Date:      Thu, 27 Dec 2001 01:27:10 -0800 (PST)
From:      Julian Elischer <julian@elischer.org>
To:        Henry Su <henrysu@nttmcl.com>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   RE: socket call in the kernel
Message-ID:  <Pine.BSF.4.21.0112270120520.85465-100000@InterJet.elischer.org>
In-Reply-To: <Pine.BSI.4.05L.10112270057590.20316-100000@alicia.nttmcl.com>



On Thu, 27 Dec 2001, Henry Su wrote:

> Yes, it works:
> 
> [00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 12334
> 
> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18  PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
> 
> 
> Connection closed by foreign host.
> 
> 
> I found the problem is that the ipfw forwarding does not change the dst ip
> address, so that my redirection socket server can not read these
> fwd packets (since the dst ip is not correct). The solution could be to change
> ip_fw.c to modify the dst ip address for the forwarded packet, but I do
> not know how to do it. It has next_hop for fwd. I do not know how to do
> packet manipulation in ip_fw.c's chk func.

You don't need to change the dest addr in the proxy server;
that's what fwd does: it FORCES the local socket to accept a packet to a
foreign address. (Believe it or not.)

I have a small patch that may help, 
but first, please draw your setup...
which rules do you have on which machines?

I've done this many times;
if it's not working, it's because I do not understand your network
correctly.

If, on the server, you telnet to port 80 of the address in the
forward rule in the ipfw list on your server
(you need to have rules on both machines, obviously),
you should see your telnet redirected to port 8800 of the local machine,
even if the address in the rule set is not a local address.

please draw your network and I will give you a set of rules that work.

julian

> 
> Thanks a lot.
> 
> 
> 
> **************
> Henry Su     *
> NTT MCL      *
> **************
> 
> On Wed, 26 Dec 2001, Julian Elischer wrote:
> 
> > 
> > 
> > is your server binding to 216.115.102.75?
> > if you telnet to 127.0.0.1 does it work?
> > 
> > 
> > On Wed, 26 Dec 2001, Henry Su wrote:
> > 
> > > Thanks a lot for your help.
> > > 
> > > I added "log" to the rule; here's the log info. It seems it does forward or
> > > divert to localhost at port 8800.
> > > 
> > > [18:10:13][root@test2:/var/log]$ tail -f security
> > > Dec 26 17:50:34 test2 last message repeated 2 times
> > > Dec 26 17:51:34 test2 last message repeated 6 times
> > > Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > > 216.69.69.248:1037 216.115.102.75:80 in via dc2
> > > Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534
> > > Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > > 216.69.69.248:1041 216.115.102.81:80 in via dc2
> > > Dec 26 17:59:55 test2 last message repeated 7 times
> > > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > > 216.69.69.248:1041 216.115.102.81:80 in via dc2
> > > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > > 216.69.69.248:1042 216.115.102.77:80 in via dc2
> > > Dec 26 18:00:45 test2 /kernel: ipfw: limit 10 reached on entry 65534
> > > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > > 216.69.69.248:1048 216.115.102.82:80 in via dc2
> > > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > > 216.69.69.248:1048 216.115.102.82:80 in via dc2
> > > Dec 26 18:12:14 test2 last message repeated 7 times
> > > Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > > 216.69.69.248:1049 216.115.102.79:80 in via dc2
> > > Dec 26 18:13:10 test2 last message repeated 7 times
> > > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > > 216.69.69.248:1049 216.115.102.79:80 in via dc2
> > > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > > 216.69.69.248:1050 216.115.102.77:80 in via dc2
> > > 
> > > 
> > > But my redirection server at port 8800 did not receive these packets somehow. I
> > > tried a telnet to the server at port 8800; it works very well.
> > > 
> > > [18:16:00][henrysu@test1:~]$ telnet 216.69.69.254 8800
> > > Trying 216.69.69.254...
> > > Connected to dhcp254.nttmcl.com.
> > > Escape character is '^]'.
> > > 1234
> > > 
> > > HTTP/1.1 302 Moved
> > > Date: Wed, 26 Dec 2001 18:15:11  PST
> > > Location: https://216.69.69.254/cgi-bin/login
> > > 0
> > > 
> > > 
> > > Connection closed by foreign host.
> > > 
> > > 
> > > Do you have any clue why the packet can not be received at port 8800?
> > > 
> > > 
> > > Thanks.
> > > 
> > > -----Original Message-----
> > > From: owner-freebsd-net@FreeBSD.ORG
> > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer
> > > Sent: Wednesday, December 26, 2001 4:08 PM
> > > To: Henry Su
> > > Cc: freebsd-net@FreeBSD.ORG
> > > Subject: RE: socket call in the kernel
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > On Wed, 26 Dec 2001, Henry Su wrote:
> > > 
> > > > I tried your answer 1. It did not succeed.
> > > >
> > > > I have a rule to do forwarding:
> > > >
> > > > 65534    0      0 fwd 127.0.0.1,8800 tcp from any to any 80
> > > >
> > > > and I have a server listening on port 8800 at localhost.
> > > >
> > > > I also modified the ip_fw.c to log forwarded packets:
> > > >
> > > > Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414
> > > > src_ip:-62569000 dst_port:80 dst_ip:1298559960
> > > > Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414
> > > > src_ip:-62569000 dst_port:80 dst_ip:1298559960
> > > 
Why not just add a log entry to the rule?
Also, your rule should be a lot more specific about where the packets
should be coming from,
> > > 
> > > e.g. recv in fxp0
> > > (or similar)
> > > 
> > > what do you get if you telnet to 80 and telnet to 8800?
> > > they should act the same.
> > > 
> > > ipfw add 65534 fwd 127.0.0.1,8800 log from any to me 80 in recv fxp0
> > > 
> > > 
> > > 
> > > >
> > > >
> > > > My redirect server on port 8800 works perfectly; I tried telnet, http etc. on
> > > > 8800, it all works. I run my server @ port 8800 in debug mode; it did not
> > > > receive forwarded packets from ipfirewall.
> > > 
> > > how are you forwarding the packet?
> > > 
> > > >
> > > > I am running 4.5 prerelease with ipfw and bridge; the bridge code had a
> > > > problem earlier, which I manually fixed according to the message from the group.
> > > >
> > > > Thanks.
> > > >
> > > > -----Original Message-----
> > > > From: owner-freebsd-net@FreeBSD.ORG
> > > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer
> > > > Sent: Thursday, December 20, 2001 3:08 PM
> > > > To: Henry Su
> > > > Cc: freebsd-net@FreeBSD.ORG
> > > > Subject: RE: socket call in the kernel
> > > >
> > > >
> > > >
> > > >
> > > > I have two answers:
> > > >
> > > > 1/  Use ipfw add NNN fwd localhost,8001 [deny criteria]
> > > >    to make the packet that is denied go to a default server listening on
> > > > port 8001
> > > >
> > > > 2/ there is an in-kernel webserver built using netgraph but it's not
> > > > public, but you can definitely use the 'ksocket' node to open 'in kernel'
> > > > sockets and pass the result to an arbitrary node.
> > > >
> > > >
> > > > 1 can do what you want with no kernel programming.
> > > > Check it out:
> > > >
> > > > man ipfw
> > > >
> > > >
> > > > On Thu, 20 Dec 2001, Henry Su wrote:
> > > >
> > > > > Thanks, Julian and Alfred.
> > > > >
> > > > > I am trying to redirect the denied HTTP request to a default web site. So my
> > > > > idea is, in the "ip_fw_chk" function of ip_fw.c, to add the following code where it
> > > > > will drop the packet. But as you pointed out in an earlier email, socket can
> > > > > not be used in this case. Do you have any other solutions? Thanks a lot.
> > > > >
> > > > >
> > > > >
> > > > >          * Finally, drop the packet.
> > > > >          */
> > > > >
> > > > >
> > > > >         /* my code start debug */
> > > > >         /* find if it's a http packet */
> > > > >         dst_port_h = ntohs(dst_port);
> > > > >         if(dst_port_h==80){
> > > > >                 log(LOG_INFO,"src_port:%u  src_ip:%d dst_port:%d dst_ip:%u",
> > > > >                     ntohs(src_port), src_ip.s_addr, ntohs(dst_port), dst_ip.s_addr);
> > > > >                 /*s = 1;*/
> > > > >                 s = socket(AF_INET, SOCK_STREAM, 0);
> > > > >                 if (s < 0) {
> > > > >                         log(LOG_INFO,"Redirect socket can not be created");
> > > > >                 }else{
> > > > >                         log(LOG_INFO,"Redirect socket is created");
> > > > >                         /*
> > > > >                         bzero(&sa, sizeof sa);
> > > > >                         sa.sin_family = AF_INET;
> > > > >                         sa.sin_port = src_port;
> > > > >                         sa.sin_addr.s_addr = src_ip.s_addr;
> > > > >                         if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
> > > > >                                 log(LOG_INFO,"connect %d failed", src_ip.s_addr);
> > > > >                                 close(s);
> > > > >                         }else{
> > > > >                                 log(LOG_INFO,"connect %d ok", src_ip.s_addr);
> > > > >                                 close(s);
> > > > >                         }
> > > > >                         */
> > > > >                         /*
> > > > >                         while ((bytes = read(s, buffer, BUFSIZ)) > 0)
> > > > >                                 write(1, buffer, bytes);
> > > > >                         */
> > > > >                 }
> > > > >         }
> > > > >         /* end debug */
> > > > >         return(IP_FW_PORT_DENY_FLAG);
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Julian Elischer [mailto:julian@elischer.org]
> > > > > Sent: Thursday, December 20, 2001 12:59 PM
> > > > > To: Henry Su
> > > > > Cc: freebsd-net@FreeBSD.ORG
> > > > > Subject: Re: socket call in the kernel
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > You cannot do a socket directly, but you can indirectly.
> > > > > Tell me what you are trying to do and I can help.
> > > > >
> > > > >
> > > > >
> > > > > On Thu, 20 Dec 2001, Henry Su wrote:
> > > > >
> > > > > > I am trying to modify ip_fw.c in /usr/src/sys/netinet. I tried to add a
> > > > > > socket call in the code; it can be compiled, but when it runs into the code,
> > > > > > it just crashed. It gave me the "Fatal trap error 12", memory address is
> > > > > > wrong.
> > > > > >
> > > > > > Can anyone tell me if a socket call can be used at kernel level? If not,
> > > > > > how can I accomplish socket communication at the kernel level?
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > > > ------------------------------------------------
> > > > > >
> > > > > > Henry Su
> > > > > >
> > > > > > NTT Multimedia Communications Laboratories, Inc.
> > > > > >
> > > > > > 250 Cambridge Avenue Suite 300
> > > > > >
> > > > > > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > > > > >
> > > > > > Tel: +1 650 833 3652
> > > > > >
> > > > > > Fax: +1 650 326 1878
> > > > > >
> > > > > > http://www.nttmcl.com/
> > > > > >
> > > > > >
> > > > > >
> > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > > > with "unsubscribe freebsd-net" in the body of the message
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > 
> 
> 
> 


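As an added example (not code from this thread, from Henry Su's server or from FreeBSD), here is a minimal user-space version of the kind of "redirection server" the thread is about, sitting behind a rule like `ipfw add 65534 fwd 127.0.0.1,8800 log tcp from any to any 80 in recv dc2`. It rests on the point Julian makes above: fwd does not rewrite the destination address, it hands the packet to the local socket as-is, so the accepted socket still carries the address the client actually asked for, and getsockname(2) returns it. The listen port 8800, the interface dc2 and the login URL are taken from the thread's logs; the function names, the response layout and the log format are assumptions. The Location header is a fixed server-side constant, never copied from anything in the request, so the portal cannot be turned into an open redirect or have headers injected through it.

```c
/*
 * Added example: user-space redirect server behind an ipfw fwd rule.
 * Not from the thread or FreeBSD; port, interface and URL are taken from
 * the thread's logs, everything else is an assumption for illustration.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LISTEN_PORT 8800
#define LOGIN_URL   "https://216.69.69.254/cgi-bin/login"

/* Format a minimal 302 response. location is a server-side constant, never
 * request data, so no client-controlled bytes reach the header block.
 * Returns bytes written, or -1 if buf is too small. */
int build_redirect(const char *location, char *buf, size_t len)
{
    int n = snprintf(buf, len,
                     "HTTP/1.1 302 Moved\r\n"
                     "Location: %s\r\n"
                     "Connection: close\r\n"
                     "Content-Length: 0\r\n"
                     "\r\n", location);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Render an IPv4 socket address as "a.b.c.d:port". Used for both the peer
 * and the original destination that getsockname() reports on a forwarded
 * connection. Returns bytes written or -1. */
int format_addr(const struct sockaddr_in *sin, char *out, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof ip) == NULL)
        return -1;
    int n = snprintf(out, len, "%s:%u", ip, (unsigned)ntohs(sin->sin_port));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Accept one forwarded connection, log where it was really going, reply. */
static void serve_one(int lfd)
{
    struct sockaddr_in peer, orig;
    socklen_t plen = sizeof peer, olen = sizeof orig;
    char from[64], to[64], resp[256];

    int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (cfd < 0)
        return;
    /* Because fwd leaves ip_dst untouched, this is the address the client
     * connected to (e.g. 216.115.102.75:80), not 127.0.0.1:8800. */
    if (getsockname(cfd, (struct sockaddr *)&orig, &olen) == 0 &&
        format_addr(&peer, from, sizeof from) > 0 &&
        format_addr(&orig, to, sizeof to) > 0)
        fprintf(stderr, "redirect %s -> %s to %s\n", from, to, LOGIN_URL);

    int n = build_redirect(LOGIN_URL, resp, sizeof resp);
    if (n > 0)
        (void)write(cfd, resp, (size_t)n);
    close(cfd);
}

int main(void)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in me = { .sin_family = AF_INET,
                              .sin_port = htons(LISTEN_PORT),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int one = 1;
    if (lfd < 0)
        return 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(lfd, (struct sockaddr *)&me, sizeof me) < 0 || listen(lfd, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;)
        serve_one(lfd);
}
```

Run it on the box that holds the fwd rule; a telnet to port 80 of any address arriving on that interface should get the 302 back, and the log line should name the address the client typed rather than 127.0.0.1:8800. None of this needs kernel code, which is where the thread ends up.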




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0112270120520.85465-100000>