Date: Thu, 23 May 2002 00:18:44 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: rick norman <rick.norman@lmco.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and aliases
Message-ID: <20020523001844.B9562@blossom.cjclark.org>
In-Reply-To: <3CE3F5A7.FE02E845@lmco.com>; from rick.norman@lmco.com on Thu, May 16, 2002 at 11:08:40AM -0700
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org> <3CE3F5A7.FE02E845@lmco.com>
On Thu, May 16, 2002 at 11:08:40AM -0700, rick norman wrote:

I've been meaning to dig into this a bit more, but haven't had the time yet. However, I wanted to make some remarks before the holiday weekend.

> Here is an example (please view in fixed point font)
>
>     Src        Hop1       Hop2       Dest
>     -+-        -+-        -+-        -+-
>      |          |          |          |
>      +----------+----------+----------+
> 10.0.0.1   10.0.0.2
>            10.0.1.1   10.0.1.2
>            10.0.2.1   10.0.2.2
>            10.0.3.1   10.0.3.2
>                       10.0.4.2   10.0.4.3
>
> Notes:
> Subnet mask=255.255.255.0 for all
> there is only one NIC in each computer
> All the computers are connected to an ethernet switch.
> We are manually manipulating the routing table on hop2 and hop3 for the destination.
>
> The topology above allows us to get to destination address
> 10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.
>
> We would like to be able to setup IPFW rules and Dummynet Pipes
> to vary the link quality between hop1 and hop2
> depending on which of the three routes are taken to the destination.
>
> We need a firewall rule that reads like this
>
> 0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
> 0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
> 0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1

There are some problems with this format. As we agreed on earlier in the thread, you cannot know what alias received a packet. The interface gets a packet by its link-layer address, and the alias IP is nowhere to be found in the IP datagram. So the rules cannot work the way you want on incoming packets. It's only worthwhile to discuss outgoing packets.

The next-hop IP address is _definitely_ available to the firewall code. As for the "source alias" address, it _may_ be available. I've been meaning to have a closer look at the code, but that has been what has been holding up my reply. I want to see what address ends up in the ifaddr structure pointed to in the rtentry; if it's the alias address. If it is, you could filter outgoing packets in the manner you desire.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
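To illustrate the direction point made in the reply, here is an added Python model (not code from the thread or from FreeBSD) of hop1's single NIC with its three aliases; the way the kernel picks an ifaddr for each hand-set route is exactly the assumption the reply says still needs checking, and is marked as such in the code.

```python
import ipaddress
from dataclasses import dataclass

# Hop1 from the diagram: one NIC carrying the primary address plus three
# aliases. Constructed to match the thread, not read from a real host.
HOP1_ADDRS = [ipaddress.ip_interface(a) for a in
              ("10.0.0.2/24", "10.0.1.1/24", "10.0.2.1/24", "10.0.3.1/24")]

# The three rules from the thread, keyed on the address named after 'via'.
RULES = {"10.0.1.1": 1, "10.0.2.1": 2, "10.0.3.1": 3}

@dataclass
class RtEntry:
    gateway: str   # next hop chosen by hand on hop1
    ifaddr: str    # local address the kernel associates with the route

def route_lookup(gateway: str) -> RtEntry:
    """Build the rtentry for the hand-set route to 10.0.4.3 via `gateway`.
    Assumption (the open question in the thread): the kernel records as
    ifaddr the local address that shares a subnet with the gateway."""
    gw = ipaddress.ip_address(gateway)
    for ifa in HOP1_ADDRS:
        if gw in ifa.network:
            return RtEntry(gateway, str(ifa.ip))
    raise ValueError(f"gateway {gateway} is not on a directly attached subnet")

def outbound_pipe(gateway: str):
    """Outgoing direction: the firewall can consult the rtentry, so a
    'via <alias>' test can be evaluated against the route's ifaddr."""
    rt = route_lookup(gateway)
    return RULES.get(rt.ifaddr)

def inbound_pipe(src: str, dst: str, recv_iface: str):
    """Incoming direction: all the firewall has is the IP header and the NIC
    the frame arrived on. For forwarded traffic neither src nor dst is a
    hop1 alias, and every alias shares the same NIC, so no rule can match."""
    del src, recv_iface          # present, but carry no alias information
    return RULES.get(dst)        # dst is 10.0.4.3, never a local alias

if __name__ == "__main__":
    for gw in ("10.0.1.2", "10.0.2.2", "10.0.3.2"):
        print(f"hop1 -> 10.0.4.3 via {gw}: outbound pipe {outbound_pipe(gw)}")
    print("inbound from 10.0.0.1:", inbound_pipe("10.0.0.1", "10.0.4.3", "fxp0"))
```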
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020523001844.B9562>