Source-based routing w/ FreeBSD ?
Shadow Hawkins on Sunday, 05 October 2003 12:01:31
Hello,
to avoid running into anti-spoofing packet filters I would like to control the outgoing interface depending on the source address.
Running a FBSD 4.8 box the way to do this in IPv4 is using the "forward (fwd)" statement in the "ipfw" filter. But I cannot find anything similar for "ip6fw".
Q1: is there any alternative way to deal with this?
Q2: does anyone know if this has been implemented in a newer FBSD code?
Thanks & Regards,
Marc
Source-based routing w/ FreeBSD ?
Jeroen Massar on Sunday, 05 October 2003 13:37:05
Q1: is there any alternative way to deal with this?
Fix your routing or just use one prefix.
Q2: does anyone know if this has been implemented in a newer FBSD code?
Yes.... it isn't, unfortunately. Linux does have it for IPv4 also but not for IPv6.
Solved (was Source-based routing w/ FreeBSD)
Shadow Hawkins on Sunday, 12 October 2003 01:30:28
All right,
I understood Jeroen's answer as "if you need it, code it!" - so I coded :)
On ftp://ftp.sniff.de/pub/ipv6/ I've stored "FBSD48-PBR-v10patch" which is the patch for the "ip6fw" program and the kernel. See also the README file.
The new code allows the use of the "forward" statement in the ip6fw packet filter for outgoing packets and thus allows source-based routing (or "policy-based routing" if you are marketing-empowered).
The new kernel has been running stable for two days now on my "production" server. The code (and the server ;-) survived several tests. Still, be aware that this is not official FBSD code, two days are not much time, and if you don't need it then don't change your running system. Also, the code allows you to do some stupid things like configuring routing loops.
On the other hand it allows you to "multi-home" a server in a proper manner. One can implement "virtual servers" on layer 3. I was able to test applications with packets traversing the network although start and end addresses were on the same server (!)
Anyway, like it or leave it ;)
Marc
Solved (was Source-based routing w/ FreeBSD)
Jeroen Massar on Sunday, 12 October 2003 01:29:30
I understood Jeroen's answer as "if you need it, code it!" - so I coded
Now THAT is the spirit. If I were you, I would submit that code to the KAME folks, who will quite probably like it or bash your head in on how it should be done. Check your credits btw :)