Subject: Re: per-interface default routes
To: Michael C. Richardson <email@example.com>
From: Stefan Grefen <firstname.lastname@example.org>
Date: 03/13/1998 12:05:46
In message <199803111420.JAA18416@istari.sandelman.ottawa.on.ca> "Michael C. Richardson" wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Ted, awhile ago you said you might do some patches to allow a per-interface
I'm not Ted, but I've done this for a friend on a BSDI system some time ago.
It is a hack, which has some awkward side-effects. Basicly I check if
an outgoing packet has a source address of the interface that should
be routed differently, and the outgoing route is the default route.
It than checks a table to see which pseudo address to use (127.0.0.2 ...255)
and looks up in routing table the destiantion for this and uses it as default
route. This is cached in the spare bytes of the sockaddr_in (I did say it
is hack !!). This only works connections originating on that machine.
For multi-homed machine like his and yours, the exisisting routing system is
simply not working. The above hack eg. fails with ftp. To make something
like this work, without changing all the applications to be aware of it,
you would have to maintain a state per proccess/process-group/job which
'provider' it is using. This will require major changes to the network code,
on the other hand it can be a great asset for building secure systems.
> default route --- i.e. a TCP connection that came in on one interface would
> send its packets out the same interface.
> Two questions:
> 1. did you ever do this for NetBSD?
> 2. will an application be able to pick its outgoing interface
> by bind(2) its socket before it connect(2)s?
This would work. A hack on bind, containing a route would be even easier.
(eg. use a bigger address structure or reuse spare bytes).
It will still be hack ...
> I have two internet connections: one gives me useful addressing, and
> appropriate business AUP, the other just gives me personal-use bandwidth
> (Wave@Home). I want to put a web cache on my firewall that will do #2 above
> to use the cable bandwidth instead of my ISDN bandwidth for HTTP.
> :!mcr!: | Sandelman Software Works Corporation, Ottawa, ON
> Michael Richardson |Network and security consulting and contract programming
> Personal: email@example.com. PGP
>* key available.
> Corporate: firstname.lastname@example.org.
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: latin1
> Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
> -----END PGP SIGNATURE-----
Stefan Grefen Tandem Computers Europe Inc.
email@example.com High Performance Research Center
If a group of N persons implements a COBOL compiler, there will be N-1
passes. Someone in the group has to be the manager.
-- T. Cheatham