On 10/4/10 12:18 PM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer<[email protected]> wrote:
On 10/4/10 10:16 AM, Eduardo Meyer wrote:
On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
<[email protected]> wrote:
On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer<[email protected]>
wrote:
Hello,
In the past I have used this patch by Luigi Rizzo, which helped me well.
http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
I tried with a friend to port it to -STABLE, but we were not able to
find out what has replaced mt_tag. Also, in ip_input.c we dirty-hacked
the following piece of code:
#ifdef IPFIREWALL_FORWARD
	if (m->m_flags & M_FASTFWD_OURS) {
		m->m_flags &= ~M_FASTFWD_OURS;
		goto pass;	/* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
	}
	if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
		/*
		 * Directly ship the packet on. This allows forwarding
		 * packets originally destined to us to some other directly
		 * connected host.
		 */
		ip_forward(m, dchg);
		return;
	}
#endif /* IPFIREWALL_FORWARD */
And this is something we are not sure is correct.
So my very obvious question is:
Does anyone have a recent version of this patch to share?
Can anyone familiar with the ipfw source code help me with that?
I'm certainly not an expert, but I wonder if the patch you're referring
to is still required? Can you provide more detail about your
particular application?
-Brandon
Yes, it's still required since ipfw fwd ignores layer-2 frames.
The application is the very same: squid. I mean, Lusca in fact (squid
fork).
Thank you for your interest.
Cisco/Ironport have a patch that does this..
I had permission to bring it back when I worked there but never got it
committed.
Adrian, was it part of the set I gave you?
Hello Elischer,
Was this made public?
I hope Chadd has some good news. In fact I tend to use it with Lusca in
tproxy mode. I bet this is the only missing piece of software.
I just dug up my old changes.
do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)
If you want to fwd from a bridge to make a transparent layer 2 proxy,
this may help..
Here are parts of it that may be relevant:
these are old (2007 I think) but may be of use still.
adrian had the full set at
==quote adrian=====
The stuff is in p4 now, but I haven't tested it out at all.
//depo/projects/adrian_spoof_clientip/ I -think-.
== end quote===
Index: net/if_bridge.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.107
diff -u -r1.107 if_bridge.c
--- net/if_bridge.c 6 Nov 2007 23:01:42 -0000 1.107
+++ net/if_bridge.c 28 Nov 2007 06:59:10 -0000
@@ -2908,6 +2908,11 @@
struct ip *ip;
struct llc llc1;
u_int16_t ether_type;
+ int is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+ struct m_tag *fwd_tag;
+#endif
+
snap = 0;
error = -1; /* Default error if not error == 0 */
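Review bot: `is_ip` is declared unconditionally but, judging by the rest of the patch, it is only read inside the `#ifdef IPFIREWALL_FORWARD` block that consumes `args.next_hop`, so a kernel built without IPFIREWALL_FORWARD gets a set-but-unused variable warning. Move `int is_ip = 0;` inside the same `#ifdef IPFIREWALL_FORWARD` / `#endif` that already wraps `struct m_tag *fwd_tag;`, and wrap the `is_ip = 1;` assignment in the later hunk the same way, so the no-forward build stays warning-clean.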
@@ -2967,6 +2972,7 @@
#ifdef INET6
case ETHERTYPE_IPV6:
#endif /* INET6 */
+ is_ip = 1;
break;
default:
/*
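Review bot: `is_ip = 1;` is placed after the `case ETHERTYPE_IPV6:` label, so with INET6 enabled it is set for IPv6 frames as well as IPv4 ones, but the forwarding code elsewhere in the patch copies a `struct sockaddr_in` into the tag and calls `in_localip()`, both of which are IPv4-only. An IPv6 frame that matches an ipfw `fwd` rule would therefore get an IPv4 `PACKET_TAG_IPFORWARD` prepended. Either set the flag only in the `ETHERTYPE_IP` case (e.g. `case ETHERTYPE_IP: is_ip = 1; break;` with a separate `ETHERTYPE_IPV6` arm), or check `ether_type == ETHERTYPE_IP` at the point of use.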
@@ -3024,6 +3030,30 @@
if (*mp == NULL)
return (error);
+
+#ifdef IPFIREWALL_FORWARD
+ /*
+ * Did the firewall want to forward it somewhere?
+ * If so, let the ip stack handle it.
+ */
+ if (i == 0&& args.next_hop != NULL&&
+ is_ip /*&& src != NULL */) {
+
+ fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+ sizeof(struct sockaddr_in), M_NOWAIT);
+ if (fwd_tag == NULL)
+ goto drop;
+ bcopy(args.next_hop, (fwd_tag+1),
+ sizeof(struct sockaddr_in));
+ m_tag_prepend(*mp, fwd_tag);
+
+ if (in_localip(args.next_hop->sin_addr))
+ (*mp)->m_flags |= M_FASTFWD_OURS;
+ ether_demux(src, *mp);
+ return (NULL);
+ }
+#endif
+
if (DUMMYNET_LOADED&& (i == IP_FW_DUMMYNET)) {
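Review bot: `return (NULL);` after `ether_demux(src, *mp);` is a type mismatch and a lifetime problem: this function returns an `int` (`return (error);` two lines above the hunk), and the mbuf has just been handed to `ether_demux()`, yet `*mp` still points at it, so the caller can touch a consumed mbuf. Follow the convention the surrounding code uses for a consumed packet, i.e. `*mp = NULL; return (0);`. Two further points in the same block: the `src != NULL` check is commented out (`/*&& src != NULL */`) while `src` is passed straight into `ether_demux()`, which dereferences the interface, so the `is_ip` condition should keep that NULL check unless it is proven that this path is never reached without a source interface; and `goto drop` on `m_tag_get()` failure needs to be confirmed to free `*mp` and return an error rather than fall back into normal bridge forwarding.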
==================
Index: netinet/ip_fw2.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.178
diff -u -r1.178 ip_fw2.c
--- netinet/ip_fw2.c 28 Oct 2007 17:12:47 -0000 1.178
+++ netinet/ip_fw2.c 28 Nov 2007 06:59:10 -0000
@@ -3446,8 +3507,10 @@
case O_FORWARD_IP: {
struct sockaddr_in *sa;
sa =&(((ipfw_insn_sa *)cmd)->sa);
+#if 0
if (args->eh) /* not valid on layer2
pkts */
break;
+#endif
if (!q || dyn_dir == MATCH_FORWARD) {
if (sa->sin_addr.s_addr == INADDR_ANY) {
bcopy(sa,&args->hopstore,
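Review bot: wrapping the `if (args->eh) break;` guard in `#if 0` removes the layer-2 restriction for every caller of the ipfw check routine, not just the bridge path that the other hunk teaches to honour `args.next_hop`. Any other layer-2 invocation (for example `net.link.ether.ipfw` on a plain interface) will now have `next_hop` set with nothing downstream consuming the tag, which silently turns a `fwd` rule into a plain `allow` there. Prefer an explicit condition over dead code: either delete the check and document the new semantics in the ipfw(8) notes for `fwd`, or keep it and let the bridge caller signal that it can handle forwarding (e.g. via a flag in `args`), so the behaviour change is opt-in and visible rather than hidden behind `#if 0`.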
=============================================
Index: netinet/ip_output.c
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw