From owner-freebsd-ipfw Tue May 14 11:42: 2 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailgw3a.lmco.com (mailgw3a.lmco.com [192.35.35.7]) by hub.freebsd.org (Postfix) with ESMTP id 1352837B40C; Tue, 14 May 2002 11:41:53 -0700 (PDT)
Received: from emss01g01.ems.lmco.com ([129.197.181.54]) by mailgw3a.lmco.com (8.11.6/8.11.6) with ESMTP id g4EIfaR20494; Tue, 14 May 2002 14:41:40 -0400 (EDT)
Received: from CONVERSION-DAEMON by lmco.com (PMDF V5.2-33 #38886) id <0GW400O016LB3Q@lmco.com>; Tue, 14 May 2002 11:41:35 -0700 (PDT)
Received: from lmco.com ([129.197.20.43]) by lmco.com (PMDF V5.2-33 #38886) with ESMTP id <0GW40040B6L7AV@lmco.com>; Tue, 14 May 2002 11:41:31 -0700 (PDT)
Date: Tue, 14 May 2002 11:38:20 -0700
From: rick norman
Subject: Re: ipfw and aliases
To: "Crist J. Clark"
Cc: freebsd-ipfw@FreeBSD.ORG
Message-id: <3CE1599C.42071126@lmco.com>
MIME-version: 1.0
X-Mailer: Mozilla 4.79 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Accept-Language: en
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

This is true for the inbound path; however, for the outbound path the info is
available. It should be possible to have a qualifier that recognizes the
aliases independently from the interface.

Rick

"Crist J. Clark" wrote:

> On Thu, May 09, 2002 at 07:14:06PM -0700, rick norman wrote:
> > Is it possible to write a firewall rule for a router with one interface
> > with multiple aliased IP addresses that will grab pkts based on the
> > IP alias they are routed in or out on, rather than the src or dest
> > address of the pkt.
>
> No, there is no way to do this. The information is simply not
> available to the system.
> There is no way for it to know what IP address a remote machine might
> have used to pick its link-layer address for forwarding the packet.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue May 14 13:20:49 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id A0EBF37B405 for ; Tue, 14 May 2002 13:20:45 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020514201101.LHJS25294.rwcrmhc52.attbi.com@blossom.cjclark.org>; Tue, 14 May 2002 20:11:01 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g4EKB0957123; Tue, 14 May 2002 13:11:00 -0700 (PDT) (envelope-from crist.clark@attbi.com)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Tue, 14 May 2002 13:11:00 -0700
From: "Crist J. Clark"
To: rick norman
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and aliases
Message-ID: <20020514131100.A57077@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3CE1599C.42071126@lmco.com>; from rick.norman@lmco.com on Tue, May 14, 2002 at 11:38:20AM -0700
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, May 14, 2002 at 11:38:20AM -0700, rick norman wrote:
> This is true for the inbound path; however, for the outbound path the
> info is available. It should be possible to have a qualifier that recognizes
> the aliases independently from the interface.

I don't understand. The outbound path will be the next hop. The next
hop is determined by the destination address of the packet and has
nothing to do with local addresses on the machine.

For packets from the local machine, you can use the source address.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue May 14 13:55:30 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailgw3a.lmco.com (mailgw3a.lmco.com [192.35.35.7]) by hub.freebsd.org (Postfix) with ESMTP id 00F6837B404 for ; Tue, 14 May 2002 13:55:25 -0700 (PDT)
Received: from emss01g01.ems.lmco.com ([129.197.181.54]) by mailgw3a.lmco.com (8.11.6/8.11.6) with ESMTP id g4EKtMR11428; Tue, 14 May 2002 16:55:22 -0400 (EDT)
Received: from CONVERSION-DAEMON by lmco.com (PMDF V5.2-33 #38886) id <0GW400H01BGQGA@lmco.com>; Tue, 14 May 2002 13:55:14 -0700 (PDT)
Received: from lmco.com ([129.197.20.43]) by lmco.com (PMDF V5.2-33 #38886) with ESMTP id <0GW40019WCGKPO@lmco.com>; Tue, 14 May 2002 13:48:20 -0700 (PDT)
Date: Tue, 14 May 2002 13:45:10 -0700
From: rick norman
Subject: Re: ipfw and aliases
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Message-id: <3CE17755.12735706@lmco.com>
MIME-version: 1.0
X-Mailer: Mozilla 4.79 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Accept-Language: en
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I'm probably giving too little detail. Basically I'm configuring bsd 4.5
as an intermediate node router in a fairly complex topology. The different
aliases on an interface allow me to take different paths through this topology
based on the subnets. What I want to do is apply different characteristics
to multiple data streams based on the subnet they take leaving my router.
The pkt only has src and dest IP, which says nothing about the path the routing
protocols have picked. The rules that I see available in the ipfw would catch
all the aliases leaving on an interface with no differentiation. It seems that
another keyword, similar to the 'via' qualifier, would allow me to individually
grab the outbound aliases. The needed info is available in the routing table
in the form of the next hop router; I just don't see a way to grab a pkt based
on the next hop address or the outbound subnet.

Rick

"Crist J. Clark" wrote:

> On Tue, May 14, 2002 at 11:38:20AM -0700, rick norman wrote:
> > This is true for the inbound path; however, for the outbound path the
> > info is available. It should be possible to have a qualifier that recognizes
> > the aliases independently from the interface.
>
> I don't understand. The outbound path will be the next hop. The next
> hop is determined by the destination address of the packet and has
> nothing to do with local addresses on the machine.
>
> For packets from the local machine, you can use the source address.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue May 14 22:47:46 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 440E437B404 for ; Tue, 14 May 2002 22:47:38 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020514222231.QOGO2901.rwcrmhc53.attbi.com@blossom.cjclark.org>; Tue, 14 May 2002 22:22:31 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g4EMMUm57429; Tue, 14 May 2002 15:22:30 -0700 (PDT) (envelope-from crist.clark@attbi.com)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Tue, 14 May 2002 15:22:29 -0700
From: "Crist J. Clark"
To: rick norman
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and aliases
Message-ID: <20020514152229.B57077@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3CE17755.12735706@lmco.com>; from rick.norman@lmco.com on Tue, May 14, 2002 at 01:45:10PM -0700
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, May 14, 2002 at 01:45:10PM -0700, rick norman wrote:
> I'm probably giving too little detail. Basically I'm configuring bsd 4.5
> as an intermediate node router in a fairly complex topology. The different
> aliases on an interface allow me to take different paths through this topology
> based on the subnets. What I want to do is apply different characteristics
> to multiple data streams based on the subnet they take leaving my router.
> The pkt only has src and dest IP, which says nothing about the path the routing
> protocols have picked.

What information are the routing protocols using besides the
destination IP?

> The rules that I see available in the ipfw would catch
> all the aliases leaving on an interface with no differentiation.

Because there is no difference. The only information available on a
packet being forwarded are the interface it came in on, the interface
it is going out of, the next hop, and of course the data in the packet
itself (the source and destination IPs). I'm not sure what other
information you are trying to tap into.

> It seems that
> another keyword, similar to the 'via' qualifier, would allow me to individually
> grab the outbound aliases.
> The needed info is available in the routing table
> in the form of the next hop router; I just don't see a way to grab a pkt based
> on the next hop address or the outbound subnet.

Examining the next hop address on outgoing packets is not a big deal.
It would be straightforward to add it to ipfw(8). But I'm still not
sure what it has to do with local alias addresses.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Wed May 15 9:44:12 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from relay1.jet.msk.su (relay1.jet.msk.su [194.87.88.34]) by hub.freebsd.org (Postfix) with ESMTP id BF3E137B403 for ; Wed, 15 May 2002 09:44:08 -0700 (PDT)
Received: from tiger ([193.124.4.1] helo=tiger.jet.msk.su) by relay1.jet.msk.su with smtp (Exim 3.22 #1) id 1781si-000774-00 for ipfw@freebsd.org; Wed, 15 May 2002 20:44:04 +0400
Received: from eel.service.jet.msk.su [192.168.10.183] by tiger.jet.msk.su with esmtp (Exim 1.73 #2) id 1781se-0003vO-00; Wed, 15 May 2002 20:44:00 +0400
Message-ID: <3CE28FA9.9C7C0200@jet.msk.su>
Date: Wed, 15 May 2002 20:41:13 +0400
From: "Andrew V. Jemerya"
Organization: Jet Infosystems
X-Mailer: Mozilla 4.78 [en] (X11; U; SunOS 5.8 i86pc)
X-Accept-Language: ru, en
MIME-Version: 1.0
To: ipfw@FreeBSD.org
Subject: iplen and tos
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi!

Will the iplen and tos filtering options be committed in the upcoming 4.6 RELEASE?
From owner-freebsd-ipfw Thu May 16 11:13:28 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailgw3a.lmco.com (mailgw3a.lmco.com [192.35.35.7]) by hub.freebsd.org (Postfix) with ESMTP id 405A537B406 for ; Thu, 16 May 2002 11:13:17 -0700 (PDT)
Received: from emss01g01.ems.lmco.com ([129.197.181.54]) by mailgw3a.lmco.com (8.11.6/8.11.6) with ESMTP id g4GIDDR03970; Thu, 16 May 2002 14:13:13 -0400 (EDT)
Received: from CONVERSION-DAEMON by lmco.com (PMDF V5.2-33 #38886) id <0GW700B01UKESN@lmco.com>; Thu, 16 May 2002 11:13:11 -0700 (PDT)
Received: from lmco.com ([129.197.20.43]) by lmco.com (PMDF V5.2-33 #38886) with ESMTP id <0GW700GF2UJ88S@lmco.com>; Thu, 16 May 2002 11:11:33 -0700 (PDT)
Date: Thu, 16 May 2002 11:08:40 -0700
From: rick norman
Subject: Re: ipfw and aliases
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Message-id: <3CE3F5A7.FE02E845@lmco.com>
MIME-version: 1.0
X-Mailer: Mozilla 4.79 [en] (WinNT; U)
Content-type: multipart/alternative; boundary="Boundary_(ID_9NyJBOx3ELrSQmKY8PK+BA)"
X-Accept-Language: en
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Here is an example (please view in a fixed-width font)

Src       Hop1       Hop2       Dest
-+-       -+-        -+-        -+-
 |         |          |          |
 +---------+----------+----------+
10.0.0.1  10.0.0.2
          10.0.1.1  10.0.1.2
          10.0.2.1  10.0.2.2
          10.0.3.1  10.0.3.2
                    10.0.4.2    10.0.4.3

Notes:
Subnet mask=255.255.255.0 for all
There is only one NIC in each computer
All the computers are connected to an Ethernet switch.
We are manually manipulating the routing table on hop2 and hop3 for the destination.

The topology above allows us to get to destination address
10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.

We would like to be able to set up IPFW rules and Dummynet pipes
to vary the link quality between hop1 and hop2
depending on which of the three routes is taken to the destination.

We need a firewall rule that reads like this

0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1

The problem is that currently via 10.0.1.1, 10.0.2.1 and 10.0.3.1 all resolve to the same
interface and therefore only pipe 1 is used. That's why I would like subnets to be used
instead of the interface to which they resolve. Actually, I think the via qualifier would make
more sense if it was able to differentiate subnets. If you have any way of making this work please
let me know.

Thanks,
Rick Norman

"Crist J. Clark" wrote:

> On Tue, May 14, 2002 at 01:45:10PM -0700, rick norman wrote:
> > I'm probably giving too little detail. Basically I'm configuring bsd 4.5
> > as an intermediate node router in a fairly complex topology. The different
> > aliases on an interface allow me to take different paths through this topology
> > based on the subnets. What I want to do is apply different characteristics
> > to multiple data streams based on the subnet they take leaving my router.
> > The pkt only has src and dest IP, which says nothing about the path the routing
> > protocols have picked.
>
> What information are the routing protocols using besides the
> destination IP?
>
> > The rules that I see available in the ipfw would catch
> > all the aliases leaving on an interface with no differentiation.
>
> Because there is no difference. The only information available on a
> packet being forwarded are the interface it came in on, the interface
> it is going out of, the next hop, and of course the data in the packet
> itself (the source and destination IPs). I'm not sure what other
> information you are trying to tap into.
>
> > It seems that
> > another keyword, similar to the 'via' qualifier, would allow me to individually
> > grab the outbound aliases. The needed info is available in the routing table
> > in the form of the next hop router; I just don't see a way to grab a pkt based
> > on the next hop address or the outbound subnet.
>
> Examining the next hop address on outgoing packets is not a big deal.
> It would be straightforward to add it to ipfw(8). But I'm still not
> sure what it has to do with local alias addresses.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

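The three rules in Rick's last message, and Crist's point that a forwarded packet offers only its ingress interface, its egress interface, its next hop and its own addresses, as an added example that is not part of the thread and is not FreeBSD's ipfw code. The Python below models Hop1 from the diagram: one NIC carrying the four /24 aliases, three constructed routing tables (one per path to 10.0.4.3), and a rule walker that evaluates `via <address>` the way ipfw does, by resolving the address to the interface that owns it. That is why the three `via` rules all fire rule 0100 no matter which path the routing table has chosen. The same walker also evaluates a `nexthop` qualifier keyed on the next hop's subnet; that qualifier is hypothetical (Crist only says next-hop matching would be straightforward to add; ipfw had no such keyword) and exists here to show that the routing decision, not the packet, carries the information Rick wants. The interface name fxp0 and the routing tables are assumptions.

```python
# Added example (not code from the thread or from FreeBSD): a model of why
# `via <address>` cannot separate aliases on one NIC, and of the next-hop
# match Crist says would be straightforward to add. Assumed: the NIC is
# fxp0, the routing tables are constructed, `nexthop` is hypothetical.
from ipaddress import ip_address, ip_interface, ip_network

# Hop1 from the diagram: one interface carrying four /24 aliases.
INTERFACES = {
    "fxp0": [ip_interface(a) for a in
             ("10.0.0.2/24", "10.0.1.1/24", "10.0.2.1/24", "10.0.3.1/24")],
}

# Constructed routing tables for Hop1, one per path; each sends
# 10.0.4.0/24 to a different Hop2 address.
ROUTE_CHOICES = {
    "path 1": [("10.0.4.0/24", "10.0.1.2")],
    "path 2": [("10.0.4.0/24", "10.0.2.2")],
    "path 3": [("10.0.4.0/24", "10.0.3.2")],
}

# Rick's rules as posted, and the same rules keyed on the outbound
# subnet with the hypothetical `nexthop` qualifier.
RULES_VIA = [
    (100, "pipe 1", "10.0.4.3", {"via": "10.0.1.1"}),
    (200, "pipe 2", "10.0.4.3", {"via": "10.0.2.1"}),
    (300, "pipe 3", "10.0.4.3", {"via": "10.0.3.1"}),
]
RULES_NEXTHOP = [
    (100, "pipe 1", "10.0.4.3", {"nexthop": "10.0.1.0/24"}),
    (200, "pipe 2", "10.0.4.3", {"nexthop": "10.0.2.0/24"}),
    (300, "pipe 3", "10.0.4.3", {"nexthop": "10.0.3.0/24"}),
]

def resolve_via(addr):
    """What ipfw does with `via <address>`: map it to the owning
    interface. Only the interface name survives the lookup."""
    a = ip_address(addr)
    for ifname, aliases in INTERFACES.items():
        if any(al.ip == a for al in aliases):
            return ifname
    raise ValueError(f"{addr} is not a local address")

def next_hop(dst, routes):
    """Longest-prefix match over (network, gateway) pairs."""
    d = ip_address(dst)
    best = None
    for net_s, gw_s in routes:
        net = ip_network(net_s)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ip_address(gw_s))
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def outbound_alias(gw):
    """The local alias on the next hop's subnet: Rick's 'outbound subnet'.
    It comes from the routing decision, not from the packet."""
    for aliases in INTERFACES.values():
        for al in aliases:
            if gw in al.network:
                return al.ip
    raise LookupError(f"next hop {gw} is not on a connected subnet")

def first_match(rules, dst, routes):
    """Walk the rules in order, like ipfw, for a forwarded packet to dst;
    return (rule number, action) of the first match."""
    gw = next_hop(dst, routes)
    out_if = next(ifn for ifn, al in INTERFACES.items()
                  if any(gw in a.network for a in al))
    d = ip_address(dst)
    for number, action, rule_dst, quals in rules:
        if d != ip_address(rule_dst):
            continue
        # `via`: interface identity, exactly as ipfw compares it.
        if "via" in quals and resolve_via(quals["via"]) != out_if:
            continue
        # hypothetical `nexthop`: the routing table's gateway.
        if "nexthop" in quals and gw not in ip_network(quals["nexthop"]):
            continue
        return number, action
    return 65535, "default"

def compare(dst="10.0.4.3"):
    """Per routing table: next hop, implied alias, and the rule that fires
    under each ruleset."""
    out = {}
    for name, routes in ROUTE_CHOICES.items():
        gw = next_hop(dst, routes)
        out[name] = {"next_hop": str(gw),
                     "outbound_alias": str(outbound_alias(gw)),
                     "via_rule": first_match(RULES_VIA, dst, routes)[0],
                     "nexthop_rule": first_match(RULES_NEXTHOP, dst, routes)[0]}
    return out

if __name__ == "__main__":
    for path, info in compare().items():
        print(path, info)
```

Running it prints one line per path: the `via` column reads 100 for all three because `resolve_via` returns fxp0 for 10.0.1.1, 10.0.2.1 and 10.0.3.1 alike, while the next hop (10.0.1.2, 10.0.2.2 or 10.0.3.2) picks out exactly the alias Rick wants to pipe on. The model deliberately stops there: it does not reproduce ipfw's other match fields or its default rule, and nothing in it should be read as a claim that a `nexthop` keyword exists.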