From: "Luiz Otavio O Souza" <lists.br@gmail.com>
To: "Eduardo Meyer", "Julian Elischer", freebsd-net@freebsd.org
Date: Mon, 19 Jan 2009 14:24:43 -0200
Subject: Re: Multiple Routing Tables (FIB) + IPFW problem as (I?) expected
Message-ID: <8461C1DA26D349A7B4AA821D8461A923@adnote989>
References: <4970DB6C.4030200@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

>> obviously you did some other commands here..
>> something generated 2 million packets..
>
> Julian, it's a production environment, firewall was up for a few
> minutes. That's the reason.
>
>> I was thinking of adding a 'reroute' ipfw keyword.. kind of like
>> 'fwd {original dest} ip from any to any'
>> because 'fwd' does cause the routing decision to be redone.
>>
>> The fib of the process that opens the socket controls where packets from
>> the local machine are sent.
>
> divert does cause this too, not "not fib X" seems to work fine...
>
> I wish you could make the "setfib" action be kept in state with
> keep-state only for the static rules, but I guess it will be done for
> all dynamic rules too, since keep-state makes dynamic rules repeat the
> static one, right?
>
> would something like
>
>     ipfw add prob 0.5 setfib 1 all from X to any out keep-state
>
> be used to balance (per session) between FIB tables?

divert? I think you want to say natd...

Again... you are using setfib after the route table decisions...
To use natd with setfib you need to set up two instances of natd, one for
each uplink interface:

    ipfw add divert 8668 all from any to any via ${outnic1}
    ipfw add divert 8669 all from any to any via ${outnic2}

And on the internal NIC:

    ipfw add setfib 1 tcp from ${inet} to any 80 in via ${iif}

So the HTTP traffic will be routed through fib 1 and should appear on the
correct uplink interface, and natd can do the dirty work.

I don't know about prob... you will need to send the connection setup
packets (for TCP) and subsequent packets through the same link. I don't
know if you can achieve this with prob + keep-state.

Luiz
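As an added example (not code from Luiz's mail, nor from FreeBSD itself), the two-uplink setup his reply sketches written out as one sh script, including the parts the mail leaves implicit: the second FIB's own default route and the two natd instances behind the two divert ports. Interface names (em0/em1/em2), the internal prefix 192.168.1.0/24 and the uplink-2 gateway 203.0.113.1 are assumed placeholders; the divert ports 8668/8669 and the "setfib 1 ... in via ${iif}" rule are taken from the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD: the full
# two-uplink ipfw + natd + setfib setup that Luiz's reply sketches. Interface
# names, the internal network and the uplink-2 gateway are placeholders; the
# divert ports (8668/8669) and the setfib rule come from the mail.

iif=em0                 # internal NIC (placeholder name)
inet=192.168.1.0/24     # internal network (placeholder)
outnic1=em1             # uplink 1: default route lives in FIB 0 (placeholder)
outnic2=em2             # uplink 2: default route lives in FIB 1 (placeholder)
gw2=203.0.113.1         # next hop for uplink 2 (placeholder, TEST-NET-3)

# gen_rules prints the setup one command per line instead of running it,
# so the ruleset can be reviewed before it touches a production box.
gen_rules() {
    cat <<EOF
# Prerequisite: the kernel must have more than one routing table
# (net.fibs=2 in /boot/loader.conf, or options ROUTETABLES=2). FIB 0 keeps
# the normal default route via ${outnic1}; FIB 1 gets its own via ${outnic2}.
setfib 1 route add default ${gw2}
# One natd per uplink: each instance aliases to its own NIC's address and
# listens on its own divert port.
natd -p 8668 -n ${outnic1}
natd -p 8669 -n ${outnic2}
ipfw -f flush
# Divert on each uplink in both directions: an outgoing packet reaches natd
# only after the routing lookup (in whichever FIB it was tagged for) picked
# the interface, and the replies coming back on that NIC are translated by
# the same instance.
ipfw add 100 divert 8668 all from any to any via ${outnic1}
ipfw add 110 divert 8669 all from any to any via ${outnic2}
# setfib only tags the packet; the route lookup happens afterwards. The rule
# therefore has to match on the inbound pass of the internal NIC. Matching
# on the outbound pass would be after the route decision, which is the
# mistake Luiz points at.
ipfw add 200 setfib 1 tcp from ${inet} to any 80 in via ${iif}
# Placeholder for the site policy; a real ruleset is stricter than this.
ipfw add 65000 allow ip from any to any
EOF
}

# apply_rules runs the generated commands (comment lines skipped). It is only
# invoked when the script is called with "apply", so sourcing it is harmless.
apply_rules() {
    gen_rules | grep -v '^#' | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd"
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;   # dry run: just show what would be applied
esac
```

Run it without arguments to print the ruleset, with `apply` to execute it. The rule order does not matter for correctness here: on the inbound pass via em0 only the setfib rule can match, and on the outbound pass via em2 only the divert rule for that NIC does, with the packet reinjected by natd after it. What the script does not do is answer the prob + keep-state question from the quoted mail; it pins port 80 to FIB 1 statically, which is the only thing the thread actually confirms works.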