Date: Mon, 7 Dec 2009 23:30:07 +0300
From: Lytochkin Boris <lytboris@gmail.com>
To: Ermal Luçi <eri@freebsd.org>
Cc: Luigi Rizzo <luigi@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, Julian Elischer <julian@elischer.org>, sem@freebsd.org, svn-src-head@freebsd.org, Max Laier <max@love2party.net>
Subject: Re: svn commit: r200183 - head/sbin/ipfw
Message-ID: <933fa9790912071230n56f27f5bhcdec44d22a1c5126@mail.gmail.com>
In-Reply-To: <9a542da30912071221t289a57a8gdfbb12c8a0b84753@mail.gmail.com>
References: <200912061804.nB6I4R38027652@svn.freebsd.org> <4B1D437F.4050601@elischer.org> <4B1D4723.5090908@elischer.org> <200912072029.05907.max@love2party.net> <933fa9790912071145k4d97c177qc6f963ba0ffbb13@mail.gmail.com> <9a542da30912071221t289a57a8gdfbb12c8a0b84753@mail.gmail.com>

there are multiple addresses on em0 (for example):
95.108.197.225/27
10.60.128.225/24
10.61.128.225/24
...
10.70.128.225/24

default router is in 95.108.197.225/27 network.
10.X addresses are used for SLB - SLB router does DNAT and forwards
client's connection to this node, so node should forward all packets
from 10.X addresses to .254 - SLB router IPs.

ipfw config would be something like
====
ipfw add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
ipfw add 61 fwd 10.61.128.254 ip from 10.61.128.0/24 to any out
...
ipfw add 70 fwd 10.70.128.254 ip from 10.70.128.0/24 to any out
allow 65534 ip from any to any
====

pf variant will be accordingly
====
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
...
pass out quick route-to (em0 10.60.128.254) inet from 10.70.128.0/24 to any flags S/SA keep state
====

My box is a cluster node, not router, just simple policy-based routing required

On Mon, Dec 7, 2009 at 11:21 PM, Ermal Luçi <eri@freebsd.org> wrote:
>
>
> On Mon, Dec 7, 2009 at 8:45 PM, Lytochkin Boris <lytboris@gmail.com> wrote:
>>
>> Hi!
>>
>> On Mon, Dec 7, 2009 at 10:29 PM, Max Laier <max@love2party.net> wrote:
>> [cut]
>> > I just tested an install of r197983 (9.0-CURRENT) that I had on a
>> > test-box and
>> > route-to works as it is supposed to - AFAICT. FWIW, pf sets sin_len for
>> > every
>> > use.
>> >
>> > Might be a problem/mis-understanding in the OPs configuration that is
>> > the
>> > issue here?
>> >
>> > I'll follow up to the thread on -net@ in a second.
>>
>> I posted my pf config in original message to -net@:
>> =====
>> scrub in all fragment reassemble
>> pass in all flags S/SA keep state
>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
>> to any flags S/SA keep state
>> =====
>>
>> Pretty simple. Even when forward is disabled packets that are matched
>> by route-to rule are forwarded to default gateway instead of specified
>> in route-to. And I checked rtalloc_ign_fib() arguments when using pf -
>> seems that pf does not use this function to lookup route-to route.
>>
>> +sem@
>>
>
> My crystal ball is broken.
> Explain your freebsd config, your network topology, some debug output and
> then it can be considered useful.
>
> There are many people using route-to on FreeBSD 8 so it would have come up
> before.
>
>>
>> --
>> Regards,
>> Boris Lytochkin
>
>
>
> --
> Ermal
>