Re: kern/157867: [patch][ipfw] natd globalport support for ipfw nat
Synopsis: [patch][ipfw] natd globalport support for ipfw nat

State-Changed-From-To: patched->closed
State-Changed-By: ae
State-Changed-When: Thu Jul 28 10:17:04 UTC 2011
State-Changed-Why: Merged to stable/8. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=157867
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: kern/157957: [libalias][patch] alias_ftp does not alias data sessions corretly
Synopsis: [libalias][patch] alias_ftp does not alias data sessions corretly

State-Changed-From-To: patched->closed
State-Changed-By: ae
State-Changed-When: Thu Jul 28 10:17:35 UTC 2011
State-Changed-Why: Merged to stable/8. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=157957
Re: kern/157867: commit references a PR
The following reply was made to PR kern/157867; it has been noted by GNATS. From: dfil...@freebsd.org (dfilter service) To: bug-follo...@freebsd.org Cc: Subject: Re: kern/157867: commit references a PR Date: Thu, 28 Jul 2011 10:10:49 + (UTC) Author: ae Date: Thu Jul 28 10:10:39 2011 New Revision: 224473 URL: http://svn.freebsd.org/changeset/base/224473 Log: MFC r223080: Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport" option for multiple NAT instances. If ipfw rule contains "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, packet aliased according to that entry, otherwise packet is passed unchanged. User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode. PR:kern/157867 Submitted by: Alexander V. Chernikov (previous version) Modified: stable/8/sbin/ipfw/ipfw.8 stable/8/sbin/ipfw/ipfw2.c stable/8/sbin/ipfw/ipfw2.h stable/8/sbin/ipfw/nat.c stable/8/sys/netinet/ipfw/ip_fw2.c stable/8/sys/netinet/ipfw/ip_fw_nat.c stable/8/sys/netinet/libalias/alias.h Directory Properties: stable/8/sbin/ipfw/ (props changed) stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/geom/label/ (props changed) Modified: stable/8/sbin/ipfw/ipfw.8 == --- stable/8/sbin/ipfw/ipfw.8 Thu Jul 28 09:27:01 2011(r224472) +++ stable/8/sbin/ipfw/ipfw.8 Thu Jul 28 10:10:39 2011(r224473) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 30, 2011 +.Dd June 14, 2011 .Dt IPFW 8 .Os .Sh NAME 
@@ -2422,6 +2422,27 @@ Reset table of the packet aliasing engin Reverse the way libalias handles aliasing. .It Cm proxy_only Obey transparent proxy rules only, packet aliasing is not performed. +.It Cm skip_global +Skip instance in case of global state lookup (see below). +.El +.Pp +Some specials value can be supplied instead of +.Va nat_number: +.Bl -tag -width indent +.It Cm global +Looks up translation state in all configured nat instances. +If an entry is found, packet is aliased according to that entry. +If no entry was found in any of the instances, packet is passed unchanged, +and no new entry will be created. +See section +.Sx MULTIPLE INSTANCES +in +.Xr natd 8 +for more information. +.It Cm tablearg +Uses argument supplied in lookup table. See +.Sx LOOKUP TABLES +section below for more information on lookup tables. .El .Pp To let the packet continue after being (de)aliased, set the sysctl variable Modified: stable/8/sbin/ipfw/ipfw2.c == --- stable/8/sbin/ipfw/ipfw2.c Thu Jul 28 09:27:01 2011(r224472) +++ stable/8/sbin/ipfw/ipfw2.c Thu Jul 28 10:10:39 2011(r224473) @@ -1112,8 +1112,11 @@ show_ipfw(struct ip_fw *rule, int pcwidt break; case O_NAT: - PRINT_UINT_ARG("nat ", cmd->arg1); - break; + if (cmd->arg1 != 0) + PRINT_UINT_ARG("nat ", cmd->arg1); + else + printf("nat global"); + break; case O_SETFIB: PRINT_UINT_ARG("setfib ", cmd->arg1); @@ -2728,9 +2731,14 @@ ipfw_add(char *av[]) break; case TOK_NAT: - action->opcode = O_NAT; - action->len = F_INSN_SIZE(ipfw_insn_nat); - goto chkarg; + action->opcode = O_NAT; + action->len = F_INSN_SIZE(ipfw_insn_nat); + if (_substrcmp(*av, "global") == 0) { + action->arg1 = 0; + av++; + break; + } else + goto chkarg; case TOK_QUEUE: action->opcode = O_QUEUE; Modified: stable/8/sbin/ipfw/ipfw2.h == --- stable/8/sbin/ipfw/ipfw2.h Thu Jul 28 09:27:01 2011(r224472) +++ stable/8/sbin/ipfw/ipfw2.h Thu Jul 28 10:10:39 2011(r224473) 
@@ -178,6 +178,7 @@ enum tokens { TOK_DENY_INC, TOK_SAME_PORTS, TOK_UNREG_ONLY, + TOK_SKIP_GLOBAL, TOK_RESET_ADDR, TOK_ALIAS_REV, TOK_PROXY_ONLY, Modified: stable/8/sbin/ipfw/nat.c == --- stable/8/sbin/ipfw/nat.
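Review bot: In the ipfw.8 hunk at -2422 the added text reads "Some specials value can be supplied", which should be "Some special values can be supplied", and `.Va nat_number:` passes the colon as part of the macro argument, so it is typeset as part of the variable name; mdoc wants the punctuation as its own argument (`.Va nat_number :`). The tablearg entry also starts a second sentence in the middle of a source line ("... lookup table. See"); in mdoc source a new sentence should begin on a new line.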
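Review bot: In the show_ipfw() hunk of ipfw2.c the O_NAT case now prints "nat global" whenever cmd->arg1 is 0, and ipfw_add() stores a literal 0 for the keyword, so 0 has become a reserved instance number with no named constant or comment in either place. Please confirm that the chkarg path, which is outside the visible lines, rejects a user-supplied `nat 0`; otherwise such a rule would be stored and listed as `nat global` and would consult every instance instead of one. A small #define shared by both sites would make the sentinel explicit.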
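Review bot: In the TOK_NAT case of ipfw_add(), `_substrcmp(*av, "global")` dereferences *av before anything in the hunk checks that an argument follows `nat`; if the missing-argument check lives only under chkarg, a rule that ends in a bare `nat` reaches the comparison with a null pointer. Test *av first, or jump to chkarg when it is NULL. The `else` in front of `goto chkarg` is also redundant after the `break`.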
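The lookup that the r224473 commit log describes for `nat global`, modelled in user-space C as an added example; it is not code from the commit, from ipfw or from libalias. The structures, the function name `nat_global_out` and the sample addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Toy model, constructed for illustration; not libalias or ip_fw_nat.c code. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
    ((uint32_t)(c) << 8) | (uint32_t)(d))
struct flow { uint32_t src, dst; uint16_t sport, dport; };
struct nat_instance {
	int id, skip_global;      /* nat_number; models the "skip_global" option */
	uint32_t alias_addr;      /* source address written on a hit */
	const struct flow *state; /* existing translation entries */
	size_t nstate;
};

/* Constructed sample: two uplinks plus one instance excluded from global lookup. */
static const struct flow st1[] = {{ IP(10,0,0,5), IP(198,51,100,7), 40000, 443 }};
static const struct flow st2[] = {{ IP(10,0,0,6), IP(198,51,100,7), 40001, 443 }};
static const struct flow st3[] = {{ IP(10,0,0,7), IP(198,51,100,7), 40002, 443 }};
static const struct nat_instance sample[] = {
	{ 1, 0, IP(192,0,2,1), st1, 1 },
	{ 2, 0, IP(203,0,113,1), st2, 1 },
	{ 3, 1, IP(203,0,113,9), st3, 1 },
};

/* Search every instance not marked skip_global and alias on the first hit.
 * Returns the instance id used, or -1 when no state exists anywhere: the
 * packet is then left unchanged and no new entry is created. */
int nat_global_out(const struct nat_instance *inst, size_t n, struct flow *pkt)
{
	for (size_t i = 0; i < n; i++) {
		if (inst[i].skip_global) continue;
		for (size_t j = 0; j < inst[i].nstate; j++) {
			const struct flow *s = &inst[i].state[j];
			if (s->src == pkt->src && s->dst == pkt->dst &&
			    s->sport == pkt->sport && s->dport == pkt->dport) {
				pkt->src = inst[i].alias_addr;
				return (inst[i].id);
			}
		}
	}
	return (-1);
}

int main(void)
{
	struct flow known = st2[0];
	printf("known flow aliased by instance %d\n", nat_global_out(sample, 3, &known));
	return (0);
}
```

The -1 case is the one to plan a ruleset around: a packet with no existing state leaves the `nat global` rule with its original source address, so a later rule has to hand it to a specific instance if it is to be translated.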
Re: kern/157957: commit references a PR
The following reply was made to PR kern/157957; it has been noted by GNATS. From: dfil...@freebsd.org (dfilter service) To: bug-follo...@freebsd.org Cc: Subject: Re: kern/157957: commit references a PR Date: Thu, 28 Jul 2011 10:16:40 + (UTC) Author: ae Date: Thu Jul 28 10:16:30 2011 New Revision: 224474 URL: http://svn.freebsd.org/changeset/base/224474 Log: MFC r223437: Export AddLink() function from libalias. It can be used when custom alias address needs to be specified. Add inbound handler to the alias_ftp module. It helps handle active FTP transfer mode for the case with external clients and FTP server behind NAT. Fix passive FTP transfer case for server behind NAT using redirect with external IP address different from NAT ip address. PR:kern/157957 Submitted by: Alexander V. Chernikov Modified: stable/8/sys/netinet/libalias/alias_db.c stable/8/sys/netinet/libalias/alias_ftp.c stable/8/sys/netinet/libalias/alias_local.h stable/8/sys/netinet/libalias/libalias.3 Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/geom/label/ (props changed) Modified: stable/8/sys/netinet/libalias/alias_db.c == --- stable/8/sys/netinet/libalias/alias_db.c Thu Jul 28 10:10:39 2011 (r224473) +++ stable/8/sys/netinet/libalias/alias_db.c Thu Jul 28 10:16:30 2011 (r224474) @@ -552,10 +552,6 @@ static void IncrementalCleanup(struct li static void DeleteLink(struct alias_link *); static struct alias_link * -AddLink(struct libalias *, struct in_addr, struct in_addr, struct in_addr, -u_short, u_short, int, int); - -static struct alias_link * ReLink(struct alias_link *, struct in_addr, struct in_addr, struct in_addr, u_short, u_short, int, int); 
@@ -572,9 +568,6 @@ static struct alias_link * #define ALIAS_PORT_MASK_EVEN 0x07ffe #define GET_NEW_PORT_MAX_ATTEMPTS 20 -#define GET_ALIAS_PORT -1 -#define GET_ALIAS_IDGET_ALIAS_PORT - #define FIND_EVEN_ALIAS_BASE 1 /* GetNewPort() allocates port numbers. Note that if a port number @@ -937,17 +930,12 @@ DeleteLink(struct alias_link *lnk) } -static struct alias_link * -AddLink(struct libalias *la, struct in_addr src_addr, -struct in_addr dst_addr, -struct in_addr alias_addr, -u_short src_port, -u_short dst_port, -int alias_port_param, /* if less than zero, alias */ -int link_type) -{ /* port will be automatically *//* chosen. - * If greater than*/ - u_int start_point; /* zero, equal to alias port */ +struct alias_link * +AddLink(struct libalias *la, struct in_addr src_addr, struct in_addr dst_addr, +struct in_addr alias_addr, u_short src_port, u_short dst_port, +int alias_port_param, int link_type) +{ + u_int start_point; struct alias_link *lnk; LIBALIAS_LOCK_ASSERT(la); Modified: stable/8/sys/netinet/libalias/alias_ftp.c == --- stable/8/sys/netinet/libalias/alias_ftp.c Thu Jul 28 10:10:39 2011 (r224473) +++ stable/8/sys/netinet/libalias/alias_ftp.c Thu Jul 28 10:16:30 2011 (r224474) 
@@ -100,38 +100,68 @@ __FBSDID("$FreeBSD$"); #define FTP_CONTROL_PORT_NUMBER 21 static void -AliasHandleFtpOut(struct libalias *, struct ip *, struct alias_link *, -int maxpacketsize); +AliasHandleFtpOut(struct libalias *, struct ip *, struct alias_link *, +int maxpacketsize); +static void +AliasHandleFtpIn(struct libalias *, struct ip *, struct alias_link *); -static int -fingerprint(struct libalias *la, struct alias_data *ah) +static int +fingerprint_out(struct libalias *la, struct alias_data *ah) { - if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL || - ah->maxpktsize == 0) + if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL || + ah->maxpktsize == 0) return (-1); - if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER - || ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER) + if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER || + ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER) return (0); return (-1); } -static int -protohandler(struct libalias *la, struct ip *pip, struct alias_data *ah) +static int +fingerprint_in(struct libalias *la, struct alias_data *ah) +{ + + if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL)
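Review bot: In the AddLink() definition hunk of alias_db.c (-937) the trailing comments that documented alias_port_param (less than zero: the alias port is chosen automatically; greater than zero: equal to the alias port) are deleted, and the -572 hunk removes GET_ALIAS_PORT from this file, at the same moment the function stops being static. External callers need that contract more than the in-file callers did: keep it as a block comment above the function or beside the exported prototype, and state there that the caller must hold the instance lock, since the body opens with LIBALIAS_LOCK_ASSERT(la).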
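Review bot: In the alias_ftp.c hunk, fingerprint_in() checks dport, sport and lnk but not ah->maxpktsize, unlike fingerprint_out(), and AliasHandleFtpIn() is declared without the maxpacketsize argument that AliasHandleFtpOut() takes. If the inbound handler only reads the payload that is fine, but a comment should say so; if it rewrites the payload it needs the same size bound as the outbound path. Separately, the whitespace-only changes to the AliasHandleFtpOut prototype and the fingerprint conditions are mixed in with the rename to fingerprint_out(), which makes the functional part of this merge harder to audit.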
fwd in ipfw module
Now if I want to use forwarding in ipfw I need to build a custom kernel.

I found similar thread
http://lists.freebsd.org/pipermail/freebsd-ipfw/2010-March/004148.html

Have you changed anything since then?
Re: fwd in ipfw module
Hello Pavel

On 28.07.2011 13:24, Pavel Timofeev wrote:
> Now if I want to use forwarding in ipfw I need to build a custom kernel.

Yes, this is correct.

> I found similar thread
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2010-March/004148.html
> Have you changed anything since then?

I do not think that this has changed, see this posting [1] (and following postings) in the same thread:

"A loadable module requires a coherent piece of code to implement the functionality, that can be put into the module. This option scatters tiny snippets of code throughout the existing TCP/UDP/IP/ipfw code."

[1] http://lists.freebsd.org/pipermail/freebsd-ipfw/2010-March/004151.html

bye
Fabian