Date:      Wed, 14 Nov 2001 16:04:41 -0800
From:      Julian Elischer <julian@vicor-nb.com>
To:        net@freebsd.org
Subject:   RFC: ipfirewall_forward patch
Message-ID:  <3BF30699.E8CC9857@vicor-nb.com>

The following patch is expected to allow the forwarding of INCOMING packets
to an arbitrary next hop controlled by the ipfw fwd command.

Ipfw 'fwd' at present has the following restriction:

only packets already leaving the system can be hijacked and forwarded
to a 2nd machine. Incoming packets can only be forwarded to local
addresses/port combinations.

This patch would allow a sequence of machines to hijack
a particular conforming packet and pass it along a chain of
these machines to make it fall out somewhere else.

the particular example I have in mind:

[internet]---[A.b.c.d]-------[10.2.3.4]
                   \---------[10.2.3.5]
                   \---------[10.2.3.6]
                   \---------[10.2.3.7]

on A.b.c.d:
ipfw add 1000 fwd 10.2.3.4 tcp from 0.0.0.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.5 tcp from 0.0.1.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.6 tcp from 0.0.2.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.7 tcp from 0.0.3.0:0.0.3.0 to A.b.c.d 80 in recv fxp0

and on each of the four machines:
ipfw add 1000 fwd localhost tcp from any to A.b.c.d 80 in recv fxp0

This is a 4-way load sharing setup sharing http load across 4 machines
(in our case proxies), implemented in 5 lines of ipfw.

To the external world it would look as if all requests are being
satisfied by A.b.c.d:80.
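The four fwd rules above split clients on the two low bits of the third octet of the source address, which ipfw's non-contiguous addr:mask syntax (0.0.x.0:0.0.3.0) selects. The following Python model of that source match is an added example, not code from the message or from FreeBSD; it only simulates the addr:mask comparison and first-match rule order, not the tcp/port/interface parts of the rules, and the client addresses are constructed test values.

```python
import ipaddress

# The four fwd rules from the message, in rule order: (source addr:mask, next hop).
RULES = [
    ("0.0.0.0:0.0.3.0", "10.2.3.4"),
    ("0.0.1.0:0.0.3.0", "10.2.3.5"),
    ("0.0.2.0:0.0.3.0", "10.2.3.6"),
    ("0.0.3.0:0.0.3.0", "10.2.3.7"),
]


def parse_addr_mask(spec):
    """Parse ipfw's 'addr:mask' source spec into two 32-bit integers.
    The mask is a dotted quad and need not be contiguous (0.0.3.0 here)."""
    addr, mask = spec.split(":")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


def matches(spec, src):
    """True when src falls in the addr:mask set: (src & mask) == (addr & mask)."""
    addr, mask = parse_addr_mask(spec)
    return (int(ipaddress.IPv4Address(src)) & mask) == (addr & mask)


def next_hop(src):
    """Return the next hop of the first fwd rule whose source spec matches,
    or None when no rule matches and the packet would be delivered locally."""
    for spec, hop in RULES:
        if matches(spec, src):
            return hop
    return None


def distribution(sources):
    """Count how many of the given client addresses land on each next hop.
    Balance depends entirely on how client addresses are spread over those
    two bits, since nothing in the rules looks at load or liveness."""
    counts = {hop: 0 for _, hop in RULES}
    for src in sources:
        counts[next_hop(src)] += 1
    return counts


if __name__ == "__main__":
    # Constructed client addresses (documentation ranges), not real traffic.
    clients = ["192.0.2.10", "198.51.100.7", "203.0.113.9", "10.0.7.1"]
    for c in clients:
        print(c, "->", next_hop(c))
    print(distribution(clients))
```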
