From owner-freebsd-net Wed Nov 14 17:20:38 2001
Date: Wed, 14 Nov 2001 17:11:26 -0800 (PST)
From: Julian Elischer
To: Chrisy Luke
Cc: Julian Elischer, net@freebsd.org
Subject: Re: RFC: ipfirewall_forward patch
In-Reply-To: <20011115001610.A6212@flix.net>

On Thu, 15 Nov 2001, Chrisy Luke wrote:

> > > only packets already leaving the system can be hijacked and forwarded
> > > to a 2nd machine. Incoming packets can only be forwarded to local
> > > addresses/port combinations.
>
> My fault. I was being lazy when I wrote it. :)

Ah, it WAS you I committed it for, wasn't it? :-)

> > > This patch would allow a sequence of machines to hijack
> > > a particular conforming packet and pass it along a chain of
> > > these machines to make it fall out somewhere else..
>
> It looks good. The ipfw syntax doesn't quite make sense to me.

They all have different bits masked by the netmask..

> Also, are you requiring that they all be on the same ipfw rule number?

No, I was lazy.. (cut'n'pasted the rules)

> Writing a script to probe a serving host and alter ipfw rules could be
> done seamlessly if they were on separate ipfw rules.

Well sure.. it's the mechanism, not the details, I was looking at..
Can you check my logic on the changes? I'll be testing it more tonight..

> With a similar trick to move aliases around on a primary ether port,
> it's going to be a doddle to set up a clustered-transparent loadbalancer
> in FreeBSD now. Neat. :)

That's the theory..
Why make a huge complicated program to do it when you can do it with ipfw :-)

> Cheers,
> Chris.
> --
> == chris@easynet.net                             T: +44 845 333 0122
> == Global IP Network Engineering, Easynet Group PLC   F: +44 845 333 0122
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message