From: Lytochkin Boris
To: Ermal Luçi
Cc: Luigi Rizzo, src-committers@freebsd.org, svn-src-all@freebsd.org, Julian Elischer, sem@freebsd.org, svn-src-head@freebsd.org, Max Laier
Date: Tue, 8 Dec 2009 00:00:34 +0300
Subject: Re: svn commit: r200183 - head/sbin/ipfw
Message-ID: <933fa9790912071300u78e22dciec834bb3551311a4@mail.gmail.com>
In-Reply-To: <933fa9790912071230n56f27f5bhcdec44d22a1c5126@mail.gmail.com>
List-Id: SVN commit messages for the src tree for head/-current

Oops, everything is OK with route-to and reply-to in pf, my bad.

Config for my situation must be like this:

scrub in all fragment reassemble
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.71.128.254) inet from any to 10.71.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.72.128.254) inet from any to 10.72.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state

or incoming traffic would create a keep-state with "pass in" and would not go down to the route-to rules. Or use per-interface keep states.

On Mon, Dec 7, 2009 at 11:30 PM, Lytochkin Boris wrote:
> there are multiple addresses on em0 (for example):
>
> 95.108.197.225/27
> 10.60.128.225/24
> 10.61.128.225/24
> ...
> 10.70.128.225/24
>
> default router is in 95.108.197.225/27 network.
>
> 10.X addresses are used for SLB - SLB router does DNAT and forwards
> client's connection to this node, so node should forward all packets
> from 10.X addresses to .254 - SLB router IPs.
>
> ipfw config would be something like
> ====
> ipfw add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
> ipfw add 61 fwd 10.61.128.254 ip from 10.61.128.0/24 to any out
> ...
> ipfw add 70 fwd 10.70.128.254 ip from 10.70.128.0/24 to any out
> allow 65534 ip from any to any
> ====
>
> pf variant will be accordingly
> ====
> scrub in all fragment reassemble
> pass in all flags S/SA keep state
> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
> to any flags S/SA keep state
> ...
> pass out quick route-to (em0 10.60.128.254) inet from 10.70.128.0/24
> to any flags S/SA keep state
> ====
>
> My box is a cluster node, not a router, just simple policy-based routing required
>
> On Mon, Dec 7, 2009 at 11:21 PM, Ermal Luçi wrote:
>>
>> On Mon, Dec 7, 2009 at 8:45 PM, Lytochkin Boris wrote:
>>>
>>> Hi!
>>>
>>> On Mon, Dec 7, 2009 at 10:29 PM, Max Laier wrote:
>>> [cut]
>>> > I just tested an install of r197983 (9.0-CURRENT) that I had on a
>>> > test-box and route-to works as it is supposed to - AFAICT. FWIW, pf
>>> > sets sin_len for every use.
>>> >
>>> > Might be a problem/mis-understanding in the OP's configuration that is
>>> > the issue here?
>>> >
>>> > I'll follow up to the thread on -net@ in a second.
>>>
>>> I posted my pf config in the original message to -net@:
>>> =====
>>> scrub in all fragment reassemble
>>> pass in all flags S/SA keep state
>>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
>>> to any flags S/SA keep state
>>> =====
>>>
>>> Pretty simple. Even when forwarding is disabled, packets that are matched
>>> by the route-to rule are forwarded to the default gateway instead of the one
>>> specified in route-to. And I checked rtalloc_ign_fib() arguments when using pf -
>>> it seems that pf does not use this function to look up the route-to route.
>>>
>>> +sem@
>>>
>>
>> My crystal ball is broken.
>> Explain your FreeBSD config, your network topology, some debug output and
>> then it can be considered useful.
>>
>> There are many people using route-to on FreeBSD 8 so it would have come up
>> before.
>>
>>> --
>>> Regards,
>>> Boris Lytochkin
>>
>> --
>> Ermal
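The point Boris arrives at above (an inbound "pass in ... keep state" creates the state, so the node's replies are routed by that state and never reach the "pass out route-to" rules, while "reply-to" on the inbound rule is stored in the state) can be shown with a small model of pf's state-first evaluation. This is an added illustration, not code from the thread or from pf itself; it assumes last-match-wins unless "quick", a single default gateway, and only the route-to/reply-to options, and the client address and default gateway are constructed sample values.

```python
import ipaddress

DEFAULT_GW = "95.108.197.254"   # constructed: the default router's address

def _net(s):
    return None if s == "any" else ipaddress.ip_network(s)

def _in(net, addr):
    return net is None or ipaddress.ip_address(addr) in net

def rule(direction, src="any", dst="any", quick=False, route_to=None, reply_to=None):
    """One 'pass' rule of this toy model (not pf's own data structures)."""
    return {"dir": direction, "src": _net(src), "dst": _net(dst),
            "quick": quick, "route_to": route_to, "reply_to": reply_to}

def matches(r, direction, src, dst):
    return r["dir"] == direction and _in(r["src"], src) and _in(r["dst"], dst)

def next_hop(rules, states, direction, src, dst):
    """Next hop for one packet; states is keyed by (src, dst) of the creating packet."""
    # 1. A matching state short-circuits the ruleset: the route option stored
    #    in the state decides, and later "pass out" rules are never consulted.
    if (src, dst) in states:                      # same direction as creator
        return states[(src, dst)]["route_to"] or DEFAULT_GW
    if (dst, src) in states:                      # reply direction
        return states[(dst, src)]["reply_to"] or DEFAULT_GW
    # 2. No state yet: last matching rule wins unless it is marked quick.
    winner = None
    for r in rules:
        if matches(r, direction, src, dst):
            winner = r
            if r["quick"]:
                break
    if winner is None:
        return DEFAULT_GW                         # implicit pass, no state kept
    states[(src, dst)] = winner                   # every rule here keeps state
    return winner["route_to"] or DEFAULT_GW

def reply_path(rules, client, node):
    """Client SYN arrives at the node, the node replies: which gateway gets the reply?"""
    states = {}
    next_hop(rules, states, "in", client, node)
    return next_hop(rules, states, "out", node, client)

# Original config from the thread: the state is created by "pass in", so the
# node's reply hits that state and never reaches the route-to rule.
ORIGINAL = [rule("in"),
            rule("out", src="10.60.128.0/24", quick=True, route_to="10.60.128.254")]
# Corrected config: reply-to on the inbound rule is remembered in the state.
FIXED = [rule("in", dst="10.60.128.0/24", quick=True, reply_to="10.60.128.254"),
         rule("in", quick=True)]
```

Running `reply_path(ORIGINAL, "192.0.2.10", "10.60.128.225")` yields the default gateway, while the same call against `FIXED` yields the SLB router 10.60.128.254; a connection to the public address still leaves via the default gateway under `FIXED`.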