From: G Bryant <bsd@roamingsolutions.net>
Date: Fri, 09 Dec 2005 07:49:45 +0200
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Programming Question: Policy Based Routing
Message-ID: <43991AF9.1070804@roamingsolutions.net>
References: <4397A2D1.452F290A@freebsd.org> <20051208161245.GB19179@diehard.n-r-g.com>

Ivo Vachkov wrote:
> 2005/12/8, Claudio Jeker <cjeker@diehard.n-r-g.com>:
>> On Thu, Dec 08, 2005 at 01:15:04PM +0200, Ivo Vachkov wrote:
>> Normally it's the other way around.
>
> So be it :)
>
>>> My definition of Policy-Based Routing (PBR): the ability to make
>>> routing decisions based on information other than the destination IP
>>> address in the packet. In my project this "other" information includes
>>> source IP address, L4 protocol, TOS, packet length.
>>>
>>> Implementation:
>>>
>>> Plan 1) This is a complex standalone solution implemented entirely in
>>> the kernel, plus userland utilities (like the route command). The whole
>>> current routing engine will be changed. Instead of a Patricia tree I
>>> implement a list of data structures, each one including a special mask
>>> which identifies which fields of the IP header are used to match the
>>> packet and an AVL tree to store routing information in it. The
>>> algorithm is simple:
>>
>> An AVL tree is far from optimal for route lookups -- think about
>> longest prefix matches. It is even worse than a Patricia tree. Also
>> doing the packet classification as part of the route lookup is IMO a
>> bad idea. Also the linear list that needs to be traversed for every
>> packet is very expensive because you can only do one comparison at a
>> time.
>
> I am aware that this part sux :) That's why I'm asking for other
> people's opinions.
>
>>> Plan B) *Somehow very Linuxish* Using some sort of packet classifier
>>> (for example packet filter matching code) it marks the packet with
>>> some user-defined value. Example:
>>>
>>>     ipfw add mark 10 ip from 192.168.0.0/24 to 192.168.10.0/24
>>>
>>> and:
>>>
>>>     pbr_route add -mark 10 $gateway
>>>
>>> The kernel implementation should check for such marks on every packet
>>> and search for them in a binary search tree (AVL probably). That's it.
>>>
>>> Please, excuse my bad English and poor explanations. If you have any
>>> questions I'll try to explain better, probably using more examples.
>>
>> This is a better approach and much simpler. Pf and IPFW have a
>> powerful classifier and with tables, states, ... it is possible to
>> reduce the classification time significantly.

I am currently using a solution with 5.4 where different packets get
routed out different routes. I'm using IPFW and according to protocol or
source IP (but IPFW can recognise any IP header criteria you like), I
then FWD the packets to the specific gateway required. For this solution
to work, you need to make all the gateways available from a single
external NIC (or multiple NICs that have been ng_hook'd). Let me know if
you would like an example ipfw script.

> However this binds the code with some external software. Furthermore,
> what should I use to "mark" packets originating from the host ... at
> some point it gets too complex to configure, many rules have to be
> written just to get it working ...
>
>> --
>> :wq Claudio

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
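The ipfw-based approach G Bryant describes (classify on protocol or source address, then hand the packet to a chosen gateway with the "fwd" action) can be expressed as a small rule-generating script. The script below is an added example written for this thread, not G Bryant's script or anything from the FreeBSD project; the interface name em0, the gateway addresses 10.0.0.1 and 10.0.0.2, the subnets and the rule numbers are constructed values. With DRY_RUN=1 (the default) it prints the ipfw commands instead of loading them, so the rule set can be reviewed before it touches the firewall. On FreeBSD 5.x the "fwd" action also needs the kernel built with `options IPFIREWALL_FORWARD`.

```shell
#!/bin/sh
# Added example, not code from the thread: generate ipfw "fwd" rules that
# route traffic to different gateways by protocol or source address.
# All addresses, subnets and rule numbers below are constructed values.

EXT_IF=${EXT_IF:-em0}        # single external interface (assumed name)
GW_A=${GW_A:-10.0.0.1}       # gateway for the default path (constructed)
GW_B=${GW_B:-10.0.0.2}       # gateway for the alternate path (constructed)
DRY_RUN=${DRY_RUN:-1}        # 1: print the rules, 0: load them with ipfw

# Run one ipfw command, or just print it when DRY_RUN=1.
ipfw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

# pbr_rule NUM GATEWAY PROTO SRC DST [DSTPORT]
# Emit the "fwd" rule for one policy entry. Matching only "out via $EXT_IF"
# keeps the policy on the external interface, as the thread suggests, and
# leaves locally delivered traffic alone.
pbr_rule() {
    num=$1; gw=$2; proto=$3; src=$4; dst=$5; port=$6
    if [ -n "$port" ]; then
        ipfw_cmd add "$num" fwd "$gw" "$proto" from "$src" to "$dst" "$port" out via "$EXT_IF"
    else
        ipfw_cmd add "$num" fwd "$gw" "$proto" from "$src" to "$dst" out via "$EXT_IF"
    fi
}

# Policy table: web traffic from one subnet goes via GW_B, everything else
# from the private range via GW_A. Lower rule numbers match first, so the
# more specific entries come before the catch-all.
load_policy() {
    pbr_rule 1000 "$GW_B" tcp 192.168.1.0/24 any 80
    pbr_rule 1010 "$GW_B" tcp 192.168.1.0/24 any 443
    pbr_rule 1020 "$GW_A" udp 192.168.2.0/24 any
    pbr_rule 1030 "$GW_A" ip  192.168.0.0/16 any
}

load_policy
```

Run it once with the default DRY_RUN=1 to inspect the generated rules, then with `DRY_RUN=0` as root to load them. Because each "fwd" rule terminates the search on match, order the specific protocol or port entries before the broad subnet catch-all, as load_policy does.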