Date:      Fri, 8 Oct 2010 18:55:49 +0300
From:      Eduardo Meyer <dudu.meyer@gmail.com>
To:        Julian Elischer <julian@freebsd.org>, ipfw@freebsd.org,  Adrian Chadd <adrian@ucc.gu.uwa.edu.au>, Luiz Otavio O Souza <lists.br@gmail.com>,  Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
Subject:   Re: layer2 ipfw 'fwd' support
Message-ID:  <AANLkTi=syThdw-++KAbVdJLGrh2JEFUJi5ztKs9cxWFE@mail.gmail.com>
In-Reply-To: <AANLkTik2KEYACzjfTS+XpB3OiaJL-uYckbLbf2C0DWaS@mail.gmail.com>
References:  <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com> <AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com> <AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com> <4CAA1E7B.1020107@freebsd.org> <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq+@mail.gmail.com> <4CAA45CC.8020304@freebsd.org> <AANLkTikAd_fke1HfMgRy3h4fXpo7_DcX3E4+Tu__3my8@mail.gmail.com> <4CAB8B35.7020703@freebsd.org> <AANLkTi=hoe+CaV6+byagXYwzDRAHqCseh-M_44OxEeJO@mail.gmail.com> <4CACE7DE.9020106@freebsd.org> <AANLkTik2KEYACzjfTS+XpB3OiaJL-uYckbLbf2C0DWaS@mail.gmail.com>

On Thu, Oct 7, 2010 at 10:23 PM, Eduardo Meyer <dudu.meyer@gmail.com> wrote:
> On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer <julian@freebsd.org> wrote:
>> On 10/6/10 12:06 PM, Eduardo Meyer wrote:
>>>
>>> On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>>
>>>> On 10/5/10 12:56 PM, Eduardo Meyer wrote:
>>>>>
>>>>> On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>>>>
>>>>>> On 10/4/10 12:18 PM, Eduardo Meyer wrote:
>>>>>>>
>>>>>>> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>>>>>>
>>>>>>>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>>>>>>>>
>>>>>>>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch <jamesbrandongooch@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer <dudu.meyer@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>>>>>>>>>
>>>>>>>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>>>>>>>
>>>>>>>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>>>>>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>>>>>>>>> the following piece of code:
>>>>>>>>>>>
>>>>>>>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>>>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>>>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>>>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>>>>>>>         }
>>>>>>>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>>>>>>>                 /*
>>>>>>>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>>>>>>>                  * packets originally destined to us to some other directly
>>>>>>>>>>>                  * connected host.
>>>>>>>>>>>                  */
>>>>>>>>>>>                 ip_forward(m, dchg);
>>>>>>>>>>>                 return;
>>>>>>>>>>>         }
>>>>>>>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>>>>>>>
>>>>>>>>>>> And this is something we are not sure if it's correct.
>>>>>>>>>>>
>>>>>>>>>>> So my very obvious question is:
>>>>>>>>>>>
>>>>>>>>>>> Does anyone have a recent version of this patch to share?
>>>>>>>>>>>
>>>>>>>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>>>>>>>
>>>>>>>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>>>>>>>> to is still required? Can you provide more detail about your
>>>>>>>>>> particular application?
>>>>>>>>>>
>>>>>>>>>> -Brandon
>>>>>>>>>
>>>>>>>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>>>>>>>
>>>>>>>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>>>>>>>> fork).
>>>>>>>>>
>>>>>>>>> Thank you for your interest.
>>>>>>>>
>>>>>>>> Cisco/Ironport have a patch that does this..
>>>>>>>> I had permission to bring it back when I worked there but never got it
>>>>>>>> committed.
>>>>>>>>
>>>>>>>> Adrian, was it part of the set I gave you?
>>>>>>>
>>>>>>> Hello Elischer,
>>>>>>>
>>>>>>> Was this made public?
>>>>>>>
>>>>>>> I hope Chadd has some good news. In fact I tend to use with Lusca in
>>>>>>> tproxy mode. I bet this is the only missing piece of software.
>>>>>>>
>>>>>> I just dug up my old changes.
>>>>>> do you want to fwd from a bridge? or what?
>>>>>> (it makes a difference what patches are needed)
>>>>>>
>>>>>> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
>>>>>> may help..
>>>>>>
>>>>>> Here are parts of it that may be relevant:
>>>>>> these are old (2007 I think) but may be of use still.
>>>>>>
>>>>>> adrian had the full set at
>>>>>>
>>>>>> ==quote adrian=====
>>>>>>  The stuff is in p4 now, but I haven't tested it out at all.
>>>>>>
>>>>>>     //depo/projects/adrian_spoof_clientip/   I -think-.
>>>>>> == end quote===
>>>>>>
>>>>>> Index: net/if_bridge.c
>>>>>> ===================================================================
>>>>>> RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
>>>>>> retrieving revision 1.107
>>>>>> diff -u -r1.107 if_bridge.c
>>>>>> --- net/if_bridge.c     6 Nov 2007 23:01:42 -0000       1.107
>>>>>> +++ net/if_bridge.c     28 Nov 2007 06:59:10 -0000
>>>>>> @@ -2908,6 +2908,11 @@
>>>>>>         struct ip *ip;
>>>>>>         struct llc llc1;
>>>>>>         u_int16_t ether_type;
>>>>>> +       int     is_ip = 0;
>>>>>> +#ifdef IPFIREWALL_FORWARD
>>>>>> +       struct m_tag *fwd_tag;
>>>>>> +#endif
>>>>>> +
>>>>>>
>>>>>>         snap = 0;
>>>>>>         error = -1;     /* Default error if not error == 0 */
>>>>>> @@ -2967,6 +2972,7 @@
>>>>>>  #ifdef INET6
>>>>>>                 case ETHERTYPE_IPV6:
>>>>>>  #endif /* INET6 */
>>>>>> +                       is_ip = 1;
>>>>>>                         break;
>>>>>>                 default:
>>>>>>                         /*
>>>>>> @@ -3024,6 +3030,30 @@
>>>>>>
>>>>>>                 if (*mp == NULL)
>>>>>>                         return (error);
>>>>>> +
>>>>>> +#ifdef IPFIREWALL_FORWARD
>>>>>> +              /*
>>>>>> +               * Did the firewall want to forward it somewhere?
>>>>>> +               * If so, let the ip stack handle it.
>>>>>> +               */
>>>>>> +              if (i == 0 && args.next_hop != NULL &&
>>>>>> +                          is_ip /*&& src != NULL */) {
>>>>>> +
>>>>>> +                      fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
>>>>>> +                                          sizeof(struct sockaddr_in), M_NOWAIT);
>>>>>> +                      if (fwd_tag == NULL)
>>>>>> +                              goto drop;
>>>>>> +                      bcopy(args.next_hop, (fwd_tag+1),
>>>>>> +                          sizeof(struct sockaddr_in));
>>>>>> +                      m_tag_prepend(*mp, fwd_tag);
>>>>>> +
>>>>>> +                      if (in_localip(args.next_hop->sin_addr))
>>>>>> +                              (*mp)->m_flags |= M_FASTFWD_OURS;
>>>>>> +                      ether_demux(src, *mp);
>>>>>> +                      return (NULL);
>>>>>> +              }
>>>>>> +#endif
>>>>>> +
>>>>>>
>>>>>>                 if (DUMMYNET_LOADED && (i == IP_FW_DUMMYNET)) {
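Review bot: `return (NULL);` at the end of the new block does not match the function's return type; the existing exit right above it is `return (error);`, so this should return an int as well. `goto drop;` jumps to a label that is not visible in this hunk, and both problems would go unnoticed as long as IPFIREWALL_FORWARD is not defined for this file, so please confirm the block has actually been compiled with the option on. Also, the `src != NULL` test has been commented out of the condition while `src` is passed straight to ether_demux(); either keep the check or say in the comment why src cannot be NULL on this path.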
>>>>>>
>>>>>> ==================
>>>>>> Index: netinet/ip_fw2.c
>>>>>> ===================================================================
>>>>>> RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
>>>>>> retrieving revision 1.178
>>>>>> diff -u -r1.178 ip_fw2.c
>>>>>> --- netinet/ip_fw2.c    28 Oct 2007 17:12:47 -0000      1.178
>>>>>> +++ netinet/ip_fw2.c    28 Nov 2007 06:59:10 -0000
>>>>>>
>>>>>> @@ -3446,8 +3507,10 @@
>>>>>>                         case O_FORWARD_IP: {
>>>>>>                                 struct sockaddr_in *sa;
>>>>>>                                 sa = &(((ipfw_insn_sa *)cmd)->sa);
>>>>>> +#if 0
>>>>>>                                 if (args->eh)   /* not valid on layer2 pkts */
>>>>>>                                         break;
>>>>>> +#endif
>>>>>>                                 if (!q || dyn_dir == MATCH_FORWARD) {
>>>>>>                                         if (sa->sin_addr.s_addr == INADDR_ANY) {
>>>>>>
>>>>>>  bcopy(sa,&args->hopstore,
>>>>>>
>>>>>> ===============================================
>>>>>> Index: netinet/ip_output.c
>>>>>
>>>>> Dear Julian,
>>>>>
>>>>> Is anything missing from the above code? Say, like ip_output stuff?
>>>>>
>>>>> I have tried what you sent me, compiled fine but did not work.
>>>>>
>>>>> Here is my only rule (I have tried both with and without layer2 on the
>>>>> rule):
>>>>>
>>>>> 00001        36        4338 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
>>>>> 65535 32842101 2107060460 allow ip from any to any
>>>>>
>>>>> Here are the sysctl tunables:
>>>>>
>>>>> net.link.bridge.ipfw: 1
>>>>> net.link.bridge.inherit_mac: 0
>>>>> net.link.bridge.log_stp: 0
>>>>> net.link.bridge.pfil_local_phys: 0
>>>>> net.link.bridge.pfil_member: 0
>>>>> net.link.bridge.pfil_bridge: 1
>>>>> net.link.bridge.ipfw_arp: 0
>>>>> net.link.bridge.pfil_onlyip: 0
>>>>> net.link.ether.inet.log_arp_permanent_modify: 1
>>>>> net.link.ether.inet.log_arp_movements: 1
>>>>> net.link.ether.inet.log_arp_wrong_iface: 1
>>>>> net.link.ether.inet.proxyall: 0
>>>>> net.link.ether.inet.useloopback: 1
>>>>> net.link.ether.inet.maxtries: 5
>>>>> net.link.ether.inet.max_age: 1200
>>>>> net.link.ether.ipfw: 1
>>>>>
>>>>> And my bridge:
>>>>>
>>>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>>         ether 16:52:8e:91:2f:45
>>>>>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>>>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>>>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>>>         member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>>>                 ifmaxaddr 0 port 5 priority 128 path cost 200000
>>>>>         member: sis0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>>>                 ifmaxaddr 0 port 1 priority 128 path cost 200000
>>>>>
>>>>> The ipfw counter gets increased but nothing hits Apache. Instead I
>>>>> go to the Internet directly.
>>>>>
>>>>> sis0 is on internet, vr0 is cross-over to the laptop (customer).
>>>>>
>>>>> How should I debug it?
>>>>>
>>>>>
>>>> basically I would suggest code inspection for a start..
>>>>
>>>> look at where ipfw is called (just before where the patch went in) and
>>>> follow the packet up into ipfw
>>>> and back, and read what it would do..
>>>>
>>>> It's actually not a very hard path to follow.
>>>>
>>>> I'll try to look at it after work..
>>>
>>> Hello Julian / Adrian.
>>>
>>> Thank you for your attention. A friend added some log entries so we
>>> could try to find out what gets run and what doesn't.
>>>
>>> Here is my current patch against RELENG_8:
>>>
>>> --- if_bridge.c.orig    2010-09-11 22:02:36.000000000 +0000
>>> +++ if_bridge.c 2010-10-05 17:59:13.000000000 +0000
>>> @@ -2957,6 +2957,13 @@
>>>         struct ip *ip;
>>>         struct llc llc1;
>>>         u_int16_t ether_type;
>>> +       int     is_ip = 0;
>>> +#ifdef IPFIREWALL_FORWARD
>>> +       struct m_tag *fwd_tag;
>>> +#endif
>>> +
>>> +
>>> +
>>>
>>>         snap = 0;
>>>         error = -1;     /* Default error if not error == 0 */
>>> @@ -3016,6 +3023,8 @@
>>>  #ifdef INET6
>>>                 case ETHERTYPE_IPV6:
>>>  #endif /* INET6 */
>>> +                       is_ip=1;
>>> +                       log(LOG_NOTICE, "Entered 0: is_ip=%i\n",is_ip);
>>>                         break;
>>>                 default:
>>>                         /*
>>> @@ -3091,6 +3100,32 @@
>>>                 if (*mp == NULL)
>>>                         return (error);
>>>
>>> +#ifdef IPFIREWALL_FORWARD
>>> +              /*
>>> +               * Did the firewall want to forward it somewhere?
>>> +               * If so, let the ip stack handle it.
>>> +               */
>>> +             log(LOG_NOTICE, "Entered 1");
>>> +              if (i == 0 && args.next_hop != NULL &&
>>> +                          is_ip /*&& src != NULL */) {
>>> +                      log(LOG_NOTICE, "Entered 2");
>>> +
>>> +                      fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
>>> +                                          sizeof(struct sockaddr_in), M_NOWAIT);
>>> +                      if (fwd_tag == NULL)
>>> +                              goto drop;
>>> +                      bcopy(args.next_hop, (fwd_tag+1),
>>> +                          sizeof(struct sockaddr_in));
>>> +                      m_tag_prepend(*mp, fwd_tag);
>>> +
>>> +                      if (in_localip(args.next_hop->sin_addr))
>>> +                              (*mp)->m_flags |= M_FASTFWD_OURS;
>>> +                     ether_demux(src, *mp);
>>> +                      return (NULL);
>>> +              }
>>> +#endif
>>> +
>>> +
>>>                 if (ip_dn_io_ptr && (i == IP_FW_DUMMYNET)) {
>>>
>>>                         /* put the Ethernet header back on */
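Review bot: ether_demux(src, *mp) is handed an mbuf that no longer carries its link header. By this point bridge_pfil() has stripped the Ethernet header (and the SNAP/LLC header when `snap` is set) so the firewall sees an IP packet, which is why the dummynet branch immediately after this block begins with `/* put the Ethernet header back on */`. The forwarding path needs the same re-prepend of the saved Ethernet (and LLC) header before reinjecting, or ether_demux() will read IP payload as an Ethernet header. Two smaller points in the same block: `return (NULL);` should be `return (error);` to match the int return of the surrounding code, and `goto drop;` refers to a label not shown here, so confirm it exists in this tree; and the debug `log()` calls other than "Entered 0" have no trailing "\n", so their text will run together with the next kernel message.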
>>> --- ../netinet/ipfw/ip_fw2.c.orig       2010-09-16 15:11:17.000000000 +0000
>>> +++ ../netinet/ipfw/ip_fw2.c    2010-10-06 12:17:12.000000000 +0000
>>> @@ -2059,8 +2059,14 @@
>>>                                 break;
>>>
>>>                         case O_FORWARD_IP:
>>> -                                       if (args->eh)   /* not valid on layer2 pkts */
>>> +#if 0
>>> +                                       /* not valid on layer2 pkts */
>>> +                                       if (args->eh) {
>>> +                                               log(LOG_NOTICE, "ip_fw2.c Entered 1");
>>>                                                 break;
>>> +                                       }
>>> +                                       log(LOG_NOTICE, "ip_fw2.c Entered 2");
>>
>> these will never happen as they are in the #if 0 section.
>>
>> the #if 0 is to REMOVE that code from being compiled.
>>
>>
>>> +#endif
>
> Hello Julian,
>
> Thank you again for your feedback. I appreciate it very much.
>
> On my understanding this "if 0" was to really ignore this portion of
> code, because as I understand what it does is to break (leave the
> loop) if the packet is on layer2, and this is something we would not
> want, but I guess I am wrong.
>
> I tested now with your suggestion, and what we get is:
>
> Oct  7 15:45:16 phoenix kernel: Entered 0: is_ip=1
> Oct  7 15:45:16 phoenix kernel: ip_fw2.c Entered 1
> Oct  7 15:45:16 phoenix kernel: Entered 0: is_ip=1
> Oct  7 15:45:50 phoenix last message repeated 29 times
> Oct  7 15:47:53 phoenix last message repeated 237 times
> Oct  7 15:57:56 phoenix last message repeated 1029 times
> Oct  7 16:02:51 phoenix last message repeated 655 times
> Oct  7 16:02:51 phoenix kernel: ip_fw2.c Entered 1
> Oct  7 16:02:51 phoenix kernel: Entered 0: is_ip=1
> Oct  7 16:03:23 phoenix last message repeated 54 times
> Oct  7 16:05:24 phoenix last message repeated 345 times
> Oct  7 16:15:26 phoenix last message repeated 1135 times
> Oct  7 16:15:33 phoenix last message repeated 8 times
>
> So yes, we entered on ipfw code now, and executed only the instruction
> before we "break".
>
> The curious thing is that the counter did not count now with both:
>
> 00001     0       0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
> 00001     0       0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80
>
> How can I move forth?

Hello,

I am glad to tell you that someone helped me out and we made it work. In
fact two friends called Luiz Otavio (he has helped on IP_BINDANY
before, on lusca's tproxy support) and Patrick Tracanelli sorted out
the missing piece of code and showed up with this patch:

Index: netinet/ipfw/ip_fw2.c
===================================================================
--- netinet/ipfw/ip_fw2.c	(revision 213573)
+++ netinet/ipfw/ip_fw2.c	(working copy)
@@ -2059,8 +2059,10 @@
 				break;

 			case O_FORWARD_IP:
+#if 0
 				if (args->eh)	/* not valid on layer2 pkts */
 					break;
+#endif
 				if (!q || dyn_dir == MATCH_FORWARD) {
 				    struct sockaddr_in *sa;
 				    sa = &(((ipfw_insn_sa *)cmd)->sa);
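Review bot: wrapping the `if (args->eh) break;` guard in `#if 0` changes behaviour for every layer-2 caller of ipfw_chk(), not only the bridge path that this patch set teaches to honour args->next_hop. A layer-2 caller that sets args->eh but never inspects next_hop afterwards (the net.link.ether.ipfw hook listed in the sysctl output earlier in this thread) will now count the fwd rule as matched and then deliver the frame unchanged. Rather than `#if 0`, delete the two lines and put a comment in their place saying that layer-2 callers are expected to process next_hop, and either give the remaining layer-2 hook the same tag handling or document that `fwd` with `layer2` only takes effect on bridged traffic.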
Index: net/if_bridge.c
===================================================================
--- net/if_bridge.c	(revision 213573)
+++ net/if_bridge.c	(working copy)
@@ -79,6 +79,7 @@

 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipfw.h"

 #include <sys/param.h>
 #include <sys/mbuf.h>
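Review bot: the added `#include "opt_ipfw.h"` is what makes IPFIREWALL_FORWARD visible in if_bridge.c at all; without it every `#ifdef IPFIREWALL_FORWARD` block in this file is silently compiled out, which is consistent with the earlier attempts in this thread that "compiled fine but did not work" and never logged the bridge-side "Entered 1" message. A one-line comment next to the include stating that dependency would keep it from being dropped the next time the includes are tidied. Please also confirm the file still builds with IPFIREWALL_FORWARD absent from the kernel config, since `fwd_tag` is conditional on the option while `is_ip` is not.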
@@ -2951,14 +2952,18 @@
 static int
 bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
 {
-	int snap, error, i, hlen;
+	int snap, error, i, is_ip, hlen;
 	struct ether_header *eh1, eh2;
 	struct ip_fw_args args;
 	struct ip *ip;
 	struct llc llc1;
 	u_int16_t ether_type;
+#ifdef IPFIREWALL_FORWARD
+	struct m_tag *fwd_tag;
+#endif

 	snap = 0;
+	is_ip = 0;
 	error = -1;	/* Default error if not error == 0 */

 #if 0
@@ -3016,6 +3021,7 @@
 #ifdef INET6
 		case ETHERTYPE_IPV6:
 #endif /* INET6 */
+			is_ip = 1;
 			break;
 		default:
 			/*
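Review bot: `is_ip = 1;` is set for ETHERTYPE_IPV6 as well as ETHERTYPE_IP, but the forwarding block added in the next hunk builds the tag as a `struct sockaddr_in` and calls in_localip() on `args.next_hop->sin_addr`. If a fwd rule can ever set args.next_hop for a v6 frame, that frame would be tagged with a v4 next hop and reinjected. Either move the assignment so only the ETHERTYPE_IP case sets it, or add an `ether_type == ETHERTYPE_IP` test to the forwarding condition with a comment saying why.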
@@ -3091,6 +3097,46 @@
 		if (*mp == NULL)
 			return (error);

+#ifdef	IPFIREWALL_FORWARD
+		/*
+		 * Did the firewall want to forward it somewhere?
+		 * If so, let the ip stack handle it.
+		 */
+		if (i == 0 && args.next_hop != NULL && is_ip) {
+
+			fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+			    sizeof(struct sockaddr_in), M_NOWAIT);
+			if (fwd_tag == NULL)
+				return (error);
+			bcopy(args.next_hop, (fwd_tag+1),
+			    sizeof(struct sockaddr_in));
+			m_tag_prepend(*mp, fwd_tag);
+
+			if (in_localip(args.next_hop->sin_addr))
+				(*mp)->m_flags |= M_FASTFWD_OURS;
+
+			/*
+			 * Put everything back the way it was and reinject the
+			 * packet.
+			 */
+			if (snap) {
+				M_PREPEND(*mp, sizeof(struct llc), M_DONTWAIT);
+				if (*mp == NULL)
+					return (error);
+				bcopy(&llc1, mtod(*mp, caddr_t),
+				    sizeof(struct llc));
+			}
+
+			M_PREPEND(*mp, ETHER_HDR_LEN, M_DONTWAIT);
+			if (*mp == NULL)
+				return (error);
+			bcopy(&eh2, mtod(*mp, caddr_t), ETHER_HDR_LEN);
+
+			ether_demux(ifp, *mp);
+			return (error);
+		}
+#endif
+
 		if (ip_dn_io_ptr && (i == IP_FW_DUMMYNET)) {

 			/* put the Ethernet header back on */
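Review bot: after `ether_demux(ifp, *mp);` the packet belongs to the IP stack, yet `*mp` is left pointing at it and the function returns `error`. The surrounding code signals a consumed packet by leaving `*mp == NULL` (every `if (*mp == NULL) return (error);` check in this hunk follows an M_PREPEND that has already freed the mbuf), so set `*mp = NULL;` before that return; as written the caller is only safe because `error` is still its -1 default on this path. In the same block, `if (fwd_tag == NULL) return (error);` returns with `*mp` still allocated, unlike the checks it sits next to; free the mbuf and clear `*mp` there (or route it through the function's existing drop path) so an allocation failure does not leak the frame.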

Luiz has added it to: http://loos.no-ip.org:280/lusca_bridge.diff

I have tested and it works pretty well.

I hope someone can add it to -HEAD, so we won't lose it again. With
time, ipfw code changes and such great patches like Rizzo's and
Julian's stop working one day. It's bad we miss such great
functionality.

Thank you again everyone involved.

Adrian / Luiz / Julian,

With this patch fwd does its job on L2, ordinary proxy works like a
charm. But TPROXY won't work. It would be perfect to have both
features together. If you can suggest any further tests or changes I
will be pleased to test.

Thanks.



-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br


