Date: Thu, 15 Nov 2001 00:16:10 +0000
From: Chrisy Luke
To: Julian Elischer
Cc: net@freebsd.org
Subject: Re: RFC: ipfirewall_forward patch
Message-ID: <20011115001610.A6212@flix.net>
References: <3BF30699.E8CC9857@vicor-nb.com> <3BF306D2.3A50C4AF@vicor-nb.com>
In-Reply-To: <3BF306D2.3A50C4AF@vicor-nb.com>; from julian@vicor-nb.com on Wed, Nov 14, 2001 at 04:05:38PM -0800
Organization: The Flirble Internet Exchange

Julian Elischer wrote (on Nov 15):
> Oops forgot the patch.. here it is...

I almost replied to the first - too quick off the mark!

> Julian Elischer wrote:
> > Ipfw 'fwd' at present has the following restriction:
> >
> > only packets already leaving the system can be hijacked and forwarded
> > to a 2nd machine. Incoming packets can only be forwarded to local
> > addresses/port combinations.

My fault. I was being lazy when I wrote it. :)

> > This patch would allow a sequence of machines to hijack
> > a particular conforming packet and pass it along a chain of
> > these machines to make it fall out somewhere else..

It looks good. The ipfw syntax doesn't quite make sense to me.

Also, are you requiring that they all be on the same ipfw rule number?
Writing a script to probe a serving host and alter ipfw rules could be
done seamlessly if they were on separate ipfw rules.

With a similar trick to move aliases around on a primary ether port, it's
going to be a doddle to set up a clustered-transparent loadbalancer in
FreeBSD now. Neat. :)

Cheers,
Chris.
-- 
== chris@easynet.net                                  T: +44 845 333 0122
== Global IP Network Engineering, Easynet Group PLC   F: +44 845 333 0122