Multiple Routing Tables (FIB) + IPFW problem as (I?) expected

Luiz Otavio O Souza lists.br at gmail.com
Wed Jan 21 09:34:09 PST 2009


>>>> obviously you did some other commands here..
>>>> something generated 2 million packets..
>>>
>>> Julian, it's a production environment, the firewall was up for a few
>>> minutes. That's the reason.
>>>
>>>> I was thinking of adding a 'reroute' ipfw keyword.. kind of like
>>>> 'fwd {original dest} ip from any to any'
>>>> because 'fwd' does cause the routing decision to be redone.
>>>>
>>>> The fib of the process that opens the socket controls where packets
>>>> from the local machine are sent.
>>>
>>> divert does cause this too, not "not fib X" seems to work fine...
>>>
>>> I wish you could make the "setfib" action be kept in state with
>>> keep-state only for the static rules, but I guess it will be done for
>>> all dynamic rules too, since keep-state makes dynamic rules repeat the
>>> static one, right?
>>>
>>> would something like
>>>
>>> ipfw add prob 0.5 setfib 1 all from X to any out keep-state
>>>
>>> be used to balance (per session) between FIB tables?
>>
>> divert? I think you want to say natd...
>>
>> Again... you are using setfib after the route table decisions...
>>
>> To use natd with setfib you need to set up two instances of natd, one for
>> each uplink interface:
>>
>> ipfw add divert 8668 all from any to any via ${outnic1}
>> ipfw add divert 8669 all from any to any via ${outnic2}
>>
>> And on internal nic:
>>
>> ipfw add setfib 1 tcp from ${inet} to any 80 IN VIA ${iif}
>>
>> So the HTTP traffic will be routed through fib 1 and should appear on the
>> correct uplink interface, and natd can do the dirty work.
>>
>> I don't know about prob... you will need to send the connection setup
>> packets (for TCP) and subsequent packets through the same link. I don't
>> know if you can achieve this with prob + keep-state.
>>
>> Luiz
>>
>
> Yes, you are right. Now it's way easier to do policy routing and
> advanced PBR. However I'm still trying to balance outgoing traffic
> through multiple FIBs, per session. But
>
> add prob 0.5 setfib 1 tcp from ${inet} to any 80 in via ${iif} setup keep-state
>
> is not working as I expected...
>
> Some sessions just fail. I guess I need some special behavior on the
> "keep-state" action.
>

Have you tried the check-state rule? Just an educated guess... no real clue
about that... sorry.

You will need to dig into this yourself... take a closer look at the dynamic
rules created by your rule and try to determine the best way to achieve
what you want.

Luiz 
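The two-uplink layout Luiz describes earlier in the thread (one natd instance per uplink on its own divert port, and setfib applied on the inbound pass over the internal interface, before the routing decision) as a complete dry-run script. This is an added example, not code from the thread or from FreeBSD itself. The interface names, the internal prefix and the second gateway are constructed placeholders, and the `setfib 1 route add default` step and the `ROUTETABLES` kernel option are assumptions about how the second FIB gets its own default route; the thread does not cover either.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (DRY_RUN=1, default) or runs
# (DRY_RUN=0) the natd + ipfw + FIB setup for two uplinks.
# Assumption: the kernel was built with "options ROUTETABLES=2" (or more),
# otherwise setfib has only FIB 0 to work with.

outnic1="${outnic1:-em0}"        # uplink 1; its default route lives in FIB 0
outnic2="${outnic2:-em1}"        # uplink 2; its default route lives in FIB 1
iif="${iif:-em2}"                # internal interface
inet="${inet:-192.168.0.0/24}"   # internal network (constructed placeholder)
gw2="${gw2:-198.51.100.1}"       # gateway behind outnic2 (constructed placeholder)
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FIB 1 starts empty; give it its own default route through the second
# uplink (assumption: one default route per FIB is all that is needed here).
fib_routes() {
    run setfib 1 route add default "$gw2"
}

# Two natd instances, one per uplink, each listening on its own divert port.
nat_instances() {
    run natd -p 8668 -n "$outnic1"
    run natd -p 8669 -n "$outnic2"
}

# Rule order is the point of the thread: setfib must match on the inbound
# pass over the internal nic, before the routing decision, so that the
# packet then leaves on the uplink whose natd instance diverts it.
ruleset() {
    run ipfw add 100 setfib 1 tcp from "$inet" to any 80 in via "$iif"
    run ipfw add 200 divert 8668 all from any to any via "$outnic1"
    run ipfw add 300 divert 8669 all from any to any via "$outnic2"
}

main() {
    fib_routes
    nat_instances
    ruleset
}

main
```

Run it once with the default `DRY_RUN=1` and compare the printed rule order with `ipfw show` on the box before switching to `DRY_RUN=0`; the setfib rule has to sit ahead of every rule that would otherwise let the packet reach the outbound pass with FIB 0 still selected.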


