From: Andrew Riabtsev
To: freebsd-net@freebsd.org
Date: Wed, 21 Jan 2004 17:27:22 +0300
Subject: netgraph: bridge with fwd and divert
List-Id: Networking and TCP/IP with FreeBSD

Hi, All

I'm trying to let my FreeBSD 4.9 box, working as a bridge, divert and fwd bridged packets. As I understand it, this is not implemented in FreeBSD 4.9. I was thinking about doing it (implementing it), but I'm too lazy, and when I see this huge amount of work I start thinking :) Before I continue my work I just want you to look at what came to my mind and tell me what you think about it. Maybe I missed something and it won't work, and so on...

This is what came to my mind. If we can't implement fwd and divert on bridged packets, let's just send the packets we need to layer 3 and let the system fwd and divert them like any other layer 3 packets.
And here is the plan. For example, we have a box with 2 ethernet devices, fxp0 and fxp1, one IP 64.64.64.64/24 on fxp0, and a default gw of 64.64.64.1. Let's make the following netgraph:

  +------+ lower +---------+ left  +---------------+ right +------+
  | fxp1 |<----->|ng_bridge|<----->|ng_ether_divert|<----->| fxp0 |
  +------+ link0 +---------+ link1 +---------------+ lower +------+
                                         /\                  /\
                                         || divert     upper ||
                                         +-------------------+

The point is that ng_ether_divert (the one I'm working on) analyzes packets coming from the left and right hooks and checks a set of rules to decide whether a packet should be sent to the divert hook; if not, the packet is sent to the left hook if it came from the right, and to the right hook if it came from the left. The same goes for packets that came from the divert hook: if there is a rule to send the packet to the right hook, it is sent there; if there is no rule, to the left.

The rule format is src_ip, dst_ip, masks, proto, src_port, dst_port, some flags for NOT extensions on the addresses, ports and proto, from_hook (where it came from), to_hook (where it should be sent).

So here is how it should work: with no rules, everything works just like a bridge should with ng_bridge, but when adding the following rules:

  ip from 192.168.0.0/16 to 0.0.0.0/0 via left --> divert
      (packets from the private network are sent to layer 3 for divert and/or fwd in the kernel using ipfw)
  ip from 0.0.0.0/0 to 64.64.64.64/32 from left --> divert
  ip from 0.0.0.0/0 to 64.64.64.64/32 from right --> divert
      (let the box get packets directed to it)
  ip from 0.0.0.0/0 to ip_u_want_to_be_send from divert --> hook_on_what_that_ip_should_be
      (ether route to other hosts in the local ethernet and gateways on other known local routes (layer 3))
  ip from 0.0.0.0/0 to 0.0.0.0/0 from divert --> right
      (default ether gateway :) just send the other packets to the interface where the default (layer 3) gateway is placed)

--
With best regards,
Andrew                          mailto:resident@b-o.ru
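The rule table sketched in the mail, as an added example that is not the author's node or any FreeBSD code: a first-match classifier over the fields the mail lists (addresses with masks, proto, ports, NOT flags, from_hook, to_hook), run over constructed Ethernet/IPv4 frames. The hook enumeration, the rule struct, the classify_example() helper and the address 10.0.0.5 standing in for "ip_u_want_to_be_send" are assumptions. It also covers two things a practitioner would want settled before wiring such a node into a bridge path: non-IPv4 and truncated frames are bridged rather than classified, and port rules never match non-first fragments, which carry no L4 header.

```c
/*
 * Added example, not the mail's or FreeBSD's code: a first-match rule table of
 * the shape the mail sketches for its proposed ng_ether_divert node, evaluated
 * over constructed Ethernet/IPv4 frames.  Hook names, the rule struct and the
 * 10.0.0.5 address standing in for "ip_u_want_to_be_send" are assumptions.
 */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum hook { HOOK_LEFT, HOOK_RIGHT, HOOK_DIVERT };

/* "NOT extensions": each flag inverts the match on the corresponding field. */
enum { NOT_SRC = 1, NOT_DST = 2, NOT_PROTO = 4, NOT_SPORT = 8, NOT_DPORT = 16 };

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (c) << 8 | (d))

struct ed_rule {
    uint32_t src, src_mask, dst, dst_mask; /* host byte order; mask 0 = any */
    uint8_t proto;                         /* 0 = any */
    uint16_t sport, dport;                 /* 0 = any */
    uint8_t notflags;
    enum hook from_hook, to_hook;
};

struct pkt { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; int have_ports; };

/* Extract the fields the rules need.  Returns 0 for anything that is not a
 * well-formed IPv4 packet (ARP, truncated headers, ...): those are bridged. */
static int parse_frame(const uint8_t *f, size_t len, struct pkt *p)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00)
        return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4, tot = (size_t)ip[2] << 8 | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl || 14 + tot > len)
        return 0; /* never classify on a header the frame does not fully carry */
    uint32_t a;
    memcpy(&a, ip + 12, 4); p->src = ntohl(a);
    memcpy(&a, ip + 16, 4); p->dst = ntohl(a);
    p->proto = ip[9];
    p->sport = p->dport = 0;
    /* Only the first fragment of a TCP/UDP datagram carries the L4 header. */
    unsigned fragoff = (ip[6] & 0x1f) << 8 | ip[7];
    p->have_ports = fragoff == 0 && (p->proto == 6 || p->proto == 17) && tot >= ihl + 4;
    if (p->have_ports) {
        p->sport = ip[ihl] << 8 | ip[ihl + 1];
        p->dport = ip[ihl + 2] << 8 | ip[ihl + 3];
    }
    return 1;
}

static int want(int matched, int invert) { return invert ? !matched : matched; }

static int rule_matches(const struct ed_rule *r, const struct pkt *p, enum hook from)
{
    if (r->from_hook != from) return 0;
    if (!want((p->src & r->src_mask) == (r->src & r->src_mask), r->notflags & NOT_SRC)) return 0;
    if (!want((p->dst & r->dst_mask) == (r->dst & r->dst_mask), r->notflags & NOT_DST)) return 0;
    if (r->proto && !want(p->proto == r->proto, r->notflags & NOT_PROTO)) return 0;
    if ((r->sport || r->dport) && !p->have_ports) return 0; /* fragments: port rules never match */
    if (r->sport && !want(p->sport == r->sport, r->notflags & NOT_SPORT)) return 0;
    if (r->dport && !want(p->dport == r->dport, r->notflags & NOT_DPORT)) return 0;
    return 1;
}

/* First match wins.  No match means plain bridging, left<->right, with
 * frames re-injected on divert going out left, as the mail specifies. */
enum hook ed_classify(const struct ed_rule *rules, size_t n, enum hook from,
                      const uint8_t *f, size_t len)
{
    enum hook dflt = from == HOOK_LEFT ? HOOK_RIGHT : HOOK_LEFT;
    struct pkt p;
    if (!parse_frame(f, len, &p))
        return dflt;
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], &p, from))
            return rules[i].to_hook;
    return dflt;
}

/* The five rules from the mail, in order (10.0.0.5 is an assumed example host). */
static const struct ed_rule example_rules[] = {
    { IP4(192,168,0,0), 0xffff0000, 0, 0,   0, 0, 0, 0, HOOK_LEFT,   HOOK_DIVERT },
    { 0, 0, IP4(64,64,64,64), 0xffffffff,   0, 0, 0, 0, HOOK_LEFT,   HOOK_DIVERT },
    { 0, 0, IP4(64,64,64,64), 0xffffffff,   0, 0, 0, 0, HOOK_RIGHT,  HOOK_DIVERT },
    { 0, 0, IP4(10,0,0,5), 0xffffffff,      0, 0, 0, 0, HOOK_DIVERT, HOOK_LEFT },
    { 0, 0, 0, 0,                           0, 0, 0, 0, HOOK_DIVERT, HOOK_RIGHT },
};
#define EXAMPLE_NRULES (sizeof example_rules / sizeof example_rules[0])

/* Build a constructed 42-byte frame (Ethernet + 20-byte IPv4 + 8 payload bytes
 * holding ports 1234 -> 53) and run it through the example rules.  A non-zero
 * fragoff simulates a non-first fragment; ethertype 0x0806 simulates ARP. */
enum hook classify_example(enum hook from, uint16_t ethertype, uint32_t src,
                           uint32_t dst, uint8_t proto, uint16_t fragoff)
{
    uint8_t buf[42] = {0}, *ip = buf + 14;
    uint32_t a;
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    ip[0] = 0x45; ip[3] = 28; ip[8] = 64; ip[9] = proto;
    ip[6] = fragoff >> 8; ip[7] = fragoff & 0xff;
    a = htonl(src); memcpy(ip + 12, &a, 4);
    a = htonl(dst); memcpy(ip + 16, &a, 4);
    ip[20] = 0x04; ip[21] = 0xd2; ip[22] = 0x00; ip[23] = 0x35;
    return ed_classify(example_rules, EXAMPLE_NRULES, from, buf, sizeof buf);
}
```

Rule order matters in the same way it does for ipfw: the catch-all "from divert --> right" must stay last, or the host-specific "from divert --> left" rule behind it is never reached. Evaluating one rule per frame on every bridged packet is also the cost this design pays, so a real node would want the table kept short or indexed.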