Obviously you did some other commands here.. something generated 2 million packets..
Julian, it's a production environment; the firewall was up for a few minutes. That's the reason.
I was thinking of adding a 'reroute' ipfw keyword.. kind of like
'fwd {original dest} ip from any to any'
because 'fwd' does cause the routing decision to be redone.
The fib of the process that opens the socket controls where packets from the local machine are sent.
divert does cause this too, not "not fib X" seems to work fine...
I wish you could make the "setfib" action be kept in state with
keep-state only for the static rules, but I guess it will be done for
all dynamic rules too, since keep-state makes dynamic rules repeat the
static one, right?
would something like
ipfw add prob 0.5 setfib 1 all from X to any out keep-state
be used to balance (per session) between FIB tables?
divert? I think you want to say natd...
Again... you are using setfib after the route table decisions...
To use natd with setfib you need to set up two instances of natd, one for each uplink interface:
ipfw add divert 8668 all from any to any via ${outnic1}
ipfw add divert 8669 all from any to any via ${outnic2}
And on internal nic:
ipfw add setfib 1 tcp from ${inet} to any 80 IN VIA ${iif}
So the http traffic will be routed through fib 1 and should appear on the correct uplink interface, and natd can do the dirty work.
I don't know about prob... you will need to send the connection setup packets (for tcp) and subsequent packets through the same link. I don't know if you can achieve this with prob + keep-state.
Luiz
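The two-natd layout Luiz describes, written as a small sh script that generates the ruleset (added example, not from the thread); the interface names, LAN prefix and natd ports are assumed placeholders, and with DRY_RUN left at its default the rules are printed for review rather than loaded.

```shell
#!/bin/sh
# Added example: build the ipfw rules for one natd per uplink plus setfib
# for HTTP on the inside nic. Interfaces, LAN prefix and ports are assumed.
# Assumes the kernel was booted with net.fibs>=2 and FIB 1 has a default
# route via the second uplink (setfib 1 route add default <gw>).

# Emit the rules in load order; each line is a complete "ipfw add" argument
# list, so the output can be reviewed before anything touches the firewall.
gen_fib_rules() {
    inet=$1 iif=$2 outnic1=$3 outnic2=$4
    # One natd instance per uplink (assumed ports 8668 and 8669, as in the
    # thread): natd -p 8668 -n $outnic1 and natd -p 8669 -n $outnic2.
    echo "divert 8668 all from any to any via $outnic1"
    echo "divert 8669 all from any to any via $outnic2"
    # Tag inbound LAN HTTP with FIB 1 before the routing decision, so it
    # leaves through whichever uplink FIB 1's default route points at.
    echo "setfib 1 tcp from $inet to any 80 in via $iif"
    # Everything else stays in FIB 0 and is passed through.
    echo "allow ip from any to any"
}

# Print the commands (DRY_RUN=1, the default) or load them with ipfw.
load_fib_rules() {
    gen_fib_rules "$@" | while read -r rule; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ipfw add $rule"
        else
            ipfw -q add $rule
        fi
    done
}

# Number of rules the generator produces, for a quick sanity check.
count_fib_rules() {
    gen_fib_rules "$@" | wc -l | tr -d ' '
}
```

The prob/keep-state variant from later in the thread is deliberately not generated, since the thread reports sessions failing with it.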
Yes, you are right. Now it's way easier to do policy routing and advanced PBR. However, I'm still trying to balance outgoing traffic through multiple FIBs, per session. But
add prob 0.5 setfib 1 tcp from ${inet} to any 80 in via ${iif} setup
keep-state
is not working as I expected...
Some sessions just fail. I guess I need some special behavior on the
"keep-state" action.
Have you tried the check-state rule? Just an educated guess... no real clue about that... sorry.
You will need to dig by yourself on this... take a closer look at the dynamic rules created by your rule and try to determine the better way to achieve what you want.
Luiz
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"