Date: Wed, 14 Nov 2001 16:04:41 -0800 From: Julian Elischer <julian@vicor-nb.com> To: net@freebsd.org Subject: RFC: ipfirewall_forward patch Message-ID: <3BF30699.E8CC9857@vicor-nb.com>
The following patch is expected to allow the forwarding of INCOMING packets to an arbitrary next hop controlled by the ipfw fwd command.

Ipfw 'fwd' at present has the following restriction: only packets already leaving the system can be hijacked and forwarded to a 2nd machine. Incoming packets can only be forwarded to local address/port combinations.

This patch would allow a sequence of machines to hijack a particular conforming packet and pass it along a chain of these machines to make it fall out somewhere else. The particular example I have in mind:

[internet]---[A.b.c.d]-------[10.2.3.4]
                      \---------[10.2.3.5]
                       \---------[10.2.3.6]
                        \---------[10.2.3.7]

on A.b.c.d:

ipfw add 1000 fwd 10.2.3.4 tcp from 0.0.0.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.5 tcp from 0.0.1.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.6 tcp from 0.0.2.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.7 tcp from 0.0.3.0:0.0.3.0 to A.b.c.d 80 in recv fxp0

and on each of the four machines:

ipfw add 1000 fwd localhost tcp from any to A.b.c.d 80 in recv fxp0

This is a 4-way load sharing setup sharing http load across 4 machines (in our case proxies), implemented in 5 lines of ipfw. To the external world it would look as if all requests are being satisfied by A.b.c.d:80.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BF30699.E8CC9857>
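As an added example that is not part of Julian Elischer's post or of the patch it announces, the following Python script models how the four `fwd` rules above spread client source addresses over the backends. It only reproduces the comparison ipfw performs for a `from addr:mask` operand, `(src & mask) == (addr & mask)` with the first matching rule winning; the rule list and backend addresses are taken from the post, and the client addresses fed to it are constructed inputs from documentation ranges, not captured traffic.

```python
"""Model ipfw 'from addr:mask' matching for the four-way fwd rule set.

Added example, not the post's or the patch's own code. It models only the
(src & mask) == (addr & mask) test ipfw applies to a 'from addr:mask'
operand, with first match winning. Backends are those in the post; client
addresses used below are constructed documentation-range inputs.
"""
import ipaddress
from collections import Counter

# The four rules on A.b.c.d: (addr, mask, fwd target), in insertion order.
RULES = [
    ("0.0.0.0", "0.0.3.0", "10.2.3.4"),
    ("0.0.1.0", "0.0.3.0", "10.2.3.5"),
    ("0.0.2.0", "0.0.3.0", "10.2.3.6"),
    ("0.0.3.0", "0.0.3.0", "10.2.3.7"),
]


def ip_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(src_int, addr, mask):
    """ipfw's addr:mask test: compare src and addr under the mask."""
    m = ip_int(mask)
    return (src_int & m) == (ip_int(addr) & m)


def next_hop(src):
    """Return the fwd target of the first rule matching src, or None."""
    s = ip_int(src)
    for addr, mask, target in RULES:
        if matches(s, addr, mask):
            return target
    return None


def bucket_counts(clients):
    """Count how many of the given client addresses land on each backend."""
    return Counter(next_hop(c) for c in clients)


def rules_partition_sources():
    """True if every source address matches exactly one rule.

    Mask 0.0.3.0 tests only the two low bits of the third octet, so
    walking that octet through all 256 values covers every case.
    """
    for third in range(256):
        src = ip_int("1.1.%d.1" % third)
        hits = sum(1 for addr, mask, _ in RULES if matches(src, addr, mask))
        if hits != 1:
            return False
    return True


if __name__ == "__main__":
    # Constructed client addresses (documentation ranges), not real traffic.
    one_subnet = ["192.0.2.%d" % i for i in range(1, 21)]
    many_subnets = ["1.2.%d.1" % i for i in range(256)]
    print("every source matches exactly one rule:", rules_partition_sources())
    print("20 clients from 192.0.2.0/24:", dict(bucket_counts(one_subnet)))
    print("one client from each of 256 /24s:", dict(bucket_counts(many_subnets)))
```

Two things the simulation makes visible. The four masks split on the two low bits of the third octet, so the rules partition the source space and each incoming packet hits exactly one backend regardless of the shared rule number 1000 (ipfw keeps insertion order among equal numbers). The same fact is the caveat: every client inside one /24 shares those two bits and therefore the same backend, so the load only balances across many client networks, and a single busy /24 all lands on one proxy.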