From owner-freebsd-net@FreeBSD.ORG Tue Feb 8 15:46:12 2005 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A54416A4CE; Tue, 8 Feb 2005 15:46:12 +0000 (GMT) Received: from smtp.freemail.gr (smtp.freemail.gr [213.239.180.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5633443D45; Tue, 8 Feb 2005 15:46:11 +0000 (GMT) (envelope-from dionch@freemail.gr) Received: by smtp.freemail.gr (Postfix, from userid 101) id AACA0BC098; Tue, 8 Feb 2005 17:46:09 +0200 (EET) Received: from R3B (unknown [62.38.168.185])by smtp.freemail.gr (Postfix) with ESMTP id B8386BC023;Tue, 8 Feb 2005 17:46:08 +0200 (EET) Message-ID: <000a01c50df5$4a4435e0$3c00000a@R3B> From: "Chris Dionissopoulos" To: Date: Tue, 8 Feb 2005 17:45:59 +0200 MIME-Version: 1.0 Content-Type: text/plain;format=flowed;charset="iso-8859-7"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 cc: freebsd-net@freebsd.org Subject: Sticky pf(4)-like feature in ipfw? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Chris Dionissopoulos List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Feb 2005 15:46:12 -0000 Hi, I think of adding a new feature in (my local copy) ipfw (releng5) so that it makes also sticky match when forwarding broken protocols like ftp, h.323, sip, etc. Its inspired from pf(4) sticky feature as is.The general usage will be for "skipto" forwarding rules as shown in example below: Network ASCII-ART: Gateway1 Gateway2 | | ---------------- 192.168.1.0/24 | [Freebsd-ipfw] | ---------------- 192.168.3.0/24 ipfw.sh: ~~~~~~~~~~~~~~~~~~~~~~ #!/bin/sh fwcmd="/sbin/ipfw" pass="skipto 65535" gateway_mac1 ="00:0e:2e:03:36:23" gateway_mac2 ="00:0e:2e:03:37:23" gateway1="192.168.1.2" gateway2 ="192.168.1.1" lan_network = "192.168.3.0/24" broken="20,21,1720,6667,4600-4700" #CHECK STATES. ${fwcmd} add 100 check-state # INCOMING TRAFFIC ${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1}in recv rl0 keep-state ${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac1}in recv rl0 keep-state #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%] ${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network}to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky ${fwcmd} add 2001 skipto 10201 tcp from ${lan_network}to not ${lan_network}dst-port ${broken} in recv rl1 keep-sticky #OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%] ${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network}to not ${lan_network}in recv rl1 keep-state ${fwcmd} add 2101 skipto 10201 ip from ${lan_network}to not ${lan_network}in recv rl1 keep-state #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} in recv rl1 ${fwcmd} add 10110 ${pass} ip from any to any #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} in recv rl1 ${fwcmd} add 10210 ${pass} ip from any to any ~~~~~~~~~~~~~~~~~~~~~~ "keep-sticky" main difference with "keep-state" is just relaxed state matching using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip), and not (scr_ip:src_port + dst_ip:dst_port) straight and reversed (=keep-state/limit). My question : Does anyone has already working on such feature? Cause its pretty easy to implement(*) "keep-sticky", does any of ipfw developers planning to add such feature in near future? Thanks, Chris. (*) 1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h and copy TOK_KEEPSTATE+O_KEEPSTATE code as a new case of cmd+rule argument. 2. Some changes in "lookup_dyn_rule_locked" function of /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state when "keep-sticky" is enabled. ____________________________________________________________________ http://www.freemail.gr - δωρεάν υπηρεσία ηλεκτρονικού ταχυδρομείου. http://www.freemail.gr - free email service for the Greek-speaking.