From owner-freebsd-net@FreeBSD.ORG Wed Jan 25 16:14:57 2006
Date: Wed, 25 Jan 2006 18:19:55 +0200
From: Oleg Tarasov
To: freebsd-net@FreeBSD.org
Message-ID: <898692010.20060125181955@osk.com.ua>
Subject: Policy routing and multipath routing needed (override routing table)
List-Id: Networking and TCP/IP with FreeBSD

Hello,

Many people know how to engage policy routing using the ipfw forward function.
This can be successfully used on simple routers (not NAT gateways) and to make gateways with multiple internet connections provide services (such as DNS, mail etc.) on all interfaces. But the difficulty comes when the box itself is the source of packets, for example when a mail server sends mail to another server. In this case the source IP of packets is calculated using the routing table based on the destination address. These packets can't be correctly routed using policy, as in this case we should probably pass these packets through NAT, which is not always acceptable and is difficult to perform using standard tools, as forwarded packets are not injected into the firewall to be diverted through NAT. The easiest way to show this need is a simple planning of interface load division between internet interfaces based on services (for ex. proxy, DNS, mail, FTP etc.). In this case a simple routing table cannot provide what we need.

The second thing to be mentioned is known as multipath routing. It is a special situation of policy routing but is easier to develop. It can solve some problems too. I have found a mention of developing these functions as "planned" by FreeBSD developers in March 2004 (http://kerneltrap.org/node/2593). The obvious solution of this problem lies in using a Cisco router, but this is not good for a medium-size business organization due to lack of funds (you know those bosses), as that router costs like another routing machine ;)

It would be great to hear from the core team about their plans regarding these network stack changes.

There is another problem. In my opinion it would be great to make one more attribute for routes in the routing table indicating their activity/inactivity. The source of this problem is that all static routes on a reconfigured interface are deleted as the IP changes. If this reconfiguration occurs we need to recreate these routes again. It would be great if they persisted and for that time were "inactive".
One of the solutions in this case would be a tool for monitoring interface state able to activate some script on state change. This would be great for failover, for example. Please enlighten me and tell me if there is any.

-- 
Best regards,
Oleg Tarasov
mailto:subscriber@osk.com.ua
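The route-loss and failover part of the message (static routes vanishing when an interface is readdressed) can be handled with devd(8), which already fires on interface link events. The following POSIX sh helper is an added example, not code from the post or from FreeBSD: it computes which of a site's wanted static routes are missing from a `netstat -rn -f inet` table and emits the `route add` commands to restore them, only touching the live table when invoked with an interface name. The route table, interface names and addresses are constructed for illustration; the devd rule in the header comment is the assumed hook.

```shell
#!/bin/sh
# restore-routes.sh (hypothetical helper, not from the post or FreeBSD):
# re-add the static routes FreeBSD drops when an interface is readdressed.
# Intended to be hooked into devd(8) with a rule such as
#   notify 0 { match "system" "IFNET"; match "type" "LINK_UP";
#              action "/usr/local/sbin/restore-routes.sh $subsystem"; };
# so that it runs with the interface name as $1 whenever a link comes up.

# Desired static routes: "<destination> <gateway> <interface>" per line.
# Constructed sample table; replace with the site's real routes.
WANTED_ROUTES='10.10.0.0/16 192.168.82.1 fxp0
172.16.0.0/12 192.168.82.1 fxp0
10.20.0.0/16 10.0.0.1 fxp1'

# in_table DEST TABLE: succeed if DEST is a destination in TABLE, the text
# of "netstat -rn -f inet".  Older netstat prints "10.10/16" for
# "10.10.0.0/16", so trailing ".0" octets are stripped on both sides.
in_table() {
    printf '%s\n' "$2" | awk -v d="$1" '
        function norm(s) { sub(/(\.0)+\//, "/", s); return s }
        norm($1) == norm(d) { found = 1 }
        END { exit !found }'
}

# missing_routes IFACE TABLE: print "<dest> <gateway>" for every wanted
# route on IFACE that is absent from TABLE.
missing_routes() {
    printf '%s\n' "$WANTED_ROUTES" | while read -r dst gw ifn; do
        [ "$ifn" = "$1" ] || continue
        in_table "$dst" "$2" || printf '%s %s\n' "$dst" "$gw"
    done
}

# route_commands IFACE TABLE: the route(8) invocations that would restore
# the missing routes, one per line, for review or for piping into sh.
route_commands() {
    missing_routes "$1" "$2" | while read -r dst gw; do
        printf 'route -q add -net %s %s\n' "$dst" "$gw"
    done
}

# Only touch the live routing table when an interface name was given.
if [ -n "$1" ]; then
    route_commands "$1" "$(netstat -rn -f inet)" | sh
fi
```

Run it with no arguments to review the helper functions, or as `restore-routes.sh fxp0` (from devd or by hand) to apply the missing routes for that interface.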