Date:      Wed, 21 Jan 2009 15:34:03 -0200
From:      "Luiz Otavio O Souza" <lists.br@gmail.com>
To:        "Eduardo Meyer" <dudu.meyer@gmail.com>
Cc:        freebsd-net@freebsd.org, Julian Elischer <julian@elischer.org>
Subject:   Re: Multiple Routing Tables (FIB) + IPFW problem as (I?) expected
Message-ID:  <DBDE96CC23B142FDAE3AEA0B7BC7278B@adnote989>
References:  <d3ea75b30901160414x353c9fb2ke1f31489bb8d5107@mail.gmail.com> <4970DB6C.4030200@elischer.org> <d3ea75b30901190740i35873cc6u3061193ea4eba4e3@mail.gmail.com> <8461C1DA26D349A7B4AA821D8461A923@adnote989> <d3ea75b30901200721g231e99f1uaefcc8960888bf9c@mail.gmail.com>


>>>> obviously you did some other commands here..
>>>> something generated 2 million packets..
>>>
>>> Julian, it's a production environment, the firewall was up for a few
>>> minutes. That's the reason.
>>>
>>>> I was thinking of adding a 'reroute' ipfw keyword.. kind of like
>>>> 'fwd {original dest} ip from any to any'
>>>> because 'fwd' does cause the routing decision to be redone.
>>>>
>>>> The fib of the process that opens the socket controls where packets
>>>> from the local machine are sent.
>>>
>>> divert does cause this too, not "not fib X" seems to work fine...
>>>
>>> I wish you could make the "setfib" action be kept in state with
>>> keep-state only for the static rules, but I guess it will be done for
>>> all dynamic rules too, since keep-state makes dynamic rules repeat the
>>> static one, right?
>>>
>>> would something like
>>>
>>> ipfw add prob 0.5 setfib 1 all from X to any out keep-state
>>>
>>> be used to balance (per session) between FIB tables?
>>
>> divert? I think you want to say natd...
>>
>> Again... you are using setfib after the route table decisions...
>>
>> To use natd with setfib you need to set up two instances of natd, one for
>> each uplink interface:
>>
>> ipfw add divert 8668 all from any to any via ${outnic1}
>> ipfw add divert 8669 all from any to any via ${outnic2}
>>
>> And on internal nic:
>>
>> ipfw add setfib 1 tcp from ${inet} to any 80 IN VIA ${iif}
>>
>> So the HTTP traffic will be routed through fib 1 and should appear on the
>> correct uplink interface, and natd can do its dirty work.
>>
>> I don't know about prob... you will need to send the connection setup
>> packets (for TCP) and subsequent packets through the same link. I don't
>> know if you can achieve this with prob + keep-state.
>>
>> Luiz
>>
>
> Yes, you are right. Now it's way easier to do policy routing and
> advanced PBR. However, I'm still trying to balance outgoing traffic
> through multiple FIBs, per session. But
>
> add prob 0.5 setfib 1 tcp from ${inet} to any 80 in via ${iif} setup keep-state
>
> is not working as I expected...
>
> Some sessions just fail. I guess I need some special behavior on the
> "keep-state" action.
>

Have you tried the check-state rule? Just an educated guess... no real clue
about that... sorry.

You will need to dig into this yourself... take a closer look at the dynamic
rules created by your rule and try to determine the best way to achieve
what you want.

Luiz 
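One way to put the pieces of this thread together, as an added example that is not from the thread itself: a POSIX sh function that emits the ipfw commands for the two-uplink layout Luiz describes (inside HTTP tagged for FIB 1, one natd instance per uplink on the ports quoted above), with check-state ahead of the setfib rule as he suggests trying. The interface names, the inside network, the natd start-up lines and the closing allow rule are assumptions; the allow stands in for whatever filter policy the host really runs.

```sh
#!/bin/sh
# Added example, not code from the thread.  Emits (does not run) the ipfw
# commands for two uplinks: HTTP from the inside net leaves via FIB 1, and
# each uplink is NATed by its own natd instance (ports 8668/8669 as above).
# Assumed natd start-up, one instance per uplink (not shown in the thread):
#   natd -n "$outnic1" -p 8668 ; natd -n "$outnic2" -p 8669
# Arguments: inside interface, uplink 1, uplink 2, inside network in CIDR form.
build_ruleset() {
    iif=$1 outnic1=$2 outnic2=$3 inet=$4
    [ -n "$iif" ] && [ -n "$outnic1" ] && [ -n "$outnic2" ] && [ -n "$inet" ] || {
        echo "usage: build_ruleset iif outnic1 outnic2 inside-net" >&2
        return 1
    }
    [ "$outnic1" != "$outnic2" ] || { echo "uplinks must differ" >&2; return 1; }
    cat <<EOF
ipfw -q flush
# check-state first: a packet of an existing session takes its dynamic rule,
# i.e. the parent setfib below, so the FIB chosen at setup time is kept.
ipfw -q add 00100 check-state
# the SYN of an inside HTTP session is tagged for FIB 1 and creates the state;
# setfib is non-terminating, so processing continues with the rules below.
ipfw -q add 00200 setfib 1 tcp from $inet to any 80 in via $iif setup keep-state
# divert after setfib: packets matched through check-state continue after the
# parent rule, so the per-uplink natd diverts must sit below it.
ipfw -q add 00300 divert 8668 ip from any to any via $outnic1
ipfw -q add 00310 divert 8669 ip from any to any via $outnic2
# placeholder: replace with the host's real filter policy
ipfw -q add 00400 allow ip from any to any
EOF
}
# usage: build_ruleset em0 em1 em2 192.168.1.0/24 | sh
```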




Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DBDE96CC23B142FDAE3AEA0B7BC7278B>