Programming Question: Policy Based Routing

Ivo Vachkov ivo.vachkov at gmail.com
Thu Dec 8 08:43:51 PST 2005


2005/12/8, Claudio Jeker <cjeker at diehard.n-r-g.com>:
> On Thu, Dec 08, 2005 at 01:15:04PM +0200, Ivo Vachkov wrote:
> > > Normally it's the other way around.
> >
> > So be it :)
> >
> > My definition of Policy-Based Routing (PBR): ability to make routing
> > decisions based on information other than the destination IP address in the
> > packet. In my project this "other" information includes source IP
> > address, L4 protocol, TOS, packet length.
> >
> > Implementation:
> >
> > Plan 1) This is a complex standalone solution implemented entirely in
> > the kernel, plus userland utilities (like the route command). The whole
> > current routing engine will be changed. Instead of a Patricia tree I
> > implement a list of data structures, each one including a special mask
> > which identifies which fields of the IP header are used to match the
> > packet and an AVL tree to store routing information in it. The algorithm
> > is simple:
>
> An AVL tree is far from optimal for route lookups -- think about longest
> prefix matches. It is even worse than a Patricia tree.
> Also doing the packet classification as part of the route lookup is IMO a
> bad idea. Also the linear list that needs to be traversed for every packet
> is very expensive because you can only do one comparison at a time.

I am aware that this part sux :) That's why I'm asking for other
people's opinions.

> > Plan B) *Somehow very Linuxish* Using some sort of packet classifier
> > (for example packet filter matching code) it marks the packet with
> > some user-defined value. Example:
> >     ipfw add mark 10 ip from 192.168.0.0/24 to 192.168.10.0/24
> > and:
> >     pbr_route add -mark 10 $gateway
> > The kernel implementation should check for such marks on every packet
> > and search them in a binary search tree (AVL probably).
> >
> > That's it. Please, excuse my bad English and poor explanations. If you
> > have any questions I'll try to explain better, probably using more
> > examples.
> >
>
> This is a better approach and much simpler. Pf and IPFW have a
> powerful classifier and with tables, states, ...  it is possible to reduce
> the classification time significantly.
>

However this binds the code with some external software. Furthermore,
what should I use to "mark" packets originating from the host ... at
some point it gets too complex to configure, many rules should be
written just to get it working ...

> --
> :wq Claudio
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
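As an added illustration of Plan B (not code from this thread or from FreeBSD): a small Python model in which a first-match classifier assigns a mark to a packet and the routing stage consults a mark table before falling back to an ordinary longest-prefix destination lookup. The mark is handed to the router alongside the packet instead of being stored in an mbuf tag, and every rule, prefix and gateway value below is constructed for the example.

```python
import ipaddress

class Classifier:
    # First-match rule list (like an ipfw/pf ruleset) that tags a packet with a mark.
    def __init__(self):
        self.rules = []

    def add(self, mark, src=None, dst=None, proto=None, tos=None, max_len=None):
        # None in a field means "don't care"; src/dst are CIDR strings.
        net = lambda cidr: ipaddress.ip_network(cidr) if cidr else None
        self.rules.append((mark, net(src), net(dst), proto, tos, max_len))

    def classify(self, pkt):
        s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        for mark, src, dst, proto, tos, max_len in self.rules:
            if (src is None or s in src) and (dst is None or d in dst) \
               and proto in (None, pkt["proto"]) and tos in (None, pkt["tos"]) \
               and (max_len is None or pkt["len"] <= max_len):
                return mark
        return 0  # unmarked: plain destination routing applies

class Router:
    # Mark table consulted first, then an ordinary longest-prefix destination lookup.
    def __init__(self):
        self.by_mark = {}  # mark -> gateway, as in "pbr_route add -mark 10 $gateway"
        self.by_dst = []   # (network, gateway), kept sorted longest prefix first

    def add_route(self, net, gw):
        self.by_dst.append((ipaddress.ip_network(net), gw))
        self.by_dst.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, pkt, mark):
        if mark in self.by_mark:  # a policy route overrides destination routing
            return self.by_mark[mark]
        addr = ipaddress.ip_address(pkt["dst"])
        return next((gw for net, gw in self.by_dst if addr in net), None)

def forward(clf, rtr, pkt):
    # Next hop for one packet: classify first, then route by mark or by destination.
    return rtr.lookup(pkt, clf.classify(pkt))

def build_example():
    # Constructed configuration; every gateway address is a made-up placeholder.
    clf, rtr = Classifier(), Router()
    clf.add(10, src="192.168.0.0/24", dst="192.168.10.0/24")  # the ipfw rule in the thread
    clf.add(20, proto="udp", max_len=128)  # small UDP datagrams: L4 protocol + packet length
    rtr.by_mark[10] = "10.0.0.1"
    rtr.by_mark[20] = "10.0.2.1"
    rtr.add_route("0.0.0.0/0", "10.0.0.254")
    rtr.add_route("192.168.10.0/24", "10.0.1.1")
    return clf, rtr
```

A packet is a plain dict with `src`, `dst`, `proto`, `tos` and `len` keys; unmarked packets fall through to the destination table, which is what keeps the classifier out of the route lookup itself.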
