From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 11:06:59 2010
Date: Mon, 4 Oct 2010 11:06:58 GMT
Message-Id: <201010041106.o94B6wJx065855@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/150798  ipfw       [ipfw] ipfw2 fwd rule matches packets but does not do
o kern/150141  ipfw       [ipfw]: Not working kernel nat freeBSD 8.1
o kern/149572  ipfw       [ipfw] ipfw kernel nat not working properly
o kern/148928  ipfw       [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw       [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw       [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw       [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
f kern/142951  ipfw       [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
o kern/122109  ipfw       [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

81 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 15:12:00 2010
Date: Mon, 4 Oct 2010 11:44:10 -0300
From: Eduardo Meyer
To: ipfw@freebsd.org
Subject: layer2 ipfw 'fwd' support

Hello,

In the past I have used this patch by Luigi Rizzo, which helped me well.

http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html

I tried with a friend to port it to -STABLE, but we were not able to
find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
the following piece of code:

#ifdef IPFIREWALL_FORWARD
        if (m->m_flags & M_FASTFWD_OURS) {
                m->m_flags &= ~M_FASTFWD_OURS;
                goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
        }
        if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
                /*
                 * Directly ship the packet on.  This allows forwarding
                 * packets originally destined to us to some other directly
                 * connected host.
                 */
                ip_forward(m, dchg);
                return;
        }
#endif /* IPFIREWALL_FORWARD */

And this is something we are not sure is correct.

So my very obvious question is:

Does anyone have a recent version of this patch to share?

Can anyone familiar with ipfw source code help me with that?
-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 17:02:49 2010
Date: Mon, 4 Oct 2010 12:02:12 -0500
From: Brandon Gooch
To: Eduardo Meyer
Cc: ipfw@freebsd.org
Subject: Re: layer2 ipfw 'fwd' support

On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
> Hello,
>
> In the past I have used this patch by Luigi Rizzo, which helped me well.
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>
> I tried with a friend to port it to -STABLE, but we were not able to
> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
> to following piece of code:
>
> #ifdef IPFIREWALL_FORWARD
>         if (m->m_flags & M_FASTFWD_OURS) {
>                 m->m_flags &= ~M_FASTFWD_OURS;
>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>         }
>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>                 /*
>                  * Directly ship the packet on.  This allows forwarding
>                  * packets originally destined to us to some other directly
>                  * connected host.
>                  */
>                 ip_forward(m, dchg);
>                 return;
>         }
> #endif /* IPFIREWALL_FORWARD */
>
> And this is something we are not sure if its correct.
>
> So my very obvious question is:
>
> Does anyone has a recent version of this patch to share?
>
> Can anyone familiar with ipfw source code help me with that?
>

I'm certainly not an expert, but I wonder if the patch you're referring
to is still required?
Can you provide more detail about your particular application?

-Brandon

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 17:16:59 2010
Date: Mon, 4 Oct 2010 14:16:57 -0300
From: Eduardo Meyer
To: Brandon Gooch
Cc: ipfw@freebsd.org
Subject: Re: layer2 ipfw 'fwd' support

On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch wrote:
> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
>> Hello,
>>
>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>
>> I tried with a friend to port it to -STABLE, but we were not able to
>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>> to following piece of code:
>>
>> #ifdef IPFIREWALL_FORWARD
>>         if (m->m_flags & M_FASTFWD_OURS) {
>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>         }
>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>                 /*
>>                  * Directly ship the packet on.  This allows forwarding
>>                  * packets originally destined to us to some other directly
>>                  * connected host.
>>                  */
>>                 ip_forward(m, dchg);
>>                 return;
>>         }
>> #endif /* IPFIREWALL_FORWARD */
>>
>> And this is something we are not sure if its correct.
>>
>> So my very obvious question is:
>>
>> Does anyone has a recent version of this patch to share?
>>
>> Can anyone familiar with ipfw source code help me with that?
>>
>
> I'm certainly not an expert, but I wonder if the patch your referring
> to is still required? Can you provide more detail about your
> particular application?
>
> -Brandon

Yes, it's still required since ipfw fwd ignores layer2 frames.

The application is the very same: squid. I mean, Lusca in fact (squid fork).

Thank you for your interest.

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 18:45:47 2010
Message-ID: <4CAA1E7B.1020107@freebsd.org>
Date: Mon, 04 Oct 2010 11:35:39 -0700
From: Julian Elischer
To: Eduardo Meyer
Cc: Brandon Gooch, ipfw@freebsd.org, Adrian Chadd
Subject: Re: layer2 ipfw 'fwd' support

On 10/4/10 10:16 AM, Eduardo Meyer wrote:
> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch wrote:
>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
>>> Hello,
>>>
>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>
>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>
>>> I tried with a friend to port it to -STABLE, but we were not able to
>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>> to following piece of code:
>>>
>>> #ifdef IPFIREWALL_FORWARD
>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>         }
>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>                 /*
>>>                  * Directly ship the packet on.  This allows forwarding
>>>                  * packets originally destined to us to some other directly
>>>                  * connected host.
>>>                  */
>>>                 ip_forward(m, dchg);
>>>                 return;
>>>         }
>>> #endif /* IPFIREWALL_FORWARD */
>>>
>>> And this is something we are not sure if its correct.
>>>
>>> So my very obvious question is:
>>>
>>> Does anyone has a recent version of this patch to share?
>>>
>>> Can anyone familiar with ipfw source code help me with that?
>>>
>> I'm certainly not an expert, but I wonder if the patch your referring
>> to is still required? Can you provide more detail about your
>> particular application?
>>
>> -Brandon
> Yes, its still required since ipfw fwd ignores layer2 frames.
>
> The application is the very same: squid. I mean, Lusca in fact (squid fork).
>
> Thank you for your interest.

Cisco/Ironport have a patch that does this..
I had permission to bring it back when I worked there but never got it
committed.

Adrian, was it part of the set I gave you?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 19:18:21 2010
In-Reply-To: <4CAA1E7B.1020107@freebsd.org>
Date: Mon, 4 Oct 2010 16:18:17 -0300
From: Eduardo Meyer
To: Julian Elischer
Cc: Brandon Gooch, ipfw@freebsd.org, Adrian Chadd
Subject: Re: layer2 ipfw 'fwd' support

On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer wrote:
> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch wrote:
>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
>>>> Hello,
>>>>
>>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>>
>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>
>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>> to following piece of code:
>>>>
>>>> #ifdef IPFIREWALL_FORWARD
>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>         }
>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>                 /*
>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>                  * packets originally destined to us to some other directly
>>>>                  * connected host.
>>>>                  */
>>>>                 ip_forward(m, dchg);
>>>>                 return;
>>>>         }
>>>> #endif /* IPFIREWALL_FORWARD */
>>>>
>>>> And this is something we are not sure if its correct.
>>>>
>>>> So my very obvious question is:
>>>>
>>>> Does anyone has a recent version of this patch to share?
>>>>
>>>> Can anyone familiar with ipfw source code help me with that?
>>>>
>>> I'm certainly not an expert, but I wonder if the patch your referring
>>> to is still required? Can you provide more detail about your
>>> particular application?
>>>
>>> -Brandon
>>
>> Yes, its still required since ipfw fwd ignores layer2 frames.
>>
>> The application is the very same: squid. I mean, Lusca in fact (squid
>> fork).
>>
>> Thank you for your interest.
>
> Cisco/Ironport have a patch that does this..
> I had permission to bring it back when I worked there but never got it
> committed.
>
> Adrian, was it part of the set I gave you?

Hello Elischer,

Was this made public?

I hope Chadd has some good news. In fact I tend to use it with Lusca in
tproxy mode. I bet this is the only missing piece of software.

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 4 21:22:39 2010
Message-ID: <4CAA45CC.8020304@freebsd.org>
Date: Mon, 04 Oct 2010 14:23:24 -0700
From: Julian Elischer
To: Eduardo Meyer
Cc: Brandon Gooch, ipfw@freebsd.org, Adrian Chadd
References: <4CAA1E7B.1020107@freebsd.org>
Subject: Re: layer2 ipfw 'fwd' support

On 10/4/10 12:18 PM, Eduardo Meyer wrote:
> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer wrote:
>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch wrote:
>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
>>>>> Hello,
>>>>>
>>>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>>>
>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>
>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>>> to following piece of code:
>>>>>
>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>         }
>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>                 /*
>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>                  * packets originally destined to us to some other directly
>>>>>                  * connected host.
>>>>>                  */
>>>>>                 ip_forward(m, dchg);
>>>>>                 return;
>>>>>         }
>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>
>>>>> And this is something we are not sure if its correct.
>>>>>
>>>>> So my very obvious question is:
>>>>>
>>>>> Does anyone have a recent version of this patch to share?
>>>>>
>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>
>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>> to is still required? Can you provide more detail about your
>>>> particular application?
>>>>
>>>> -Brandon
>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>
>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>> fork).
>>>
>>> Thank you for your interest.
>> Cisco/Ironport have a patch that does this..
>> I had permission to bring it back when I worked there but never got it
>> committed.
>>
>> Adrian, was it part of the set I gave you?
> Hello Elischer,
>
> Was this made public?
>
> I hope Chadd has some good news. In fact I tend to use with Lusca in
> tproxy mode. I bet this is the only missing piece of software.
>

I just dug up my old changes.
Do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)

If you want to fwd from a bridge to make a transparent layer 2 proxy, this
may help..

Here are parts of it that may be relevant:
these are old (2007 I think) but may be of use still.

adrian had the full set at

==quote adrian=====
The stuff is in p4 now, but I haven't tested it out at all.

    //depo/projects/adrian_spoof_clientip/   I -think-.
== end quote===

Index: net/if_bridge.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.107
diff -u -r1.107 if_bridge.c
--- net/if_bridge.c	6 Nov 2007 23:01:42 -0000	1.107
+++ net/if_bridge.c	28 Nov 2007 06:59:10 -0000
@@ -2908,6 +2908,11 @@
 	struct ip *ip;
 	struct llc llc1;
 	u_int16_t ether_type;
+	int	is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+	struct m_tag *fwd_tag;
+#endif
+
 
 	snap = 0;
 	error = -1;	/* Default error if not error == 0 */
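Review bot: in the @@ -2908,6 +2908,11 @@ hunk, `is_ip` is declared unconditionally while `fwd_tag` is only declared under IPFIREWALL_FORWARD; the only reader of `is_ip` (the forwarding block added later in this file) sits under the same #ifdef, so with the option off `is_ip` is assigned but never read and draws a set-but-unused warning on a kernel built with warnings enabled. Either put the `int is_ip` declaration and the later `is_ip = 1;` under the same `#ifdef IPFIREWALL_FORWARD`, or drop the guard around `fwd_tag` and keep both unconditional.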
@@ -2967,6 +2972,7 @@
 #ifdef INET6
 		case ETHERTYPE_IPV6:
 #endif /* INET6 */
+			is_ip = 1;
 			break;
 		default:
 			/*
@@ -3024,6 +3030,30 @@
 
 		if (*mp == NULL)
 			return (error);
+
+#ifdef IPFIREWALL_FORWARD
+		/*
+		 * Did the firewall want to forward it somewhere?
+		 * If so, let the ip stack handle it.
+		 */
+		if (i == 0&& args.next_hop != NULL&&
+		    is_ip /*&& src != NULL */) {
+
+			fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+					sizeof(struct sockaddr_in), M_NOWAIT);
+			if (fwd_tag == NULL)
+				goto drop;
+			bcopy(args.next_hop, (fwd_tag+1),
+				sizeof(struct sockaddr_in));
+			m_tag_prepend(*mp, fwd_tag);
+
+			if (in_localip(args.next_hop->sin_addr))
+				(*mp)->m_flags |= M_FASTFWD_OURS;
+			ether_demux(src, *mp);
+			return (NULL);
+		}
+#endif
+
 
 		if (DUMMYNET_LOADED&& (i == IP_FW_DUMMYNET)) {
==================
Index: netinet/ip_fw2.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.178
diff -u -r1.178 ip_fw2.c
--- netinet/ip_fw2.c	28 Oct 2007 17:12:47 -0000	1.178
+++ netinet/ip_fw2.c	28 Nov 2007 06:59:10 -0000
@@ -3446,8 +3507,10 @@
 			case O_FORWARD_IP: {
 				struct sockaddr_in *sa;
 				sa =&(((ipfw_insn_sa *)cmd)->sa);
+#if 0
 				if (args->eh)	/* not valid on layer2 pkts */
 					break;
+#endif
 				if (!q || dyn_dir == MATCH_FORWARD) {
 					if (sa->sin_addr.s_addr == INADDR_ANY) {
 						bcopy(sa,&args->hopstore,
=============================================
Index: netinet/ip_output.c
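Review bot: the @@ -2967,6 +2972,7 @@ hunk of if_bridge.c places `is_ip = 1;` after the `case ETHERTYPE_IPV6:` label, so IPv6 frames are marked as candidates for forwarding, but the forwarding block in the @@ -3024 hunk copies a `struct sockaddr_in` next hop and tests it with `in_localip()`, both IPv4-only. An IPv6 frame matching a `fwd` rule would therefore be handed to ether_demux() carrying an IPv4 forward tag. Set `is_ip` only for ETHERTYPE_IP, or check `args.next_hop->sin_family == AF_INET` in the forwarding condition before tagging.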
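Review bot: in the @@ -3024,6 +3030,30 @@ hunk of if_bridge.c, `return (NULL);` after `ether_demux(src, *mp);` leaves `*mp` pointing at an mbuf that ether_demux() has already consumed, and the `return (error);` context line (with `error = -1` in the first hunk) shows this function returns an int, not a pointer. Set `*mp = NULL;` before returning, so the caller can neither touch nor free the consumed mbuf, and return an int (0 for "consumed") instead of NULL. Three smaller points in the same block: the `src != NULL` condition is commented out yet `src` is passed straight to ether_demux(), so restore the guard or handle the NULL case; nothing in the condition `i == 0&& args.next_hop != NULL&& is_ip` checks the pfil direction, so a frame on its way out of a bridge member that matches a `fwd` rule would be re-injected as if received; and `goto drop` targets a label outside the hunk, so confirm that `drop:` in this function frees `*mp` and returns a non-zero error.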
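Review bot: the @@ -3446,8 +3507,10 @@ hunk of ip_fw2.c removes the `if (args->eh) break;` guard with `#if 0`, so O_FORWARD_IP now stores a next hop for every layer-2 packet, not only for frames arriving through the bridge hook patched in if_bridge.c. For a layer-2 packet that never reaches that new block (the bridge hook is the only consumer of `args.next_hop` in the posted changes), the rule counts a match but has no effect. Prefer narrowing the guard to the case the new bridge code handles over deleting it, and add a comment stating why the layer-2 restriction is lifted. Separately, the header itself shows the posted set is incomplete: the new-file start +3507 against -3446 is 61 lines of drift, and no earlier ip_fw2.c hunk is shown to account for it, so hunks before this one were left out; `Index: netinet/ip_output.c` is likewise followed by no hunk at all.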

References: <4CAA1E7B.1020107@freebsd.org> <4CAA45CC.8020304@freebsd.org>
Date: Mon, 4 Oct 2010 19:56:25 -0300
From: Eduardo Meyer
To: Julian Elischer
Cc: Brandon Gooch, ipfw@freebsd.org, Adrian Chadd
Subject: Re: layer2 ipfw 'fwd' support

On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer wrote:
> I just dug up my old changes.
> do you want to fwd from a bridge? or what?
> (it makes a difference what patches are needed)

Yes, that's exactly what I want.

> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
> may help..
>
> Here are parts of it that may be relevant:
> these are old (2007 I think) but may be of use still.

Thank you, I will try it right now.

> adrian had the full set at
>
> ==quote adrian=====
> The stuff is in p4 now, but I haven't tested it out at all.
>
>     //depo/projects/adrian_spoof_clientip/   I -think-.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 5 01:43:19 2010
Date: Tue, 5 Oct 2010 09:13:09 +0800
From: Adrian Chadd
To: Julian Elischer
Cc: Brandon Gooch, Eduardo Meyer, ipfw@freebsd.org
Reply-To: adrian@freebsd.org
Subject: Re: layer2 ipfw 'fwd' support
Message-ID: <20101005011308.GC28280@ucc.gu.uwa.edu.au>
In-Reply-To: <4CAA1E7B.1020107@freebsd.org>

On Mon, Oct 04, 2010, Julian Elischer wrote:
>>> -Brandon
>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>
>> The application is the very same: squid. I mean, Lusca in fact (squid fork).
>>
>> Thank you for your interest.
>
> Cisco/Ironport have a patch that does this..
> I had permission to bring it back when I worked there but never got it
> committed.
>
> Adrian, was it part of the set I gave you?

I don't recall; but I'm happy to look at merging it into -head.
I was more after L3 interception than L2 interception.
Adrian

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 5 19:57:00 2010
In-Reply-To: <4CAA45CC.8020304@freebsd.org>
References: <4CAA1E7B.1020107@freebsd.org> <4CAA45CC.8020304@freebsd.org>
Date: Tue, 5 Oct 2010 16:56:58 -0300
From: Eduardo Meyer
To: Julian Elischer
Cc: Brandon Gooch, ipfw@freebsd.org, Adrian Chadd
Subject: Re: layer2 ipfw 'fwd' support

On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer wrote:
> I just dug up my old changes.
> do you want to fwd from a bridge? or what?
> (it makes a difference what patches are needed)
>
> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
> may help..
>
> Here are parts of it that may be relevant:
> these are old (2007 I think) but may be of use still.
>
> adrian had the full set at
>
> ==quote adrian=====
> The stuff is in p4 now, but I haven't tested it out at all.
>
>     //depo/projects/adrian_spoof_clientip/   I -think-.
> Index: netinet/ip_output.c

Dear Julian,

Is anything missing from the above code? Say, like ip_output stuff?

I have tried what you sent me, compiled fine but did not work.
Here is my only rule (I have tried both with and without layer2 on the rule):

00001        36       4338 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
65535  32842101 2107060460 allow ip from any to any

Here are the sysctl tunables:

net.link.bridge.ipfw: 1
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0
net.link.ether.inet.log_arp_permanent_modify: 1
net.link.ether.inet.log_arp_movements: 1
net.link.ether.inet.log_arp_wrong_iface: 1
net.link.ether.inet.proxyall: 0
net.link.ether.inet.useloopback: 1
net.link.ether.inet.maxtries: 5
net.link.ether.inet.max_age: 1200
net.link.ether.ipfw: 1

And my bridge:

bridge0: flags=8843 metric 0 mtu 1500
        ether 16:52:8e:91:2f:45
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vr0 flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 200000
        member: sis0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 200000

The ipfw counter gets increased, but nothing hits Apache. Instead I go to
the Internet directly.

sis0 is on the Internet, vr0 is cross-over to the laptop (customer).

How should I debug it?
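The question above, whether anything is missing from the posted code, can be answered from the hunk headers alone: in a unified diff, each hunk's new-file start must equal its old-file start plus the net lines added by the hunks shown before it in the same file, so a jump that the visible hunks do not explain means hunks were left out. The script below is an added example, not code from this thread or from FreeBSD. It implements that check over the `Index:` and `@@` headers of a mailed patch, taking the headers of Julian's posting as constructed input (hunk bodies omitted, since only the headers matter), and also flags files announced with an `Index:` line that carry no hunk. It assumes CVS-style `Index:` file headers, as in the thread; `diff --git` headers are not parsed.

```python
"""Completeness check for a unified diff received by mail (added example).

Assumption: the patch uses CVS-style "Index: path" file headers, as the one
posted in this thread does; "diff --git" headers are not parsed here.
"""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
INDEX_RE = re.compile(r"^Index: (\S+)")

# Constructed input: the file and hunk headers as they appear in the patch
# posted to the thread; hunk bodies are left out because only the headers
# are needed for this check.
MAILED_PATCH = """\
Index: net/if_bridge.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
--- net/if_bridge.c     6 Nov 2007 23:01:42 -0000       1.107
+++ net/if_bridge.c     28 Nov 2007 06:59:10 -0000
@@ -2908,6 +2908,11 @@
@@ -2967,6 +2972,7 @@
@@ -3024,6 +3030,30 @@
Index: netinet/ip_fw2.c
===================================================================
--- netinet/ip_fw2.c    28 Oct 2007 17:12:47 -0000      1.178
+++ netinet/ip_fw2.c    28 Nov 2007 06:59:10 -0000
@@ -3446,8 +3507,10 @@
Index: netinet/ip_output.c
"""


def parse_patch(text):
    """Return [(filename, [(old_start, old_len, new_start, new_len), ...]), ...]
    in file order; a file announced without hunks gets an empty list."""
    files = []
    for line in text.splitlines():
        m = INDEX_RE.match(line)
        if m:
            files.append((m.group(1), []))
            continue
        m = HUNK_RE.match(line)
        if m and files:
            # A missing ",len" in a hunk header means a length of 1.
            old_start, old_len, new_start, new_len = (
                int(m.group(1)), int(m.group(2) or 1),
                int(m.group(3)), int(m.group(4) or 1))
            files[-1][1].append((old_start, old_len, new_start, new_len))
    return files


def check_patch(text):
    """Return a list of findings (strings); an empty list means every hunk's
    new-file offset is explained by the hunks shown before it and every
    announced file carries at least one hunk."""
    findings = []
    for name, hunks in parse_patch(text):
        if not hunks:
            findings.append(f"{name}: announced with Index: but no hunk follows")
            continue
        delta = 0  # net lines added by the hunks of this file seen so far
        for old_start, old_len, new_start, new_len in hunks:
            expected = old_start + delta
            if new_start != expected:
                findings.append(
                    f"{name}: hunk @@ -{old_start},{old_len} +{new_start},{new_len} @@ "
                    f"starts {new_start - expected:+d} lines from where the earlier "
                    f"hunks put it; hunks before it were omitted")
            # Track the real offset after this hunk so later hunks are judged
            # against it rather than against the omitted ones.
            delta = (new_start - old_start) + (new_len - old_len)
    return findings


if __name__ == "__main__":
    for finding in check_patch(MAILED_PATCH) or ["patch is self-consistent"]:
        print(finding)
```

Run on the thread's headers it reports that the ip_fw2.c hunk starts 61 lines later in the new file than the hunks shown can explain, so earlier ip_fw2.c hunks were left out, and that netinet/ip_output.c has no hunk at all. The check is cheap to run on any patch received over a list or by mail before applying it; its limit is that it cannot see hunks omitted after the last one shown for a file.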

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 6 19:07:23 2010
In-Reply-To: <4CAB8B35.7020703@freebsd.org>
References: <4CAA1E7B.1020107@freebsd.org> <4CAA45CC.8020304@freebsd.org> <4CAB8B35.7020703@freebsd.org>
Date: Wed, 6 Oct 2010 16:06:56 -0300
From: Eduardo Meyer
To: Julian Elischer, Adrian Chadd, ipfw@freebsd.org
Subject: Re: layer2 ipfw 'fwd' support

On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischer wrote:
> On 10/5/10 12:56 PM, Eduardo Meyer wrote:
=A0= This allows >>>>>>>> forwarding >>>>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 * packets originally destined to u= s to some other >>>>>>>> directly >>>>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 * connected host. >>>>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ >>>>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip_forward(m, dchg); >>>>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return; >>>>>>>> =A0 =A0 =A0 =A0} >>>>>>>> #endif /* IPFIREWALL_FORWARD */ >>>>>>>> >>>>>>>> And this is something we are not sure if its correct. >>>>>>>> >>>>>>>> So my very obvious question is: >>>>>>>> >>>>>>>> Does anyone has a recent version of this patch to share? >>>>>>>> >>>>>>>> Can anyone familiar with ipfw source code help me with that? >>>>>>>> >>>>>>> I'm certainly not an expert, but I wonder if the patch your referri= ng >>>>>>> to is still required? Can you provide more detail about your >>>>>>> particular application? >>>>>>> >>>>>>> -Brandon >>>>>> >>>>>> Yes, its still required since ipfw fwd ignores layer2 frames. >>>>>> >>>>>> The application is the very same: squid. I mean, Lusca in fact (squi= d >>>>>> fork). >>>>>> >>>>>> Thank you for your interest. >>>>> >>>>> Cisco/Ironport have a patch that does this.. >>>>> I had permission to bring it back when I worked there but never got i= t >>>>> committed. >>>>> >>>>> Adrian, was it part of the set I gave you? >>>> >>>> Hello Elischer, >>>> >>>> Was this made public? >>>> >>>> I hope Chadd has some good news. In fact I tent to use with Lusca in >>>> tproxy mode. I bet this is the only missing piece of software. >>>> >>> I just dug up my old changes. >>> do you want to fwd from a bridge? or what? >>> (it makes a difference what patches are needed) >>> >>> If you want to fwd from a bridge to make a transparent layer 2 proxy, >>> this >>> may help.. >>> >>> >>> Here are parts of it that may be relevent: >>> these are old (2007 I think) but may be of use still. 
>>> >>> adrian had the full set at >>> >>> =3D=3Dquote adrian=3D=3D=3D=3D=3D >>> =A0The stuff is in p4 now, but I haven't tested it out at all. >>> >>> =A0 =A0//depo/projects/adrian_spoof_clientip/ =A0 I -think-. >>> =3D=3D end quote=3D=3D=3D >>> >>> >>> >>> >>> Index: net/if_bridge.c >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v >>> retrieving revision 1.107 >>> diff -u -r1.107 if_bridge.c >>> --- net/if_bridge.c =A0 =A0 6 Nov 2007 23:01:42 -0000 =A0 =A0 =A0 1.107 >>> +++ net/if_bridge.c =A0 =A0 28 Nov 2007 06:59:10 -0000 >>> @@ -2908,6 +2908,11 @@ >>> =A0 =A0 =A0 =A0struct ip *ip; >>> =A0 =A0 =A0 =A0struct llc llc1; >>> =A0 =A0 =A0 =A0u_int16_t ether_type; >>> + =A0 =A0 =A0 int =A0 =A0 is_ip =3D 0; >>> +#ifdef IPFIREWALL_FORWARD >>> + =A0 =A0 =A0 struct m_tag *fwd_tag; >>> +#endif >>> + >>> >>> =A0 =A0 =A0 =A0snap =3D 0; >>> =A0 =A0 =A0 =A0error =3D -1; =A0 =A0 /* Default error if not error =3D= =3D 0 */ >>> @@ -2967,6 +2972,7 @@ >>> =A0#ifdef INET6 >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0case ETHERTYPE_IPV6: >>> =A0#endif /* INET6 */ >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 is_ip =3D 1; >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0default: >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* 
>>> @@ -3024,6 +3030,30 @@ >>> >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (*mp =3D=3D NULL) >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return (error); >>> + >>> +#ifdef IPFIREWALL_FORWARD >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0/* >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 * Did the firewall want to forward it som= ewhere? >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 * If so, let the ip stack handle it. >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0if (i =3D=3D 0&& =A0 =A0args.next_hop !=3D= NULL&& >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 is_ip /*&& =A0 =A0src != =3D NULL */) { >>> + >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0fwd_tag =3D m_tag_get(PACK= ET_TAG_IPFORWARD, >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0sizeof(struct sockaddr_in), >>> M_NOWAIT); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (fwd_tag =3D=3D NULL) >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto drop; >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0bcopy(args.next_hop, (fwd_= tag+1), >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 sizeof(st= ruct sockaddr_in)); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m_tag_prepend(*mp, fwd_tag= ); >>> + >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (in_localip(args.next_h= op->sin_addr)) >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(*mp)->m_f= lags |=3D M_FASTFWD_OURS; >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ether_demux(src, *mp); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return (NULL); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0} >>> +#endif >>> + >>> >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (DUMMYNET_LOADED&& =A0 =A0(i =3D=3D I= P_FW_DUMMYNET)) { >>> >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> Index: netinet/ip_fw2.c >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= 
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v >>> retrieving revision 1.178 >>> diff -u -r1.178 ip_fw2.c >>> --- netinet/ip_fw2.c =A0 =A028 Oct 2007 17:12:47 -0000 =A0 =A0 =A01.178 >>> +++ netinet/ip_fw2.c =A0 =A028 Nov 2007 06:59:10 -0000 
>>> >>> @@ -3446,8 +3507,10 @@ >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0case O_FORWARD_IP: { >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0struct s= ockaddr_in *sa; >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0sa =3D&(= ((ipfw_insn_sa *)cmd)->sa); >>> +#if 0 >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (args= ->eh) =A0 /* not valid on layer2 >>> pkts >>> */ >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0break; >>> +#endif >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (!q |= | dyn_dir =3D=3D MATCH_FORWARD) { >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0if (sa->sin_addr.s_addr =3D=3D >>> INADDR_ANY) { >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 =A0bcopy(sa,&args->hopstore, >>> >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> Index: netinet/ip_output.c >> >> Dear Julian, >> >> Is anything missing from the above code? Say, like ip_output stuff? >> >> I have tried what you sent me, compiled fine but did not work. 
>> >> Here is my only rule (I have tried both with and without layer2 on the >> rule): >> >> 00001 =A0 =A0 =A0 =A036 =A0 =A0 =A0 =A04338 fwd 127.0.0.1,80 tcp from an= y to not me >> dst-port 80 layer2 >> 65535 32842101 2107060460 allow ip from any to any >> >> Here are the sysctl tunables: >> >> net.link.bridge.ipfw: 1 >> net.link.bridge.inherit_mac: 0 >> net.link.bridge.log_stp: 0 >> net.link.bridge.pfil_local_phys: 0 >> net.link.bridge.pfil_member: 0 >> net.link.bridge.pfil_bridge: 1 >> net.link.bridge.ipfw_arp: 0 >> net.link.bridge.pfil_onlyip: 0 >> net.link.ether.inet.log_arp_permanent_modify: 1 >> net.link.ether.inet.log_arp_movements: 1 >> net.link.ether.inet.log_arp_wrong_iface: 1 >> net.link.ether.inet.proxyall: 0 >> net.link.ether.inet.useloopback: 1 >> net.link.ether.inet.maxtries: 5 >> net.link.ether.inet.max_age: 1200 >> net.link.ether.ipfw: 1 >> >> And my bridge: >> >> bridge0: flags=3D8843 =A0metric = 0 mtu >> 1500 >> =A0 =A0 =A0 =A0 ether 16:52:8e:91:2f:45 >> =A0 =A0 =A0 =A0 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay= 15 >> =A0 =A0 =A0 =A0 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200 >> =A0 =A0 =A0 =A0 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 >> =A0 =A0 =A0 =A0 member: vr0 flags=3D143 >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ifmaxaddr 0 port 5 priority 128 path cos= t 200000 >> =A0 =A0 =A0 =A0 member: sis0 flags=3D143 >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ifmaxaddr 0 port 1 priority 128 path cos= t 200000 >> >> The ipfw counter gets increased by nothing hits by Apache. Instead I >> go to Internet directly. >> >> sis0 is on internet, vr0 is cross-over to the laptop (customer). >> >> How should I debug it? >> >> > basically I woud suggest code inspection for a start.. > > look at where ipfw is called (just before where the patch went in) and > follow the packet up into ipfw > and back, =A0and read what it would do.. > > It's actually not a very hard path to follow. > > I'll try look at it after work.. 
Hello Julian / Adrian.

Thank you for your attention. A friend added some log entries so we
could try to find out what gets run and what doesn't.

Here is my current patch against RELENG_8:

--- if_bridge.c.orig	2010-09-11 22:02:36.000000000 +0000
+++ if_bridge.c	2010-10-05 17:59:13.000000000 +0000
@@ -2957,6 +2957,13 @@
 	struct ip *ip;
 	struct llc llc1;
 	u_int16_t ether_type;
+	int	is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+	struct m_tag *fwd_tag;
+#endif
+
+
+
 
 	snap = 0;
 	error = -1;	/* Default error if not error == 0 */
@@ -3016,6 +3023,8 @@
 #ifdef INET6
 		case ETHERTYPE_IPV6:
 #endif /* INET6 */
+			is_ip=1;
+			log(LOG_NOTICE, "Entered 0: is_ip=%i\n",is_ip);
 			break;
 		default:
 			/*
@@ -3091,6 +3100,32 @@
 		if (*mp == NULL)
 			return (error);
 
+#ifdef IPFIREWALL_FORWARD
+		/*
+		 * Did the firewall want to forward it somewhere?
+		 * If so, let the ip stack handle it.
+		 */
+		log(LOG_NOTICE, "Entered 1");
+		if (i == 0 && args.next_hop != NULL &&
+		    is_ip /*&& src != NULL */) {
+			log(LOG_NOTICE, "Entered 2");
+
+			fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+			    sizeof(struct sockaddr_in), M_NOWAIT);
+			if (fwd_tag == NULL)
+				goto drop;
+			bcopy(args.next_hop, (fwd_tag+1),
+			    sizeof(struct sockaddr_in));
+			m_tag_prepend(*mp, fwd_tag);
+
+			if (in_localip(args.next_hop->sin_addr))
+				(*mp)->m_flags |= M_FASTFWD_OURS;
+			ether_demux(src, *mp);
+			return (NULL);
+		}
+#endif
+
+
 		if (ip_dn_io_ptr && (i == IP_FW_DUMMYNET)) {
 
 			/* put the Ethernet header back on */
--- ../netinet/ipfw/ip_fw2.c.orig	2010-09-16 15:11:17.000000000 +0000
+++ ../netinet/ipfw/ip_fw2.c	2010-10-06 12:17:12.000000000 +0000
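Review bot: the @@ -3016,6 +3023,8 @@ hunk of if_bridge.c sets `is_ip=1` in the branch that `case ETHERTYPE_IPV6:` also falls into, but the tag built later carries a `struct sockaddr_in` and `in_localip(args.next_hop->sin_addr)` only makes sense for IPv4, so an IPv6 frame with a next_hop would be tagged with an IPv4 address. Either set the flag only for `ETHERTYPE_IP` (a separate `is_ip = 1;` before the `#ifdef INET6` lines) or add `ether_type == ETHERTYPE_IP` to the forward condition.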
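Review bot: in the @@ -3091,6 +3100,32 @@ hunk of if_bridge.c the forward block calls `ether_demux(src, *mp)` and then `return (NULL)`, but this function returns an int (two lines above it does `return (error)`), and `*mp` is left pointing at an mbuf that ether_demux() now owns, so a caller that sees a zero return with `*mp` still set will keep handling a frame the bridge has already given away. Clear the pointer and return an integer, e.g. `ether_demux(src, *mp); *mp = NULL; return (0);`. Two smaller points in the same hunk: the new `log(LOG_NOTICE, "Entered 1")` and `"Entered 2")` calls lack the trailing `\n` that the "Entered 0" message has, so they can be run together with whatever the kernel logs next; and because "Entered 1" is emitted unconditionally as soon as the `if (*mp == NULL) return (error);` check is passed, never seeing it while "Entered 0" repeats thousands of times means the firewall call in this function is either not reached for these frames or never returns an mbuf, which is worth establishing before debugging the forward block itself.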
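Review bot: the ip_fw2.c hunk that follows (@@ -2059,8 +2059,14 @@) wraps the whole `if (args->eh)` guard in `#if 0`, so the two log calls placed inside it are never compiled, and with the guard gone `args->next_hop` is set for every layer2 caller of the firewall, not only the bridge. The posted sysctl output has both `net.link.ether.ipfw: 1` and `net.link.bridge.ipfw: 1`, and only the if_bridge.c half of this patch does anything with next_hop, so rule hits counted at the plain Ethernet hook look like forwards that never happen. Suggest setting `net.link.ether.ipfw` to 0 for the test so the counter reflects the bridge hook alone, and replacing the `#if 0` with a condition that keeps the guard except for frames arriving via the bridge path; the log calls also need the trailing `\n`.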
@@ -2059,8 +2059,14 @@
 				break;
 
 			case O_FORWARD_IP:
-				if (args->eh)	/* not valid on layer2 pkts */
+#if 0
+				/* not valid on layer2 pkts */
+				if (args->eh) {
+					log(LOG_NOTICE, "ip_fw2.c Entered 1");
 					break;
+				}
+				log(LOG_NOTICE, "ip_fw2.c Entered 2");
+#endif
 				if (!q || dyn_dir == MATCH_FORWARD) {
 					struct sockaddr_in *sa;
 					sa = &(((ipfw_insn_sa *)cmd)->sa);

Please notice the log entries for debugging. When I try with the very
same rule:

fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2

This is what I get on /var/log/messages:

Oct 6 15:58:44 phoenix kernel: Entered 0: is_ip=1
Oct 6 15:59:16 phoenix last message repeated 93 times
Oct 6 16:01:20 phoenix last message repeated 189 times

So we never "Entered 1", never "Entered 2" nor ever entered "ip_fw2.c
Entered 2"; seems like FWD is never triggered...

I don't know where to move forth. Any help is appreciated.

-- 
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 7 19:23:59 2010
In-Reply-To: <4CACE7DE.9020106@freebsd.org>
References: <4CAA1E7B.1020107@freebsd.org> <4CAA45CC.8020304@freebsd.org> <4CAB8B35.7020703@freebsd.org> <4CACE7DE.9020106@freebsd.org>
Date: Thu, 7 Oct 2010 22:23:57 +0300
From: Eduardo Meyer
To: Julian Elischer, ipfw@freebsd.org
Subject: Re: layer2 ipfw 'fwd' support

On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer wrote:
> On 10/6/10 12:06 PM, Eduardo Meyer wrote:
>> Here is my current patch against RELENG_8:
>>
>> --- ../netinet/ipfw/ip_fw2.c.orig	2010-09-16 15:11:17.000000000 +0000
>> +++ ../netinet/ipfw/ip_fw2.c	2010-10-06 12:17:12.000000000 +0000
>> @@ -2059,8 +2059,14 @@
>>  				break;
>>  
>>  			case O_FORWARD_IP:
>> -				if (args->eh)	/* not valid on layer2 pkts */
>> +#if 0
>> +				/* not valid on layer2 pkts */
>> +				if (args->eh) {
>> +					log(LOG_NOTICE, "ip_fw2.c Entered 1");
>>  					break;
>> +				}
>> +				log(LOG_NOTICE, "ip_fw2.c Entered 2");
>
> these will never happen as they are in the #if 0 section.
>
> the #if 0 is to REMOVE that code from being compiled.
>
>
>> +#endif

Hello Julian,

Thank you again for your feedback. I appreciate it very much.

On my understanding this "if 0" was to really ignore this portion of
code, because as I understand what it does is to break (leave the loop)
if the packet is on layer2, and this is something we would not want,
but I guess I am wrong.
I tested now with your suggestion, and what we get is:

Oct 7 15:45:16 phoenix kernel: Entered 0: is_ip=1
Oct 7 15:45:16 phoenix kernel: ip_fw2.c Entered 1
Oct 7 15:45:16 phoenix kernel: Entered 0: is_ip=1
Oct 7 15:45:50 phoenix last message repeated 29 times
Oct 7 15:47:53 phoenix last message repeated 237 times
Oct 7 15:57:56 phoenix last message repeated 1029 times
Oct 7 16:02:51 phoenix last message repeated 655 times
Oct 7 16:02:51 phoenix kernel: ip_fw2.c Entered 1
Oct 7 16:02:51 phoenix kernel: Entered 0: is_ip=1
Oct 7 16:03:23 phoenix last message repeated 54 times
Oct 7 16:05:24 phoenix last message repeated 345 times
Oct 7 16:15:26 phoenix last message repeated 1135 times
Oct 7 16:15:33 phoenix last message repeated 8 times

So yes, we entered the ipfw code now, and executed only the instruction
before we "break". The curious thing is that the counter did not count
now with both:

00001 0 0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
00001 0 0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80

How can I move forth?
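The /var/log/messages excerpt above is syslogd output in which runs of identical kernel messages are collapsed into "last message repeated N times" lines, so how often each of the patch's debug markers fired, and which ones never fired at all, is not visible at a glance. The script below is an added example, not code from the thread: it folds the repeat lines back onto the message they refer to and lists the markers that never appeared; the sample log is the Oct 7 excerpt re-typed as constructed input in syslogd's layout.

```python
import re
from collections import Counter

# Constructed sample input: the /var/log/messages excerpt posted above,
# re-typed in syslogd's native layout (padded day, host, program prefix).
SAMPLE_LOG = """\
Oct  7 15:45:16 phoenix kernel: Entered 0: is_ip=1
Oct  7 15:45:16 phoenix kernel: ip_fw2.c Entered 1
Oct  7 15:45:16 phoenix kernel: Entered 0: is_ip=1
Oct  7 15:45:50 phoenix last message repeated 29 times
Oct  7 15:47:53 phoenix last message repeated 237 times
Oct  7 15:57:56 phoenix last message repeated 1029 times
Oct  7 16:02:51 phoenix last message repeated 655 times
Oct  7 16:02:51 phoenix kernel: ip_fw2.c Entered 1
Oct  7 16:02:51 phoenix kernel: Entered 0: is_ip=1
Oct  7 16:03:23 phoenix last message repeated 54 times
Oct  7 16:05:24 phoenix last message repeated 345 times
Oct  7 16:15:26 phoenix last message repeated 1135 times
Oct  7 16:15:33 phoenix last message repeated 8 times
"""

# The markers the debugging patch emits with log(LOG_NOTICE, ...), each
# mapped to the code path it proves was reached (descriptions are ours).
DEBUG_MARKERS = {
    "Entered 0: is_ip=1": "if_bridge.c: ethertype switch saw an IP frame",
    "Entered 1": "if_bridge.c: bridge's ipfw call returned an mbuf",
    "Entered 2": "if_bridge.c: forward block entered (next_hop set)",
    "ip_fw2.c Entered 1": "ip_fw2.c: layer2 guard hit, fwd skipped",
    "ip_fw2.c Entered 2": "ip_fw2.c: layer2 guard passed, fwd taken",
}

# "Mon DD HH:MM:SS host rest-of-line"
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
PROG_RE = re.compile(r"^([^:\s]+): (.*)$")   # "kernel: message text"


def tally_kernel_messages(log_text):
    """Count every kernel message in a syslog excerpt, folding each
    'last message repeated N times' line into the message before it.
    Returns a Counter keyed by message text."""
    counts = Counter()
    last_key = None          # message that a following repeat line refers to
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue         # blank or non-syslog line: ignore
        _host, rest = m.groups()
        rep = REPEAT_RE.match(rest)
        if rep:
            if last_key is not None:
                counts[last_key] += int(rep.group(1))
            continue
        pm = PROG_RE.match(rest)
        if pm is None or pm.group(1) != "kernel":
            last_key = None  # a repeat after this line is not a kernel message
            continue
        msg = pm.group(2)
        counts[msg] += 1
        last_key = msg
    return counts


def silent_markers(counts, markers=DEBUG_MARKERS):
    """Markers that never appeared, in definition order: the code paths the
    frames never executed."""
    return [mk for mk in markers if counts.get(mk, 0) == 0]


def report(log_text):
    """One line per marker: hit count, marker text, what reaching it means."""
    counts = tally_kernel_messages(log_text)
    return "\n".join(
        f"{counts.get(mk, 0):6d}  {mk:20s} {meaning}"
        for mk, meaning in DEBUG_MARKERS.items()
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("never reached:", silent_markers(tally_kernel_messages(SAMPLE_LOG)))
```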
-- 
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 8 15:55:56 2010
References: <4CAA1E7B.1020107@freebsd.org> <4CAA45CC.8020304@freebsd.org> <4CAB8B35.7020703@freebsd.org> <4CACE7DE.9020106@freebsd.org>
Date: Fri, 8 Oct 2010 18:55:49 +0300
From: Eduardo Meyer
To: Julian Elischer, ipfw@freebsd.org, Adrian Chadd, Luiz Otavio O Souza, Patrick Tracanelli
Subject: Re: layer2 ipfw 'fwd' support

On Thu, Oct 7, 2010 at 10:23 PM, Eduardo Meyer wrote:
> On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer wrote:
>> On 10/6/10 12:06 PM, Eduardo Meyer wrote:
>>>
>>> On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischer wrote:
>>>>
>>>> On 10/5/10 12:56 PM, Eduardo Meyer wrote:
>>>>>
>>>>> On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer wrote:
>>>>>>
>>>>>> On 10/4/10 12:18 PM, Eduardo Meyer wrote:
>>>>>>>
>>>>>>> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer wrote:
>>>>>>>>
>>>>>>>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>>>>>>>>
>>>>>>>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch wrote:
>>>>>>>>>>
>>>>>>>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> In the past I have used this patch by Luigi Rizzo, which helped me
>>>>>>>>>>> well.
>>>>>>>>>>>
>>>>>>>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>>>>>>>
>>>>>>>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>>>>>>>> find out what has replaced mt_tag.
>>>>>>>>>>> Also on ip_input.c we dirty-hacked the following piece of code:
>>>>>>>>>>>
>>>>>>>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>>>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>>>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>>>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>>>>>>>         }
>>>>>>>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>>>>>>>                 /*
>>>>>>>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>>>>>>>                  * packets originally destined to us to some other directly
>>>>>>>>>>>                  * connected host.
>>>>>>>>>>>                  */
>>>>>>>>>>>                 ip_forward(m, dchg);
>>>>>>>>>>>                 return;
>>>>>>>>>>>         }
>>>>>>>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>>>>>>>
>>>>>>>>>>> And this is something we are not sure is correct.
>>>>>>>>>>>
>>>>>>>>>>> So my very obvious question is:
>>>>>>>>>>>
>>>>>>>>>>> Does anyone have a recent version of this patch to share?
>>>>>>>>>>>
>>>>>>>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>>>>>>>
>>>>>>>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>>>>>>>> to is still required? Can you provide more detail about your
>>>>>>>>>> particular application?
>>>>>>>>>>
>>>>>>>>>> -Brandon
>>>>>>>>>
>>>>>>>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>>>>>>>
>>>>>>>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>>>>>>>> fork).
>>>>>>>>>
>>>>>>>>> Thank you for your interest.
>>>>>>>>
>>>>>>>> Cisco/Ironport have a patch that does this..
>>>>>>>> I had permission to bring it back when I worked there but never got it
>>>>>>>> committed.
>>>>>>>>
>>>>>>>> Adrian, was it part of the set I gave you?
>>>>>>>
>>>>>>> Hello Elischer,
>>>>>>>
>>>>>>> Was this made public?
>>>>>>>
>>>>>>> I hope Chadd has some good news. In fact I tend to use it with Lusca in
>>>>>>> tproxy mode. I bet this is the only missing piece of software.
>>>>>>>
>>>>>> I just dug up my old changes.
>>>>>> do you want to fwd from a bridge? or what?
>>>>>> (it makes a difference what patches are needed)
>>>>>>
>>>>>> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
>>>>>> may help..
>>>>>>
>>>>>> Here are parts of it that may be relevant:
>>>>>> these are old (2007 I think) but may be of use still.
>>>>>>
>>>>>> adrian had the full set at
>>>>>>
>>>>>> ==quote adrian=====
>>>>>>  The stuff is in p4 now, but I haven't tested it out at all.
>>>>>>
>>>>>>     //depo/projects/adrian_spoof_clientip/   I -think-.
>>>>>> == end quote===
>>>>>>
>>>>>> Index: net/if_bridge.c
>>>>>> ===================================================================
>>>>>> RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
>>>>>> retrieving revision 1.107
>>>>>> diff -u -r1.107 if_bridge.c
>>>>>> --- net/if_bridge.c     6 Nov 2007 23:01:42 -0000       1.107
>>>>>> +++ net/if_bridge.c     28 Nov 2007 06:59:10 -0000
>>>>>> @@ -2908,6 +2908,11 @@ >>>>>> =A0 =A0 =A0 =A0struct ip *ip; >>>>>> =A0 =A0 =A0 =A0struct llc llc1; >>>>>> =A0 =A0 =A0 =A0u_int16_t ether_type; >>>>>> + =A0 =A0 =A0 int =A0 =A0 is_ip =3D 0; >>>>>> +#ifdef IPFIREWALL_FORWARD >>>>>> + =A0 =A0 =A0 struct m_tag *fwd_tag; >>>>>> +#endif >>>>>> + >>>>>> >>>>>> =A0 =A0 =A0 =A0snap =3D 0; >>>>>> =A0 =A0 =A0 =A0error =3D -1; =A0 =A0 /* Default error if not error = =3D=3D 0 */ >>>>>> @@ -2967,6 +2972,7 @@ >>>>>> =A0#ifdef INET6 >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0case ETHERTYPE_IPV6: >>>>>> =A0#endif /* INET6 */ >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 is_ip =3D 1; >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0default: >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* 
>>>>>> @@ -3024,6 +3030,30 @@ >>>>>> >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (*mp =3D=3D NULL) >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return (error); >>>>>> + >>>>>> +#ifdef IPFIREWALL_FORWARD >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0/* >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 * Did the firewall want to forward it = somewhere? >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 * If so, let the ip stack handle it. >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0if (i =3D=3D 0&& =A0 =A0 =A0args.next_h= op !=3D NULL&& >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 is_ip /*&& =A0 =A0 =A0= src !=3D NULL */) { >>>>>> + >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0fwd_tag =3D m_tag_get(P= ACKET_TAG_IPFORWARD, >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0sizeof(struct sockaddr_in), >>>>>> M_NOWAIT); >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (fwd_tag =3D=3D NULL= ) >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto dr= op; >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0bcopy(args.next_hop, (f= wd_tag+1), >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 sizeof= (struct sockaddr_in)); >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m_tag_prepend(*mp, fwd_= tag); >>>>>> + >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (in_localip(args.nex= t_hop->sin_addr)) >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(*mp)->= m_flags |=3D M_FASTFWD_OURS; >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ether_demux(src, *mp); >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return (NULL); >>>>>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0} >>>>>> +#endif >>>>>> + >>>>>> >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (DUMMYNET_LOADED&& =A0 =A0 =A0(i = =3D=3D IP_FW_DUMMYNET)) { >>>>>> >>>>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>>>>> Index: netinet/ip_fw2.c >>>>>> 
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>>>>> RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v >>>>>> retrieving revision 1.178 >>>>>> diff -u -r1.178 ip_fw2.c >>>>>> --- netinet/ip_fw2.c =A0 =A028 Oct 2007 17:12:47 -0000 =A0 =A0 =A01.= 178 >>>>>> +++ netinet/ip_fw2.c =A0 =A028 Nov 2007 06:59:10 -0000 >>>>>> 
>>>>>> @@ -3446,8 +3507,10 @@ >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0case O_FORWARD_IP: { >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0struc= t sockaddr_in *sa; >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0sa = =3D&(((ipfw_insn_sa *)cmd)->sa); >>>>>> +#if 0 >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (a= rgs->eh) =A0 /* not valid on layer2 >>>>>> pkts >>>>>> */ >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0break; >>>>>> +#endif >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (!= q || dyn_dir =3D=3D MATCH_FORWARD) { >>>>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0if (sa->sin_addr.s_addr =3D=3D >>>>>> INADDR_ANY) { >>>>>> >>>>>> =A0bcopy(sa,&args->hopstore, >>>>>> >>>>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>>>>> Index: netinet/ip_output.c >>>>> >>>>> Dear Julian, >>>>> >>>>> Is anything missing from the above code? Say, like ip_output stuff? >>>>> >>>>> I have tried what you sent me, compiled fine but did not work. 
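Review bot: in the if_bridge.c hunk at @@ -3024,6 +3030,30 @@, `return (NULL)` right after `ether_demux(src, *mp)` is a zero return from an int function, so a caller that treats 0 as "continue" keeps using an mbuf that ether_demux now owns; return the non-zero `error` default set at the top of the function, or set `*mp = NULL` first. The same hunk reinjects the mbuf without putting the Ethernet header (and the LLC header when `snap` is set) back in front of it, which the later patch in this thread does with `M_PREPEND` before calling `ether_demux`, and `goto drop` needs a `drop` label that no hunk adds. The ip_fw2.c hunk at @@ -3446,8 +3507,10 @@ wraps the `if (args->eh) break;` guard in `#if 0` for every O_FORWARD_IP match, not only bridged IP packets, so the `is_ip` test in the bridge hunk becomes the only remaining layer-2 check.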
>>>>>
>>>>> Here is my only rule (I have tried both with and without layer2 on the
>>>>> rule):
>>>>>
>>>>> 00001        36        4338 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
>>>>> 65535 32842101 2107060460 allow ip from any to any
>>>>>
>>>>> Here are the sysctl tunables:
>>>>>
>>>>> net.link.bridge.ipfw: 1
>>>>> net.link.bridge.inherit_mac: 0
>>>>> net.link.bridge.log_stp: 0
>>>>> net.link.bridge.pfil_local_phys: 0
>>>>> net.link.bridge.pfil_member: 0
>>>>> net.link.bridge.pfil_bridge: 1
>>>>> net.link.bridge.ipfw_arp: 0
>>>>> net.link.bridge.pfil_onlyip: 0
>>>>> net.link.ether.inet.log_arp_permanent_modify: 1
>>>>> net.link.ether.inet.log_arp_movements: 1
>>>>> net.link.ether.inet.log_arp_wrong_iface: 1
>>>>> net.link.ether.inet.proxyall: 0
>>>>> net.link.ether.inet.useloopback: 1
>>>>> net.link.ether.inet.maxtries: 5
>>>>> net.link.ether.inet.max_age: 1200
>>>>> net.link.ether.ipfw: 1
>>>>>
>>>>> And my bridge:
>>>>>
>>>>> bridge0: flags=8843 metric 0 mtu 1500
>>>>>         ether 16:52:8e:91:2f:45
>>>>>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>>>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>>>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>>>         member: vr0 flags=143
>>>>>                 ifmaxaddr 0 port 5 priority 128 path cost 200000
>>>>>         member: sis0 flags=143
>>>>>                 ifmaxaddr 0 port 1 priority 128 path cost 200000
>>>>>
>>>>> The ipfw counter gets increased, but nothing hits Apache. Instead I
>>>>> go to the Internet directly.
>>>>>
>>>>> sis0 is on the Internet, vr0 is cross-over to the laptop (customer).
>>>>>
>>>>> How should I debug it?
>>>>>
>>>>>
>>>> basically I would suggest code inspection for a start..
>>>> >>>> look at where ipfw is called (just before where the patch went in) and >>>> follow the packet up into ipfw >>>> and back, =A0and read what it would do.. >>>> >>>> It's actually not a very hard path to follow. >>>> >>>> I'll try look at it after work.. >>> >>> Hello Julian / Adrian. >>> >>> Thank you for your attention. A friend added some log entries so we >>> could try to find out what gets run and what doesnt. >>> >>> Here is my current patch against RELENG_8: >>> >>> --- if_bridge.c.orig =A0 =A02010-09-11 22:02:36.000000000 +0000 >>> +++ if_bridge.c 2010-10-05 17:59:13.000000000 +0000 >>> @@ -2957,6 +2957,13 @@ >>> =A0 =A0 =A0 =A0 struct ip *ip; >>> =A0 =A0 =A0 =A0 struct llc llc1; >>> =A0 =A0 =A0 =A0 u_int16_t ether_type; >>> + =A0 =A0 =A0 int =A0 =A0 is_ip =3D 0; >>> +#ifdef IPFIREWALL_FORWARD >>> + =A0 =A0 =A0 struct m_tag *fwd_tag; >>> +#endif >>> + >>> + >>> + >>> >>> =A0 =A0 =A0 =A0 snap =3D 0; >>> =A0 =A0 =A0 =A0 error =3D -1; =A0 =A0 /* Default error if not error =3D= =3D 0 */ >>> @@ -3016,6 +3023,8 @@ >>> =A0#ifdef INET6 >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 case ETHERTYPE_IPV6: >>> =A0#endif /* INET6 */ >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 is_ip=3D1; >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 log(LOG_NOTICE, "Entered = 0: is_ip=3D%i\n",is_ip); >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 break; >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 default: >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* 
>>> @@ -3091,6 +3100,32 @@ >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (*mp =3D=3D NULL) >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 return (error); >>> >>> +#ifdef IPFIREWALL_FORWARD >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0/* >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 * Did the firewall want to forward it som= ewhere? >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 * If so, let the ip stack handle it. >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ >>> + =A0 =A0 =A0 =A0 =A0 =A0 log(LOG_NOTICE, "Entered 1"); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0if (i =3D=3D 0&& =A0 args.next_hop !=3D NU= LL&& >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 is_ip /*&& =A0 src !=3D N= ULL */) { >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 log(LOG_NOTICE, "Entered = 2"); >>> + >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0fwd_tag =3D m_tag_get(PACK= ET_TAG_IPFORWARD, >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0sizeof(struct sockaddr_in), >>> M_NOWAIT); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (fwd_tag =3D=3D NULL) >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto drop; >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0bcopy(args.next_hop, (fwd_= tag+1), >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 sizeof(st= ruct sockaddr_in)); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m_tag_prepend(*mp, fwd_tag= ); >>> + >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (in_localip(args.next_h= op->sin_addr)) >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(*mp)->m_f= lags |=3D M_FASTFWD_OURS; >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ether_demux(src, *mp); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return (NULL); >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0} >>> +#endif >>> + >>> + >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (ip_dn_io_ptr&& =A0(i =3D=3D IP_FW_D= UMMYNET)) { >>> >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* put the Ethernet hea= der back on */ >>> --- ../netinet/ipfw/ip_fw2.c.orig =A0 =A0 =A0 
2010-09-16 15:11:17.00000= 0000 >>> +0000 >>> +++ ../netinet/ipfw/ip_fw2.c =A0 =A02010-10-06 12:17:12.000000000 +0000 
>>> @@ -2059,8 +2059,14 @@ >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 break; >>> >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 case O_FORWARD_IP: >>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (args-= >eh) =A0 /* not valid on layer2 >>> pkts */ >>> +#if 0 >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* not va= lid on layer2 pkts */ >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (args-= >eh) { >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 log(LOG_NOTICE, "ip_fw2.c Entered >>> 1"); >>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 break; >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 } >>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 log(LOG_N= OTICE, "ip_fw2.c Entered 2"); >> >> these will never happen as they are in the #if 0 =A0section. >> >> the #if 0 is to REMOVE that code from being compiled. >> >> >>> +#endif > > Hello Julian, > > Thank you again for your feedback. I appreciate it very much. > > On my understanding this "if 0" was to really ignore this portion of > code, because as I understand what is does is to break (leave the > loop) if the packet is on layer2, and this is something we would not > want, but I guess I am wrong. 
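Review bot: the if_bridge.c hunk at @@ -3091,6 +3100,32 @@ puts the whole forward block, including the `"Entered 1"` and `"Entered 2"` log calls, under `#ifdef IPFIREWALL_FORWARD`, but nothing in this patch adds `#include "opt_ipfw.h"` to if_bridge.c, so the option is not visible there and the block compiles to nothing; that is consistent with the syslog output in this thread, which shows `Entered 0` and `ip_fw2.c Entered 1` but never `Entered 1` or `Entered 2`. Adding `#include "opt_ipfw.h"` beside the other opt_*.h includes is what the later patch in this thread does. Minor: `log(LOG_NOTICE, "Entered 1")` lacks the trailing `\n` the other log call has, and the per-frame log added in the ETHERTYPE switch at @@ -3016,6 +3023,8 @@ floods syslog, as the `last message repeated N times` lines show.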
>
> I tested now with your suggestion, and what we get is:
>
> Oct  7 15:45:16 phoenix kernel: Entered 0: is_ip=1
> Oct  7 15:45:16 phoenix kernel: ip_fw2.c Entered 1
> Oct  7 15:45:16 phoenix kernel: Entered 0: is_ip=1
> Oct  7 15:45:50 phoenix last message repeated 29 times
> Oct  7 15:47:53 phoenix last message repeated 237 times
> Oct  7 15:57:56 phoenix last message repeated 1029 times
> Oct  7 16:02:51 phoenix last message repeated 655 times
> Oct  7 16:02:51 phoenix kernel: ip_fw2.c Entered 1
> Oct  7 16:02:51 phoenix kernel: Entered 0: is_ip=1
> Oct  7 16:03:23 phoenix last message repeated 54 times
> Oct  7 16:05:24 phoenix last message repeated 345 times
> Oct  7 16:15:26 phoenix last message repeated 1135 times
> Oct  7 16:15:33 phoenix last message repeated 8 times
>
> So yes, we entered the ipfw code now, and executed only the instruction
> before we "break".
>
> The curious thing is that the counter did not count now with both:
>
> 00001     0       0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
> 00001     0       0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80
>
> How can I move forth?

Hello,

I am glad to tell you that someone helped me out and we made it work.

In fact two friends called Luiz Otavio (he has helped on IP_BINDANY before, on
lusca's tproxy support) and Patrick Tracanelli sorted out the missing piece of
code and showed up with this patch:

Index: netinet/ipfw/ip_fw2.c
===================================================================
--- netinet/ipfw/ip_fw2.c (revision 213573)
+++ netinet/ipfw/ip_fw2.c (working copy)
@@ -2059,8 +2059,10 @@ break; case O_FORWARD_IP: +#if 0 if (args->eh) /* not valid on layer2 pkts */ break; +#endif if (!q || dyn_dir =3D=3D MATCH_FORWARD) { struct sockaddr_in *sa; sa =3D &(((ipfw_insn_sa *)cmd)->sa); Index: net/if_bridge.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- net/if_bridge.c (revision 213573) +++ net/if_bridge.c (working copy) @@ -79,6 +79,7 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipfw.h" #include #include @@ -2951,14 +2952,18 @@ static int bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int d= ir) { - int snap, error, i, hlen; + int snap, error, i, is_ip, hlen; struct ether_header *eh1, eh2; struct ip_fw_args args; struct ip *ip; struct llc llc1; u_int16_t ether_type; +#ifdef IPFIREWALL_FORWARD + struct m_tag *fwd_tag; +#endif snap =3D 0; + is_ip =3D 0; error =3D -1; /* Default error if not error =3D=3D 0 */ #if 0 @@ -3016,6 +3021,7 @@ #ifdef INET6 case ETHERTYPE_IPV6: #endif /* INET6 */ + is_ip =3D 1; break; default: /* 
@@ -3091,6 +3097,46 @@ if (*mp =3D=3D NULL) return (error); +#ifdef IPFIREWALL_FORWARD + /* + * Did the firewall want to forward it somewhere? + * If so, let the ip stack handle it. + */ + if (i =3D=3D 0 && args.next_hop !=3D NULL && is_ip) { + + fwd_tag =3D m_tag_get(PACKET_TAG_IPFORWARD, + sizeof(struct sockaddr_in), M_NOWAIT); + if (fwd_tag =3D=3D NULL) + return (error); + bcopy(args.next_hop, (fwd_tag+1), + sizeof(struct sockaddr_in)); + m_tag_prepend(*mp, fwd_tag); + + if (in_localip(args.next_hop->sin_addr)) + (*mp)->m_flags |=3D M_FASTFWD_OURS; + + /* + * Put everything back the way it was and reinject the + * packet. + */ + if (snap) { + M_PREPEND(*mp, sizeof(struct llc), M_DONTWAIT); + if (*mp =3D=3D NULL) + return (error); + bcopy(&llc1, mtod(*mp, caddr_t), + sizeof(struct llc)); + } + + M_PREPEND(*mp, ETHER_HDR_LEN, M_DONTWAIT); + if (*mp =3D=3D NULL) + return (error); + bcopy(&eh2, mtod(*mp, caddr_t), ETHER_HDR_LEN); + + ether_demux(ifp, *mp); + return (error); + } +#endif + if (ip_dn_io_ptr && (i =3D=3D IP_FW_DUMMYNET)) { /* put the Ethernet header back on */

Luiz has added it to: http://loos.no-ip.org:280/lusca_bridge.diff

I have tested and it works pretty well.

I hope someone can add it to -HEAD, so we won't lose it again. With time, ipfw
code changes and such great patches like Rizzo's and Julian's stop working one
day. It's bad we miss such great functionality.

Thank you again everyone involved.

Adrian / Luiz / Julian,

With this patch fwd does its job on L2, ordinary proxy works like a charm. But
TPROXY won't work. It would be perfect to have both features together. If you
can suggest any further tests or changes I will be pleased to test.

Thanks.
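Review bot: in the if_bridge.c hunk at @@ -3091,6 +3097,46 @@ the forward block runs whenever `is_ip` is set, and the hunk at @@ -3016,6 +3021,7 @@ sets `is_ip = 1` for `ETHERTYPE_IPV6` too (the INET6 case falls through to it), while the tag payload is a `struct sockaddr_in` copied from `args.next_hop`; either gate the block on the IPv4 ethertype or state that an IPv6 frame matching a fwd rule would carry an IPv4 hop in its tag. After `ether_demux(ifp, *mp)` the mbuf belongs to the IP stack and the function returns `error`, still the -1 default from @@ -2951,14 +2952,18 @@; setting `*mp = NULL` before that return makes the hand-off explicit instead of relying on every caller to stop on a non-zero status. The `#include "opt_ipfw.h"` added at @@ -79,6 +79,7 @@ is what makes `IPFIREWALL_FORWARD` visible to if_bridge.c, which deserves a line in the commit message since the earlier if_bridge.c patches in this thread lacked it. The ip_fw2.c hunk at @@ -2059,8 +2059,10 @@ drops the `args->eh` guard for every O_FORWARD_IP match, not only bridged frames, so any other layer-2 caller of ipfw now gets `next_hop` set as well and needs to be checked for how it handles that.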
From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 8 18:02:03 2010
Date: Fri, 8 Oct 2010 13:02:01 -0500
From: Brandon Gooch
To: Eduardo Meyer
Cc: Patrick Tracanelli, Luiz Otavio O Souza, ipfw@freebsd.org, Julian Elischer, Adrian Chadd
Subject: Re: layer2 ipfw 'fwd' support

On Fri, Oct 8, 2010 at 10:55 AM, Eduardo Meyer wrote:
> On Thu, Oct 7, 2010 at 10:23 PM, Eduardo Meyer wrote:

[SNIP]

> Luiz has added it to: http://loos.no-ip.org:280/lusca_bridge.diff
>
> I have tested and it works pretty well.
>
> I hope someone can add it to -HEAD, so we won't lose it again. With
> time, ipfw code changes and such great patches like Rizzo's and
> Julian's stop working one day. It's bad we miss such great
> functionality.

Sounds like a reasonable request. I hope it is considered.

> Thank you again everyone involved.

Thanks goes to you for your persistence in getting this working.

> Adrian / Luiz / Julian,
>
> With this patch fwd does its job on L2, ordinary proxy works like a
> charm. But TPROXY won't work. It would be perfect to have both
> features together. If you can suggest any further tests or changes I
> will be pleased to test.

To be clear, are we getting to the point of having the capability in
ipfw of doing something like this in pf:

...
pass in quick on $INT_IF route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
...

...thus allowing true, transparent proxying?

I really thought that this was possible already with ipfw :(

I need to do some more reading...

I would be very interested in obtaining details on your final setup,
once everything is in place and fully functioning :)

-Brandon