svn commit: r200183 - head/sbin/ipfw

Lytochkin Boris lytboris at gmail.com
Mon Dec 7 21:00:37 UTC 2009


Oops, everything is OK with route-to and reply-to in pf, my bad.

The config for my situation must be like this:
scrub in all fragment reassemble
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.71.128.254) inet from any to 10.71.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.72.128.254) inet from any to 10.72.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state

Otherwise incoming traffic would create keep-state with pass in and would not
go down to the route-to rules.
Or use per-interface keep states.

On Mon, Dec 7, 2009 at 11:30 PM, Lytochkin Boris <lytboris at gmail.com> wrote:
> there are multiple addresses on em0 (for example):
>
> 95.108.197.225/27
> 10.60.128.225/24
> 10.61.128.225/24
> ...
> 10.70.128.225/24
>
> default router is in 95.108.197.225/27 network.
>
> 10.X addresses are used for SLB - the SLB router does DNAT and forwards the
> client's connection to this node, so the node should forward all packets
> from 10.X addresses to .254 - the SLB router IPs.
>
> ipfw config would be something like
> ====
> ipfw add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
> ipfw add 61 fwd 10.61.128.254 ip from 10.61.128.0/24 to any out
> ...
> ipfw add 70 fwd 10.70.128.254 ip from 10.70.128.0/24 to any out
> ipfw add 65534 allow ip from any to any
> ====
>
> The pf variant will accordingly be
> ====
> scrub in all fragment reassemble
> pass in all flags S/SA keep state
> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
> ...
> pass out quick route-to (em0 10.70.128.254) inet from 10.70.128.0/24 to any flags S/SA keep state
> ====
>
> My box is a cluster node, not a router; just simple policy-based routing is required.
>
>
>
> On Mon, Dec 7, 2009 at 11:21 PM, Ermal Luçi <eri at freebsd.org> wrote:
>>
>>
>> On Mon, Dec 7, 2009 at 8:45 PM, Lytochkin Boris <lytboris at gmail.com> wrote:
>>>
>>> Hi!
>>>
>>> On Mon, Dec 7, 2009 at 10:29 PM, Max Laier <max at love2party.net> wrote:
>>> [cut]
>>> > I just tested an install of r197983 (9.0-CURRENT) that I had on a test-box and
>>> > route-to works as it is supposed to - AFAICT.  FWIW, pf sets sin_len for every
>>> > use.
>>> >
>>> > Might be a problem/mis-understanding in the OP's configuration that is the
>>> > issue here?
>>> >
>>> > I'll follow up to the thread on -net@ in a second.
>>>
>>> I posted my pf config in the original message to -net@:
>>> =====
>>> scrub in all fragment reassemble
>>> pass in all flags S/SA keep state
>>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
>>> =====
>>>
>>> Pretty simple. Even when forwarding is disabled, packets that are matched
>>> by the route-to rule are forwarded to the default gateway instead of the one
>>> specified in route-to. And I checked the rtalloc_ign_fib() arguments when using pf -
>>> it seems that pf does not use this function to look up the route-to route.
>>>
>>> +sem@
>>>
>>
>> My crystal ball is broken.
>> Explain your FreeBSD config, your network topology, some debug output and
>> then it can be considered useful.
>>
>> There are many people using route-to on FreeBSD 8 so it would have come up
>> before.
>>
>>>
>>> --
>>> Regards,
>>> Boris Lytochkin
>>
>>
>>
>> --
>> Ermal
>>
>


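As an added example (not part of the thread and not FreeBSD's own tooling), a small Python script that generates both the ipfw fwd ruleset and the corrected pf reply-to ruleset from a list of SLB subnets, deriving each .254 SLB router address and checking that it is really a host address inside the subnet. The subnet list, the em0 interface name and the rule numbers are assumptions taken from the thread.

```python
import ipaddress

# Constructed sample from the thread: SLB subnets on em0, SLB routers at .254.
SLB_NETWORKS = ["10.60.128.0/24", "10.70.128.0/24", "10.71.128.0/24", "10.72.128.0/24"]
INTERFACE = "em0"
GATEWAY_HOST = 254


def slb_gateway(network: str) -> str:
    """Return the .254 address of a subnet, checking it is a usable host address."""
    net = ipaddress.ip_network(network, strict=True)
    gw = net.network_address + GATEWAY_HOST
    if gw not in net.hosts():  # hosts() excludes network and broadcast addresses
        raise ValueError(f"{gw} is not a host address inside {net}")
    return str(gw)


def pf_rules(networks, ifname=INTERFACE):
    """pf.conf variant: reply-to sits on the *inbound* rule so the state created
    on the way in already carries the return path.  A plain 'pass in ... keep
    state' ahead of a 'pass out route-to' rule would match the reply from the
    inbound state and send it via the default router instead."""
    rules = ["scrub in all fragment reassemble"]
    for network in networks:
        gw = slb_gateway(network)
        rules.append(f"pass in quick reply-to ({ifname} {gw}) inet from any "
                     f"to {network} flags S/SA keep state")
    rules.append("pass in quick all flags S/SA keep state")
    return rules


def ipfw_rules(networks, first_rule=60):
    """ipfw variant: fwd outbound packets sourced from each SLB subnet to its router."""
    rules = [f"ipfw add {n} fwd {slb_gateway(net)} ip from {net} to any out"
             for n, net in enumerate(networks, start=first_rule)]
    rules.append("ipfw add 65534 allow ip from any to any")
    return rules


if __name__ == "__main__":
    print("\n".join(pf_rules(SLB_NETWORKS)))
    print()
    print("\n".join(ipfw_rules(SLB_NETWORKS)))
```

Run it and paste the first block into pf.conf (load with pfctl -f) or the second into the ipfw startup script; a subnet whose .254 is not a host address is rejected instead of producing a rule that forwards to a network or broadcast address.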