Date:      Wed, 4 Dec 2002 15:20:28 -0500 
From:      Don Bowman <don@sandvine.com>
To:        Don Bowman <don@sandvine.com>, "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Cc:        "'freebsd-stable@freebsd.org'" <freebsd-stable@freebsd.org>
Subject:   RE: SO_DONTROUTE, arp's, ipfw fwd, etc
Message-ID:  <FE045D4D9F7AED4CBFF1B3B813C85337010230F7@mail.sandvine.com>

> From: Don Bowman [mailto:don@sandvine.com]
> I have a setup where I have a transparent proxy using ipfw fwd (to
> localhost).
> Data is sent to this device using a MAC rewrite so that
> packets arrive with
> my MAC, but the original source and destination IP.
> When I receive the SYN, I accept the connection, which causes an ARP
> to be emitted for the source address, and then the SYN/ACK.

I didn't get much response from this, so I'm going to re-phrase.

Is there any reason that I shouldn't modify the TCP passive accept
so that it remembers both the MAC address of the sender, and the
interface the packet came in on? By doing so, I will avoid
having to issue an ARP for each incoming connection (which adds
latency, and more importantly for me, breaks the ability to use
ipfw 'fwd' rules the way I want). [This is with FreeBSD 4.7 if
it matters].

What's happening is I have >1 router feeding me sessions which
I'm transparently proxying (e.g. squid).
Obviously I can't have a default route back to each of them.

So I have something like:

[Router1]---\
             \
[Router2]--------[BSD]
             /
[Router3]---/

This is done with a layer-2 MAC rewrite, i.e., the router takes the packet,
doesn't modify the IP header, but changes the destination MAC to
be that of the BSD machine.

So, e.g., a packet comes into router1 above (from somewhere on its
left hand side). It may have IPsrc=1.0.0.1, IPdst=2.0.0.1.
It then arrives at the BSD machine, which will cheerfully say, yup,
I'm 2.0.0.1 (using the beauty of 'ipfw fwd localhost...').
Problem is, it then wants to send a SYN/ACK, there's no route,
so nowhere to go. I can't make the route be one of those routers,
and the routing tables are too complicated to install (since there
may be BGP on the left of them, etc, etc). It's important for
me that the response packets go back through the same path (to avoid
reordering etc).

The next step for me is to use a separate VLAN from each of those
routers to the BSD box (so that the packets appear to come from different
interfaces). I'd like to memorize the interface the packet came in,
and the mac header to use, and just use that without making an enormous
arp table, and going back to the place the SYN came from.

Is there a reason it doesn't work this way currently (before I dive
in and make changes)?
If I were to change it to work the way I want, would other people
be interested?
Would this be interesting as a whole-sale change in behaviour, or as
a sysctl-changeable or #ifdef settable?

Comments greatly appreciated.
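The per-connection "remember the ingress interface and sender MAC at passive accept" idea from the mail, modelled as an added example in Python (not code from the mail, from FreeBSD, or from any project; the Frame fields, ReplyPathCache name and the MAC/IP/VLAN values are constructed for illustration). The cache is keyed by the connection 4-tuple learned from the SYN, and a reply that matches no entry returns None so the caller can fall back to normal routing plus ARP:

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Frame:
    ifname: str        # ingress interface for a received frame, egress for a sent one
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN"})

class ReplyPathCache:
    """Remembers (ingress interface, sender MAC) per connection at passive accept."""

    def __init__(self):
        # (local_ip, local_port, peer_ip, peer_port) -> (ifname, peer_mac)
        self._paths = {}

    def learn_from_syn(self, syn: Frame) -> None:
        # Only a pure SYN opens a passive connection; anything else is ignored.
        if syn.flags != frozenset({"SYN"}):
            return
        key = (syn.dst_ip, syn.dst_port, syn.src_ip, syn.src_port)
        self._paths[key] = (syn.ifname, syn.src_mac)

    def forget(self, local_ip, local_port, peer_ip, peer_port) -> None:
        # Drop the entry when the connection closes so the table stays bounded.
        self._paths.pop((local_ip, local_port, peer_ip, peer_port), None)

    def route_reply(self, reply: Frame) -> Optional[Frame]:
        """Fill in egress interface and destination MAC for a reply, or return
        None when the connection is unknown (caller falls back to routing + ARP)."""
        key = (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port)
        path = self._paths.get(key)
        if path is None:
            return None
        ifname, peer_mac = path
        return replace(reply, ifname=ifname, dst_mac=peer_mac)

# Constructed sample: SYN from 1.0.0.1 to 2.0.0.1 arrives via Router1 on vlan1
BSD_MAC = "00:00:5e:00:53:bb"       # placeholder MAC of the BSD box
ROUTER1_MAC = "00:00:5e:00:53:01"   # placeholder MAC of Router1
SYN = Frame("vlan1", ROUTER1_MAC, BSD_MAC, "1.0.0.1", "2.0.0.1", 40000, 80, frozenset({"SYN"}))
SYN_ACK = Frame("", BSD_MAC, "", "2.0.0.1", "1.0.0.1", 80, 40000, frozenset({"SYN", "ACK"}))

def demo() -> Optional[Frame]:
    cache = ReplyPathCache()
    cache.learn_from_syn(SYN)
    return cache.route_reply(SYN_ACK)   # leaves on vlan1, addressed to ROUTER1_MAC
```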
