On Fri, Oct 9, 2009 at 5:58 PM, Julian Elischer <jul...@elischer.org> wrote:
> Jacques Fourie wrote:
>>
>> Hi,
>>
>> I've noticed what I believe to be a bug in ip_output(). The piece of
>> code in question is when the firewall changes the destination address
>> of an outgoing packet and the subsequent re-calculation of the route.
>> The issue should be clear from the attached diff - basically what
>> happens is that for the second route lookup dst can point to
>> ro->ro_rt->rt_gateway instead of &ro->ro_dst. It seems as if this
>> issue is present on 7, 8 and 9?
>
> Is this a problem?
> Generally, the aim of a fwd firewall rule is to set the next hop
> (gateway), so this may be what is required..
>
>>
>> --- ip_output.c 2009-10-09 10:37:40.537408240 +0200
>> +++ /home/jacques/ip_output.c 2009-10-09 10:43:46.232819440 +0200
>> @@ -521,8 +521,10 @@
>> #endif
>> error = netisr_queue(NETISR_IP, m);
>> goto done;
>> - } else
>> + } else {
>> + dst = (struct sockaddr_in *)&ro->ro_dst;
>> goto again; /* Redo the routing table lookup.
>> */
>> + }
>>
>>
>> Regards,
>> Jacques
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
>

If I understand everything correctly, the handling of fwd rules seems to do exactly what I propose in the patch. See the code starting with 'if (fwd_tag) {' in ip_output.c? As far as I understand it, fwd rules do not change the destination IP address in the mbuf, so the patch will not affect the handling of fwd rules.
Jacques
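Review bot: resetting `dst = (struct sockaddr_in *)&ro->ro_dst;` before `goto again` only repairs the second lookup if, by the time control reaches the `else`, `ro->ro_dst` already holds the destination the firewall wrote into the packet and the previously cached `ro->ro_rt` has been released; neither of those steps is visible in the hunk, so the diff should carry enough surrounding context (or the mail should name the lines) to show that both happen before the jump, otherwise the re-lookup at `again` can still resolve the stale route. Regenerating the hunk with wider context would also make it clear which condition leads into this `else`, which is what Julian's fwd-rule question hinges on.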