Date: Thu, 16 May 2002 11:08:40 -0700 From: rick norman <rick.norman@lmco.com> To: cjclark@alum.mit.edu Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: ipfw and aliases Message-ID: <3CE3F5A7.FE02E845@lmco.com> References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--Boundary_(ID_9NyJBOx3ELrSQmKY8PK+BA)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Here is an example (please view in fix point font)
Src Hop1 Hop2 Dest
-+- -+- -+- -+-
| | | |
+---------+----------+----------+
10.0.0.1 10.0.0.2
10.0.1.1 10.0.1.2
10.0.2.1 10.0.2.2
10.0.3.1 10.0.3.2
10.0.4.2 10.0.4.3
Notes:
Subnet mask=255.255.255.0 for all
there is only one NIC in each computer
All the computers are connected to an ethernet switch.
We are manually manipulating the routing table on hop2 and hop3 for the destination.
The topology above allows us to get to destination address
10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.
We would like to be able to setup IPFW rules and Dummynet Pipes
to vary the link quality between hop1 and hop2
depending on which of the three routes are taken to the destination.
We need a firewall rule that reads like this
0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1
The problem is that currently the via 10.0.1.1 and 10.0.2.1 and 10.0.3.1 all resolve
to the same
interface and therefore onpy pipe 1 is used. That's why I would like subnets to be
used
instread of the interface to which they resolve. Actually, I think the via qualifier
would make
more sense if it was able differentiate subnets. If you have any way of making this
work please
let me know.
Thanks,
Rick Norman
"Crist J. Clark" wrote:
> On Tue, May 14, 2002 at 01:45:10PM -0700, rick norman wrote:
> > I'm probably giving too little detail. Basically I'm configuring bsd 4.5
> > as an intermediate node router in a fairly complex topology. The different
> > aliases on an interface allow me to take different paths through this topology
> > based on the subnets. What I want to do is apply different characteristics
> > to multiple data streams based on the subnet they take leaving my router.
> > The pkt only has src and des ip which says nothing about the path the routing
> > protocols have picked.
>
> What information are the routing protocols using besides the
> destination IP?
>
> > The rules that I see available in the ipfw would catch
> > all the aliases leaving on an interface with no differentiation.
>
> Because there is no difference. The only information available on a
> packet being forwarded are the interface it came in on, the interface
> it is going out of, the next hop, and of course the data in the packet
> itself (the source and destination IPs). I'm not sure what other
> information you are trying to tap into.
>
> > It seems that
> > another key word, similar to the 'via' qualifier would allow me to individually
> > grab the outbound aliases. The needed info is available in the routing table
> > in the form of the next hop router, I just don't see a way to grab a pkt based
> > on the next hop address or the outbound subnet.
>
> Examining the next hop address on outgoing packets is not a big deal.
> It would be straight forward to add it to ipfw(8). But I'm still not
> sure what it has to do with local alias addresses.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
--Boundary_(ID_9NyJBOx3ELrSQmKY8PK+BA)
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7BIT
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<tt></tt> <tt></tt>
<p><tt>Here is an example (please view in fix point font)</tt>
<br><tt> </tt>
<br><tt>Src Hop1
Hop2 Dest</tt>
<br><tt>-+- -+-
-+- -+-</tt>
<br><tt> | |
| |</tt>
<br><tt> +---------+----------+----------+</tt>
<br><tt>10.0.0.1 10.0.0.2</tt>
<br><tt> 10.0.1.1
10.0.1.2</tt>
<br><tt> 10.0.2.1
10.0.2.2</tt>
<br><tt> 10.0.3.1
10.0.3.2</tt>
<br><tt>
10.0.4.2 10.0.4.3</tt>
<br><tt> </tt>
<br><tt>Notes:</tt>
<br><tt>Subnet mask=255.255.255.0 for all</tt>
<br><tt>there is only one NIC in each computer</tt>
<br><tt>All the computers are connected to an ethernet switch.</tt>
<br><tt>We are manually manipulating the routing table on hop2 and hop3
for the destination.</tt>
<br><tt> </tt>
<br><tt>The topology above allows us to get to destination address</tt>
<br><tt>10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.</tt>
<br><tt> </tt>
<br><tt>We would like to be able to setup IPFW rules and Dummynet Pipes</tt>
<br><tt>to vary the link quality between hop1 and hop2</tt>
<br><tt>depending on which of the three routes are taken to the destination.</tt>
<br><tt> </tt>
<br><tt>We need a firewall rule that reads like this</tt>
<br><tt> </tt>
<br><tt>0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1</tt>
<br><tt>0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1</tt>
<br><tt>0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1</tt>
<br><tt> </tt>
<br><tt>The problem is that currently the via 10.0.1.1 and 10.0.2.1 and
10.0.3.1 all resolve to the same</tt>
<br><tt>interface and therefore onpy pipe 1 is used. That's why I
would like subnets to be used</tt>
<br><tt>instread of the interface to which they resolve. Actually,
I think the via qualifier would make</tt>
<br><tt>more sense if it was able differentiate subnets. If you have any
way of making this work please</tt>
<br><tt>let me know.</tt><tt></tt>
<p><tt>Thanks,</tt>
<br><tt>Rick Norman</tt>
<br><tt> </tt><tt></tt>
<p><tt>"Crist J. Clark" wrote:</tt>
<blockquote TYPE=CITE><tt>On Tue, May 14, 2002 at 01:45:10PM -0700, rick
norman wrote:</tt>
<br><tt>> I'm probably giving too little detail. Basically I'm configuring
bsd 4.5</tt>
<br><tt>> as an intermediate node router in a fairly complex topology.
The different</tt>
<br><tt>> aliases on an interface allow me to take different paths through
this topology</tt>
<br><tt>> based on the subnets. What I want to do is apply different
characteristics</tt>
<br><tt>> to multiple data streams based on the subnet they take leaving
my router.</tt>
<br><tt>> The pkt only has src and des ip which says nothing about the
path the routing</tt>
<br><tt>> protocols have picked.</tt><tt></tt>
<p><tt>What information are the routing protocols using besides the</tt>
<br><tt>destination IP?</tt><tt></tt>
<p><tt>> The rules that I see available in the ipfw would catch</tt>
<br><tt>> all the aliases leaving on an interface with no differentiation.</tt><tt></tt>
<p><tt>Because there is no difference. The only information available on
a</tt>
<br><tt>packet being forwarded are the interface it came in on, the interface</tt>
<br><tt>it is going out of, the next hop, and of course the data in the
packet</tt>
<br><tt>itself (the source and destination IPs). I'm not sure what other</tt>
<br><tt>information you are trying to tap into.</tt><tt></tt>
<p><tt>> It seems that</tt>
<br><tt>> another key word, similar to the 'via' qualifier would allow
me to individually</tt>
<br><tt>> grab the outbound aliases. The needed info is available
in the routing table</tt>
<br><tt>> in the form of the next hop router, I just don't see a way to
grab a pkt based</tt>
<br><tt>> on the next hop address or the outbound subnet.</tt><tt></tt>
<p><tt>Examining the next hop address on outgoing packets is not a big
deal.</tt>
<br><tt>It would be straight forward to add it to ipfw(8). But I'm still
not</tt>
<br><tt>sure what it has to do with local alias addresses.</tt>
<br><tt>--</tt>
<br><tt>Crist J. Clark
| cjclark@alum.mit.edu</tt>
<br><tt>
| cjclark@jhu.edu</tt>
<br><tt><a href="http://people.freebsd.org/~cjc/">http://people.freebsd.org/~cjc/</a>
| cjc@freebsd.org</tt></blockquote>
<tt></tt></html>
--Boundary_(ID_9NyJBOx3ELrSQmKY8PK+BA)--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CE3F5A7.FE02E845>