svn commit: r200183 - head/sbin/ipfw

Lytochkin Boris lytboris at gmail.com
Mon Dec 7 20:30:10 UTC 2009


There are multiple addresses on em0 (for example):

95.108.197.225/27
10.60.128.225/24
10.61.128.225/24
...
10.70.128.225/24

The default router is in the 95.108.197.225/27 network.

10.X addresses are used for SLB - the SLB router does DNAT and forwards the
client's connection to this node, so the node should forward all packets
from 10.X addresses to .254 - the SLB router IPs.

The ipfw config would be something like
====
ipfw add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
ipfw add 61 fwd 10.61.128.254 ip from 10.61.128.0/24 to any out
...
ipfw add 70 fwd 10.70.128.254 ip from 10.70.128.0/24 to any out
ipfw add 65534 allow ip from any to any
====

The pf variant would accordingly be
====
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
...
pass out quick route-to (em0 10.70.128.254) inet from 10.70.128.0/24 to any flags S/SA keep state
====

My box is a cluster node, not a router; just simple policy-based routing is required.



On Mon, Dec 7, 2009 at 11:21 PM, Ermal Luçi <eri at freebsd.org> wrote:
>
>
> On Mon, Dec 7, 2009 at 8:45 PM, Lytochkin Boris <lytboris at gmail.com> wrote:
>>
>> Hi!
>>
>> On Mon, Dec 7, 2009 at 10:29 PM, Max Laier <max at love2party.net> wrote:
>> [cut]
>> > I just tested an install of r197983 (9.0-CURRENT) that I had on a
>> > test-box and route-to works as it is supposed to - AFAICT. FWIW, pf sets
>> > sin_len for every use.
>> >
>> > Might be a problem/misunderstanding in the OP's configuration that is
>> > the issue here?
>> >
>> > I'll follow up to the thread on -net@ in a second.
>>
>> I posted my pf config in the original message to -net@:
>> =====
>> scrub in all fragment reassemble
>> pass in all flags S/SA keep state
>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
>> =====
>>
>> Pretty simple. Even when forwarding is disabled, packets that are matched
>> by the route-to rule are forwarded to the default gateway instead of the one
>> specified in route-to. And I checked rtalloc_ign_fib() arguments when using pf -
>> it seems that pf does not use this function to look up the route-to route.
>>
>> +sem@
>>
>
> My crystal ball is broken.
> Explain your FreeBSD config, your network topology, some debug output and
> then it can be considered useful.
>
> There are many people using route-to on FreeBSD 8 so it would have come up
> before.
>
>>
>> --
>> Regards,
>> Boris Lytochkin
>
>
>
> --
> Ermal
>
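As an added illustration (not part of this thread), a small Python script that generates the ipfw fwd and pf route-to rule sets discussed above from the list of SLB networks and flags any route-to rule whose gateway is not the .254 router of its own source /24, which is the kind of copy-paste slip that silently sends traffic to the wrong SLB router. The network list, em0 and the .254 convention are taken from the post; the rule-numbering-by-second-octet is assumed from the posted ipfw config.

```python
import ipaddress
import re

# Constructed sample: SLB networks from the post (the elided "..." ones are omitted).
SLB_NETWORKS = ["10.60.128.0/24", "10.61.128.0/24", "10.70.128.0/24"]

# Matches the route-to part of a pf rule: interface, next-hop gateway, source network.
PF_ROUTE_TO = re.compile(r"route-to \((\S+) (\S+)\) inet from (\S+) to any")


def slb_gateway(net):
    """The .254 host of an SLB /24 is that network's SLB router (policy-routing next hop)."""
    network = ipaddress.ip_network(net)
    return str(network.network_address + 254)


def ipfw_rules(nets, catch_all=65534):
    """ipfw 'fwd' rules numbered after the second octet (as in the post), plus the final allow."""
    rules = [
        f"ipfw add {int(net.split('.')[1])} fwd {slb_gateway(net)} ip from {net} to any out"
        for net in nets
    ]
    rules.append(f"ipfw add {catch_all} allow ip from any to any")
    return rules


def pf_rules(nets, iface="em0"):
    """Equivalent pf 'route-to' rules; each one must be a single line in pf.conf."""
    return [
        f"pass out quick route-to ({iface} {slb_gateway(net)}) inet from {net} "
        f"to any flags S/SA keep state"
        for net in nets
    ]


def check_route_to(rules):
    """Return the route-to rules whose gateway does not lie inside their own source network.

    In this design every 10.X source must be steered to the .254 router of the same /24;
    a rule pointing at another subnet's router forwards that traffic to the wrong SLB."""
    bad = []
    for rule in rules:
        m = PF_ROUTE_TO.search(rule)
        if m is None:
            continue  # not a policy-routing rule (e.g. scrub, pass in)
        _iface, gateway, source = m.groups()
        if ipaddress.ip_address(gateway) not in ipaddress.ip_network(source):
            bad.append(rule)
    return bad
```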