Date: Wed, 14 Nov 2001 16:04:41 -0800 From: Julian Elischer <julian@vicor-nb.com> To: net@freebsd.org Subject: RFC: ipfirewall_forward patch Message-ID: <3BF30699.E8CC9857@vicor-nb.com>
next in thread | raw e-mail | index | archive | help
The following patch is expected to
allow the forwarding of INCOMING packets to an arbitrary next hop
controlled by the ipfw fwd command..
Ipfw 'fwd' at present has teh following restriction:
only packets already leaving the system can be hijacked and forwarded
to a 2nd machine. Incoming packets can only be forwarded to local
addresses/port combinations.
This patch would allow a sequence of mchines to hijack
a particular conforming packet and pass it allong a chain of
these machine sot make it fall out somewhere else..
the particular example I have in mind:
[internet]---[A.b.c.d]-------[10.2.3.4]
\---------[10.2.3.5]
\---------[10.2.3.6]
\---------[10.2.3.7]
on A.b.c.d:
ipfw add 1000 fwd 10.2.3.4 tcp from 0.0.0.0:0.0.3.0 to A.b.c.d 80 in
recv fxp0
ipfw add 1000 fwd 10.2.3.5 tcp from 0.0.1.0:0.0.3.0 to A.b.c.d 80 in
recv fxp0
ipfw add 1000 fwd 10.2.3.6 tcp from 0.0.2.0:0.0.3.0 to A.b.c.d 80 in
recv fxp0
ipfw add 1000 fwd 10.2.3.7 tcp from 0.0.3.0:0.0.3.0 to A.b.c.d 80 in
recv fxp0
and on each of the four machines:
ipfw add 1000 fwd localhost tcp from any to A.b.c.d 80 in recv fxp0
this is a 4 -way load sharing setup sharing
http load across 4 machines (in our case proxies)
implemented in 5 lines of ipfw.
To the external world it would look as if all requests are being
satisfied
by A.b.c.d:80.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BF30699.E8CC9857>