Date: Thu, 23 May 2002 00:18:44 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: rick norman <rick.norman@lmco.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and aliases
Message-ID: <20020523001844.B9562@blossom.cjclark.org>
In-Reply-To: <3CE3F5A7.FE02E845@lmco.com>; from rick.norman@lmco.com on Thu, May 16, 2002 at 11:08:40AM -0700
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org> <3CE3F5A7.FE02E845@lmco.com>
On Thu, May 16, 2002 at 11:08:40AM -0700, rick norman wrote:
I've been meaning to dig into this a bit more, but haven't had the
time yet. However, I wanted to make some remarks before the holiday
weekend.
> Here is an example (please view in a fixed-width font)
>
> Src       Hop1      Hop2      Dest
> -+-       -+-       -+-       -+-
>  |         |         |         |
>  +---------+---------+---------+
> 10.0.0.1  10.0.0.2
>           10.0.1.1  10.0.1.2
>           10.0.2.1  10.0.2.2
>           10.0.3.1  10.0.3.2
>                     10.0.4.2  10.0.4.3
>
> Notes:
> Subnet mask=255.255.255.0 for all
> there is only one NIC in each computer
> All the computers are connected to an ethernet switch.
> We are manually manipulating the routing table on hop2 and hop3 for the destination.
>
> The topology above allows us to get to destination address
> 10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.
>
> We would like to be able to setup IPFW rules and Dummynet Pipes
> to vary the link quality between hop1 and hop2
> depending on which of the three routes are taken to the destination.
>
> We need a firewall rule that reads like this
>
> 0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
> 0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
> 0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1
There are some problems with this format. As we agreed earlier in
the thread, you cannot know what alias received a packet. The
interface gets a packet by its link-layer address, and the alias IP
is nowhere to be found in the IP datagram. So the rules cannot work
the way you want on incoming packets.
It's only worthwhile to discuss outgoing packets. The next-hop IP
address is _definitely_ available to the firewall code. As for the
"source alias" address, it _may_ be available. I've been meaning to
have a closer look at the code, but it has been what has been holding
up my reply. I want to see what address ends up in the ifaddr
structure pointed to in the rtentry; if it's the alias address. If it
is, you could filter outgoing packets in the manner you desire.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
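The following is an added illustration of the two cases the reply separates; it is not code from this thread, from ipfw or from the FreeBSD kernel. It models Hop1 from the quoted diagram in Python: on ingress, every frame Src sends toward 10.0.4.3 is addressed to Hop1's single link-layer address and carries only the final destination in its IP header, so three frames "meant" for three different Hop1 aliases are byte-for-byte identical and no filter can tell them apart; on egress, the route lookup yields the next hop, so a dummynet pipe can be keyed on it. The MAC addresses, the route table (a single host route to 10.0.4.3 selecting the path in use, with connected routes simplified to carry their own interface address as gateway) and the pipe numbers are constructed for the example, and the `ifaddr` field of `Route` is only a placeholder for the open question of what the rtentry really points at.

```python
"""Model of the ipfw-alias argument in the thread (added example, not ipfw code)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address

# Hosts and IP addresses follow the quoted diagram. The MAC addresses below are
# constructed; Hop1 has one NIC, so one MAC serves every alias on it.
SRC_MAC = bytes.fromhex("020000000001")
HOP1_MAC = bytes.fromhex("020000000002")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: IPv4   # next hop: always known when the packet is being sent
    ifaddr: IPv4    # what the kernel records for the outgoing interface (assumed here)


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: IPv4, dst_ip: IPv4) -> bytes:
    """Ethernet II frame with a minimal IPv4 header (checksum zero; a model, not real traffic)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         src_ip.packed, dst_ip.packed)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr


def inbound_view(frame: bytes) -> dict:
    """Everything an inbound filter can see: link-layer destination plus IP header fields.
    None of them names the alias the sender 'meant'."""
    dst_mac, eth_type = frame[:6], frame[12:14]
    if eth_type != b"\x08\x00":
        raise ValueError("not IPv4")
    ttl, proto, src, dst = struct.unpack_from("!8xBB2x4s4s", frame, 14)
    return {"dst_mac": dst_mac, "src": IPv4(src), "dst": IPv4(dst),
            "ttl": ttl, "proto": proto}


def ingress_frames_at_hop1() -> list[bytes]:
    """Frames Src emits toward 10.0.4.3, one per Hop1 alias the sender might 'intend'.
    Src's only gateway is 10.0.0.2, so each goes to Hop1's MAC with dst 10.0.4.3."""
    src, dst = IPv4("10.0.0.1"), IPv4("10.0.4.3")
    return [build_frame(SRC_MAC, HOP1_MAC, src, dst)
            for _intended_alias in ("10.0.1.1", "10.0.2.1", "10.0.3.1")]


def lookup(routes: list[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, as the kernel selects the rtentry for an outbound packet."""
    best: Optional[Route] = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def outbound_pipe(routes: list[Route], pipes: dict[IPv4, int], dst: IPv4) -> Optional[int]:
    """Select a dummynet pipe for an outbound packet from its next hop, which the
    filter does have. Keying on r.ifaddr instead only works if the rtentry really
    carries the alias, which is the unresolved question in the reply."""
    r = lookup(routes, dst)
    return pipes.get(r.gateway) if r else None


# Hop1's route table (constructed): the three Hop1-Hop2 subnets are connected
# routes; a single host route to the destination picks which path is in use.
HOP1_ROUTES = [
    Route(ipaddress.IPv4Network("10.0.0.0/24"), IPv4("10.0.0.2"), IPv4("10.0.0.2")),
    Route(ipaddress.IPv4Network("10.0.1.0/24"), IPv4("10.0.1.1"), IPv4("10.0.1.1")),
    Route(ipaddress.IPv4Network("10.0.2.0/24"), IPv4("10.0.2.1"), IPv4("10.0.2.1")),
    Route(ipaddress.IPv4Network("10.0.3.0/24"), IPv4("10.0.3.1"), IPv4("10.0.3.1")),
    Route(ipaddress.IPv4Network("10.0.4.3/32"), IPv4("10.0.2.2"), IPv4("10.0.2.1")),
]
# Pipe numbers from the requested rules, keyed on the Hop2 address they lead to.
PIPE_BY_NEXT_HOP = {IPv4("10.0.1.2"): 1, IPv4("10.0.2.2"): 2, IPv4("10.0.3.2"): 3}


if __name__ == "__main__":
    frames = ingress_frames_at_hop1()
    print("distinct ingress frames at Hop1:", len(set(frames)))
    print("inbound view:", inbound_view(frames[0]))
    print("outbound pipe for 10.0.4.3:",
          outbound_pipe(HOP1_ROUTES, PIPE_BY_NEXT_HOP, IPv4("10.0.4.3")))
```

Swapping the host route's gateway to 10.0.1.2 or 10.0.3.2 moves the destination into pipe 1 or 3, which is the egress-side behaviour the requested rules are after; the ingress frames stay identical whatever the table says.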
