From owner-freebsd-ipfw Wed Jun 26 13:17:44 2002
Date: Wed, 26 Jun 2002 12:28:58 -0700
From: rick norman
Subject: Re: ipfw and aliases
To: freebsd-ipfw@freebsd.org
Message-id: <3D1A15F9.7589DCE7@lmco.com>
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org> <3CE3F5A7.FE02E845@lmco.com>

Did this issue ever get resolved or is there some hope it can be incorporated?
 

rick norman wrote:

 

Here is an example (please view in fix point font)

Src       Hop1       Hop2       Dest
-+-       -+-        -+-        -+-
 |         |          |          |
 +---------+----------+----------+
10.0.0.1  10.0.0.2
          10.0.1.1  10.0.1.2
          10.0.2.1  10.0.2.2
          10.0.3.1  10.0.3.2
                    10.0.4.2    10.0.4.3

Notes:
Subnet mask=255.255.255.0 for all
there is only one NIC in each computer
All the computers are connected to an ethernet switch.
We are manually manipulating the routing table on hop2 and hop3 for the destination.

The topology above allows us to get to destination address
10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.

We would like to be able to set up IPFW rules and Dummynet Pipes
to vary the link quality between hop1 and hop2
depending on which of the three routes is taken to the destination.

We need a firewall rule that reads like this

0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1

The problem is that currently the via 10.0.1.1 and 10.0.2.1 and 10.0.3.1 all resolve to the same
interface and therefore only pipe 1 is used. That's why I would like subnets to be used
instead of the interface to which they resolve. Actually, I think the via qualifier would make
more sense if it was able to differentiate subnets. If you have any way of making this work please
let me know.

Thanks,
Rick Norman
 

"Crist J. Clark" wrote:

On Tue, May 14, 2002 at 01:45:10PM -0700, rick norman wrote:
> I'm probably giving too little detail.  Basically I'm configuring bsd 4.5
> as an intermediate node router in a fairly complex topology.  The different
> aliases on an interface allow me to take different paths through this topology
> based on the subnets.  What I want to do is apply different characteristics
> to multiple data streams based on the subnet they take leaving my router.
> The pkt only has src and des ip which says nothing about the path the routing
> protocols have picked.

What information are the routing protocols using besides the
destination IP?

> The rules that I see available in the ipfw would catch
> all the aliases leaving on an interface with no differentiation.

Because there is no difference. The only information available on a
packet being forwarded are the interface it came in on, the interface
it is going out of, the next hop, and of course the data in the packet
itself (the source and destination IPs). I'm not sure what other
information you are trying to tap into.

> It seems that
> another key word, similar to the 'via' qualifier would allow me to individually
> grab the outbound aliases.  The needed info is available in the routing table
> in the form of the next hop router, I just don't see a way to grab a pkt based
> on the next hop address or the outbound subnet.

Examining the next hop address on outgoing packets is not a big deal.
It would be straightforward to add it to ipfw(8). But I'm still not
sure what it has to do with local alias addresses.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

--
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

wk: 408 742 1619
rick.norman@lmco.com
hm: 650 726 0677
rnorman@ikaika.com
cell: 650 303 3877
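Added example, not from the thread and not ipfw's code: a Python toy model of hop1's classification in the topology above. It shows why the three "via <alias>" rules all select pipe 1 (each alias is reduced to its interface, and there is only one), while a qualifier matching on the route's next hop, as Crist describes, would select a distinct pipe per path. The interface name fxp0 and the /24 masks on every address are assumptions.

```python
import ipaddress

# Constructed model of hop1: one NIC carrying the primary address plus the
# three aliases from the diagram, all with the /24 mask the thread states.
IFACE_ADDRS = {"fxp0": ["10.0.0.2/24", "10.0.1.1/24", "10.0.2.1/24", "10.0.3.1/24"]}

# The three next hops on hop2 that the manually edited routing table can
# point the 10.0.4.3 route at (one is active at a time).
ROUTES_TO_DEST = ["10.0.1.2", "10.0.2.2", "10.0.3.2"]

# The rule set from the thread: (rule number, pipe, destination, via address).
VIA_RULES = [(100, 1, "10.0.4.3", "10.0.1.1"),
             (200, 2, "10.0.4.3", "10.0.2.1"),
             (300, 3, "10.0.4.3", "10.0.3.1")]

def iface_for_address(addr):
    """Resolve a local address to the interface carrying it (what 'via <ip>' does)."""
    for name, cidrs in IFACE_ADDRS.items():
        if any(ipaddress.ip_address(addr) == ipaddress.ip_interface(c).ip for c in cidrs):
            return name
    raise ValueError(f"{addr} is not a local address")

def egress_iface(next_hop):
    """Pick the interface whose subnet contains the next hop (the route's egress)."""
    nh = ipaddress.ip_address(next_hop)
    for name, cidrs in IFACE_ADDRS.items():
        if any(nh in ipaddress.ip_interface(c).network for c in cidrs):
            return name
    raise ValueError(f"no interface reaches {next_hop}")

def classify_via(dst, next_hop):
    """'via <ip>' semantics: the address collapses to its interface, so the first
    rule whose interface equals the egress interface wins for every path."""
    out_if = egress_iface(next_hop)
    for _num, pipe, rule_dst, via in VIA_RULES:
        if rule_dst == dst and iface_for_address(via) == out_if:
            return pipe
    return None

def classify_next_hop(dst, next_hop):
    """Hypothetical next-hop qualifier: match when the route's next hop lies in
    the alias's own /24, which is the distinction the thread asks for."""
    nh = ipaddress.ip_address(next_hop)
    for _num, pipe, rule_dst, via in VIA_RULES:
        if rule_dst == dst and nh in ipaddress.ip_interface(via + "/24").network:
            return pipe
    return None

def compare():
    """Map each next hop to (pipe chosen by 'via', pipe chosen by next-hop match)."""
    return {nh: (classify_via("10.0.4.3", nh), classify_next_hop("10.0.4.3", nh))
            for nh in ROUTES_TO_DEST}
```

Running compare() gives pipe 1 for all three next hops under the interface-based match and pipes 1, 2, 3 under the next-hop match.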