From owner-freebsd-net Wed Nov 14 16:04:49 2001
Date: Wed, 14 Nov 2001 16:04:41 -0800
From: Julian Elischer
Organization: VICOR
Message-ID: <3BF30699.E8CC9857@vicor-nb.com>
To: net@freebsd.org
Subject: RFC: ipfirewall_forward patch

The following patch is expected to allow the forwarding of INCOMING packets to an arbitrary next hop controlled by the ipfw fwd command.

Ipfw 'fwd' at present has the following restriction: only packets already leaving the system can be hijacked and forwarded to a 2nd machine. Incoming packets can only be forwarded to local addresses/port combinations.

This patch would allow a sequence of machines to hijack a particular conforming packet and pass it along a chain of these machines to make it fall out somewhere else.
The particular example I have in mind:

  [internet]---[A.b.c.d]-------[10.2.3.4]
                        \---------[10.2.3.5]
                         \---------[10.2.3.6]
                          \---------[10.2.3.7]

on A.b.c.d:

  ipfw add 1000 fwd 10.2.3.4 tcp from 0.0.0.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
  ipfw add 1000 fwd 10.2.3.5 tcp from 0.0.1.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
  ipfw add 1000 fwd 10.2.3.6 tcp from 0.0.2.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
  ipfw add 1000 fwd 10.2.3.7 tcp from 0.0.3.0:0.0.3.0 to A.b.c.d 80 in recv fxp0

and on each of the four machines:

  ipfw add 1000 fwd localhost tcp from any to A.b.c.d 80 in recv fxp0

This is a 4-way load sharing setup sharing http load across 4 machines (in our case proxies) implemented in 5 lines of ipfw. To the external world it would look as if all requests are being satisfied by A.b.c.d:80.
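An added example, not part of the mail above and not ipfw's own code: a small Python model of how the four "from 0.0.N.0:0.0.3.0" rules on A.b.c.d split incoming clients across the 10.2.3.x backends. It assumes ipfw's addr:mask test is (src & mask) == (addr & mask), that A.b.c.d is a placeholder for the real public address, and that the four rules are disjoint so the first match is the only match. The mask 0.0.3.0 selects the two low bits of the client's third octet, so the model also shows what that implies for balance: every client in the same /24 lands on the same proxy, and the split is even only if client addresses are spread evenly over third-octet values.

```python
import ipaddress

# Constructed copy of the four rules from the mail; A.b.c.d is left as the
# placeholder it is in the mail, since only the fwd target and the source
# addr:mask matter for the selection logic modelled here.
RULES = """
ipfw add 1000 fwd 10.2.3.4 tcp from 0.0.0.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.5 tcp from 0.0.1.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.6 tcp from 0.0.2.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
ipfw add 1000 fwd 10.2.3.7 tcp from 0.0.3.0:0.0.3.0 to A.b.c.d 80 in recv fxp0
""".strip().splitlines()


def parse_rule(line):
    """Pull the fwd target and the 'from addr:mask' pair out of one ipfw line."""
    toks = line.split()
    target = toks[toks.index("fwd") + 1]
    addr, mask = toks[toks.index("from") + 1].split(":")
    return {
        "target": target,
        "addr": int(ipaddress.IPv4Address(addr)),
        "mask": int(ipaddress.IPv4Address(mask)),
    }


def select_backend(src_ip, rules=RULES):
    """Return the fwd target of the first rule whose addr:mask matches src_ip.

    Assumed ipfw semantics: a rule matches when (src & mask) == (addr & mask).
    With mask 0.0.3.0 only bits 8 and 9 of the address (the low two bits of
    the third octet) take part in the comparison.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for rule in map(parse_rule, rules):
        if src & rule["mask"] == rule["addr"] & rule["mask"]:
            return rule["target"]
    return None  # no rule matched; the packet would fall through to later rules


def distribution(src_ips, rules=RULES):
    """Count how many of the given client addresses each backend would receive."""
    counts = {}
    for ip in src_ips:
        target = select_backend(ip, rules)
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed client addresses from documentation ranges.
    for client in ("198.51.100.7", "203.0.113.9", "192.0.2.1", "10.0.7.1"):
        print(client, "->", select_backend(client))
    # One client per third-octet value: the split is exactly 64 per backend.
    print(distribution(f"198.51.{i}.1" for i in range(256)))
    # All clients from one /24: every one of them hits the same backend.
    print(distribution(f"198.51.100.{i}" for i in range(256)))
```

The second distribution call is the caveat worth keeping in mind with this scheme: a single large client network (or a single upstream proxy) maps wholly onto one backend, so the 4-way split is by address bits, not by load.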