfw is invoked from ip_input().

Also note that each packet is always checked against the complete ruleset, irrespective of the place where the check occurs, or the source of the packet. If a rule contains some match patterns or actions which are not valid for the place of invocation (e.g. trying to match a MAC header within ip_input() ), the match pattern will not match, but a not operator in front of such patterns will cause the pattern to always match on those packets.
/* quote stop */

However, the man page does not say that diversion will occur when ipfw is invoked from ip_input().

Fix: Correct the ipfw(8) man page. It should clearly state that divert can never be used with layer2 packets.

Eugene Grosbein

How-To-Repeat: See description. I needed to count and divert unicast-only packets to an application, tried to use the mentioned rule and failed. I'm forced to rewrite it as a set of three rules (count, skip broadcast and divert) but it took some time to understand what's going wrong.
Hi! The problem is still here for 5.4-STABLE: http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/59835 Eugene Grosbein
This is still the problem for 6.0-RELEASE.
Hi! This is still the problem for 8.3-STABLE. Eugene Grosbein
For bugs matching the following criteria:

Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
My PR.
A commit references this bug:

Author: eugen
Date: Sun Nov 4 06:35:48 UTC 2018
New revision: 340110
URL: https://svnweb.freebsd.org/changeset/base/340110

Log:
  ipfw(8): clarify layer2 processing abilities

  Make it clear that ipfw action set for layer2 frames is a bit limited.

  PR: 59835
  Reviewed by: yuripv
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D17719

Changes:
  head/sbin/ipfw/ipfw.8
A commit references this bug:

Author: eugen
Date: Tue Dec 4 00:41:12 UTC 2018
New revision: 341451
URL: https://svnweb.freebsd.org/changeset/base/341451

Log:
  MFC r340110: ipfw(8): clarify layer2 processing abilities

  Make it clear that ipfw action set for layer2 frames is a bit limited.

  PR: 59835
  Reviewed by: yuripv
  Differential Revision: https://reviews.freebsd.org/D17719

Changes:
  _U stable/12/
  stable/12/sbin/ipfw/ipfw.8
A commit references this bug:

Author: eugen
Date: Tue Dec 4 07:34:47 UTC 2018
New revision: 341458
URL: https://svnweb.freebsd.org/changeset/base/341458

Log:
  MFC r340110: ipfw(8): clarify layer2 processing abilities

  Make it clear that ipfw action set for layer2 frames is a bit limited.

  PR: 59835
  Reviewed by: yuripv
  Differential Revision: https://reviews.freebsd.org/D17719

Changes:
  _U stable/11/
  stable/11/sbin/ipfw/ipfw.8