Date: Wed, 26 Jun 2002 12:28:58 -0700 From: rick norman <rick.norman@lmco.com> To: freebsd-ipfw@freebsd.org Subject: Re: ipfw and aliases Message-ID: <3D1A15F9.7589DCE7@lmco.com> References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org> <3CE3F5A7.FE02E845@lmco.com>
Did this issue ever get resolved or is there some hope it can be incorporated ?

rick norman wrote:
>
> Here is an example (please view in fixed-point font)
>
> Src        Hop1       Hop2       Dest
> -+-        -+-        -+-        -+-
>  |          |          |          |
>  +----------+----------+----------+
> 10.0.0.1   10.0.0.2
>            10.0.1.1   10.0.1.2
>            10.0.2.1   10.0.2.2
>            10.0.3.1   10.0.3.2
>                       10.0.4.2   10.0.4.3
>
> Notes:
> Subnet mask=255.255.255.0 for all
> there is only one NIC in each computer
> All the computers are connected to an ethernet switch.
> We are manually manipulating the routing table on hop2 and hop3 for
> the destination.
>
> The topology above allows us to get to destination address
> 10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.
>
> We would like to be able to set up IPFW rules and Dummynet pipes
> to vary the link quality between hop1 and hop2
> depending on which of the three routes is taken to the destination.
>
> We need a firewall rule that reads like this
>
> 0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
> 0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
> 0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1
>
> The problem is that currently the via 10.0.1.1 and 10.0.2.1 and
> 10.0.3.1 all resolve to the same interface and therefore only pipe 1
> is used. That's why I would like subnets to be used instead of the
> interface to which they resolve. Actually, I think the via qualifier
> would make more sense if it was able to differentiate subnets. If you
> have any way of making this work please let me know.
>
> Thanks,
> Rick Norman
>
>
> "Crist J. Clark" wrote:
>
>> On Tue, May 14, 2002 at 01:45:10PM -0700, rick norman wrote:
>> > I'm probably giving too little detail. Basically I'm configuring bsd 4.5
>> > as an intermediate node router in a fairly complex topology. The different
>> > aliases on an interface allow me to take different paths through this topology
>> > based on the subnets. What I want to do is apply different characteristics
>> > to multiple data streams based on the subnet they take leaving my router.
>> > The pkt only has src and des ip which says nothing about the path the routing
>> > protocols have picked.
>>
>> What information are the routing protocols using besides the
>> destination IP?
>>
>> > The rules that I see available in the ipfw would catch
>> > all the aliases leaving on an interface with no differentiation.
>>
>> Because there is no difference. The only information available on a
>> packet being forwarded are the interface it came in on, the interface
>> it is going out of, the next hop, and of course the data in the packet
>> itself (the source and destination IPs). I'm not sure what other
>> information you are trying to tap into.
>>
>> > It seems that
>> > another key word, similar to the 'via' qualifier would allow me to individually
>> > grab the outbound aliases. The needed info is available in the routing table
>> > in the form of the next hop router, I just don't see a way to grab a pkt based
>> > on the next hop address or the outbound subnet.
>>
>> Examining the next hop address on outgoing packets is not a big deal.
>> It would be straightforward to add it to ipfw(8). But I'm still not
>> sure what it has to do with local alias addresses.
>> --
>> Crist J. Clark                   | cjclark@alum.mit.edu
>>                                  | cjclark@jhu.edu
>> http://people.freebsd.org/~cjc/  | cjc@freebsd.org
>

--
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
wk: 408 742 1619
rick.norman@lmco.com
hm: 650 726 0677
rnorman@ikaika.com
cell: 650 303 3877
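An added illustration, not part of the thread and not ipfw code: a small Python model of hop1 from Rick's diagram that shows why the three `via` rules collapse onto pipe 1, and what a match on the next hop (the addition Crist calls straightforward) would do instead. The interface name `xl0`, the routing table contents and the "next-hop-subnet" qualifier are all assumptions constructed for the example; ipfw has no such qualifier. The model keeps ipfw's first-match rule evaluation and the kernel's longest-prefix route lookup.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

net = ipaddress.ip_network
ip = ipaddress.ip_address

# Constructed model of hop1: one NIC (the name "xl0" is an assumption for the
# example) carrying the three alias addresses from the thread, all /24.
IFACES: Dict[str, List[ipaddress.IPv4Interface]] = {
    "xl0": [ipaddress.ip_interface(a) for a in ("10.0.1.1/24", "10.0.2.1/24", "10.0.3.1/24")],
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for a directly connected network
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    pipe: int
    dst: ipaddress.IPv4Network
    via: ipaddress.IPv4Address  # the address written after 'via' in the rule


# The three rules exactly as written in the thread.
RULES = [
    Rule(100, 1, net("10.0.4.3/32"), ip("10.0.1.1")),
    Rule(200, 2, net("10.0.4.3/32"), ip("10.0.2.1")),
    Rule(300, 3, net("10.0.4.3/32"), ip("10.0.3.1")),
]


def alias_for(addr: ipaddress.IPv4Address) -> Tuple[str, ipaddress.IPv4Interface]:
    """Return (interface name, alias) owning a local address."""
    for name, addrs in IFACES.items():
        for a in addrs:
            if a.ip == addr:
                return name, a
    raise ValueError(f"{addr} is not a local address")


def lookup_route(routes: List[Route], dst: ipaddress.IPv4Address):
    """Longest-prefix match; returns (next_hop, outgoing interface)."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    next_hop = best.gateway if best.gateway is not None else dst  # connected: deliver directly
    return next_hop, best.iface


def match_via_interface(rules, dst, out_iface):
    """What 'via <addr>' does per the thread: the address is resolved to the
    interface that owns it and interfaces are compared. All three aliases sit
    on xl0, so whichever route is in use, rule 100 matches first."""
    for rule in rules:
        if dst in rule.dst and alias_for(rule.via)[0] == out_iface:
            return rule.number, rule.pipe
    return None


def match_via_next_hop_subnet(rules, dst, next_hop):
    """Hypothetical qualifier (assumption, not in ipfw): the rule matches when
    the packet's next hop lies in the subnet of the alias named in the rule."""
    for rule in rules:
        if dst in rule.dst and next_hop in alias_for(rule.via)[1].network:
            return rule.number, rule.pipe
    return None


def classify(gateway: str) -> dict:
    """Build hop1's routing table with the host route to 10.0.4.3 pointed at
    `gateway` (the manual route change from the thread) and evaluate the packet
    under both matching semantics."""
    routes = [Route(a.network, None, "xl0") for a in IFACES["xl0"]]  # connected /24s
    routes.append(Route(net("10.0.4.3/32"), ip(gateway), "xl0"))       # manually set route
    dst = ip("10.0.4.3")
    next_hop, out_iface = lookup_route(routes, dst)
    return {
        "next_hop": str(next_hop),
        "out_iface": out_iface,
        "via_interface": match_via_interface(RULES, dst, out_iface),
        "via_next_hop_subnet": match_via_next_hop_subnet(RULES, dst, next_hop),
    }


if __name__ == "__main__":
    for gw in ("10.0.1.2", "10.0.2.2", "10.0.3.2"):
        r = classify(gw)
        print(f"route via {gw}: interface match -> rule/pipe {r['via_interface']}, "
              f"next-hop-subnet match -> rule/pipe {r['via_next_hop_subnet']}")
```

Running it shows the asymmetry the thread is about: the interface-based match returns rule 100 / pipe 1 for every choice of gateway, while the next-hop-based match selects pipe 1, 2 or 3 according to the route currently installed. The practical lesson for anyone writing dummynet policy on a multi-alias interface is that `via`, `xmit` and `recv` are interface tests, not address or subnet tests, so rules meant to differ by path must key on something the packet or its route actually carries.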
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D1A15F9.7589DCE7>