From owner-freebsd-stable Wed Dec 4 12:20:40 2002
From: Don Bowman <don@sandvine.com>
To: Don Bowman, freebsd-net@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: RE: SO_DONTROUTE, arp's, ipfw fwd, etc
Date: Wed, 4 Dec 2002 15:20:28 -0500

> From: Don Bowman [mailto:don@sandvine.com]
> I have a setup where I have a transparent proxy using ipfw fwd (to
> localhost). Data is sent to this device using a MAC rewrite so that
> packets arrive with my MAC, but the original source and destination IP.
> When I receive the SYN, I accept the connection, which causes an ARP
> to be emitted for the source address, and then the SYN/ACK.

I didn't get much response from this, so I'm going to re-phrase.

Is there any reason that I shouldn't modify the TCP passive accept so
that it remembers both the MAC address of the sender, and the interface
the packet came in on? By doing so, I will avoid having to issue an ARP
for each incoming connection (which adds latency, and more importantly
for me, breaks the ability to use ipfw 'fwd' rules the way I want).

[This is with FreeBSD 4.7 if it matters].

What's happening is I have >1 router feeding me sessions which I'm
transparently proxying (e.g. squid). Obviously I can't have a default
route back to each of them. So I have something like:

    [Router1]---\
                 \
    [Router2]--------[BSD]
                 /
    [Router3]---/

This is done with a layer-2 MAC rewrite, i.e. the router takes the
packet, doesn't modify the IP header, but changes the destination MAC to
be that of the BSD machine.

So, e.g., a packet comes into router1 above (from somewhere on its left
hand side). It may have IPsrc=1.0.0.1, IPdst=2.0.0.1. It then arrives @
the BSD machine, which will cheerfully say, yup, I'm 2.0.0.1 (using the
beauty of 'ipfw fwd localhost...').

Problem is, it then wants to send a SYN/ACK, there's no route, so
nowhere to go. I can't make the route be one of those routers, and the
routing tables are too complicated to install (since there may be BGP on
the left of them, etc, etc). It's important for me that the response
packets go back through the same path (to avoid reordering etc).

The next step for me is to use a separate VLAN from each of those
routers to the BSD box (so that the packets appear to come from
different interfaces). I'd like to memorize the interface the packet
came in on, and the MAC header to use, and just use that without making
an enormous ARP table, and going back to the place the SYN came from.

Is there a reason it doesn't work this way currently (before I dive in
and make changes)? If I were to change it to work the way I want, would
other people be interested? Would this be interesting as a wholesale
change in behaviour, or as a sysctl-changeable or #ifdef settable?

Comments greatly appreciated.
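The reply-path idea in the post (at passive accept, remember the ingress interface and the sender's MAC from the SYN, then answer along that same path with no route lookup and no ARP), as an added user-space model; this is not code from the post or from FreeBSD, and the MAC addresses, the interface name "vlan1" and the minimal frame builder are constructed for the example.

```python
import struct

# Constructed sample MACs (not from the post): the BSD box and Router1.
BSD_MAC = bytes.fromhex("000c29aabbcc")
ROUTER1_MAC = bytes.fromhex("001122334455")

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; checksum field must be zero on input."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Minimal Ethernet/IPv4/TCP frame (TCP checksum left zero; not the point here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def parse_syn(frame: bytes):
    """Return the L2 sender MAC, the TCP 4-tuple and the ISN of an Ethernet/IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    sport, dport, seq = struct.unpack("!HHI", frame[14 + ihl:14 + ihl + 8])
    return frame[6:12], (frame[26:30], sport, frame[30:34], dport), seq

class ReplyPathCache:
    """Per-flow table of (ingress interface, sender MAC) learned from the SYN and
    reused for every reply, in place of a route lookup plus ARP."""
    def __init__(self):
        self.paths = {}

    def accept_syn(self, frame: bytes, ifname: str):
        """Passive accept: remember where the SYN came from, answer along the same path."""
        src_mac, key, seq = parse_syn(frame)
        # A retransmitted SYN arriving via another router overwrites the entry,
        # so replies follow whichever router is forwarding this flow now.
        self.paths[key] = (ifname, src_mac)
        src_ip, sport, dst_ip, dport = key
        synack = build_frame(src_mac, BSD_MAC, dst_ip, src_ip, dport, sport,
                             0x1000, seq + 1, 0x12)          # flags: SYN|ACK
        return ifname, synack

    def reply_path(self, src_ip, sport, dst_ip, dport):
        """Egress for a later reply in this flow: look up the SYN's tuple reversed."""
        return self.paths.get((dst_ip, dport, src_ip, sport))

# Constructed SYN as it arrives after Router1's MAC rewrite: dst MAC is the BSD box,
# but the IP header still says 1.0.0.1 -> 2.0.0.1 as in the post.
SAMPLE_SYN = build_frame(BSD_MAC, ROUTER1_MAC, bytes([1, 0, 0, 1]), bytes([2, 0, 0, 1]),
                         40000, 80, 1000, 0, 0x02)         # flags: SYN
```

Note that the reply is sent to whatever MAC the SYN carried, so the table is only as trustworthy as the L2 segment it learns from; on a dedicated VLAN per router, as the post proposes, that is exactly the behaviour wanted.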