From: Paolo Pisati To: Perforce Change Reviews Cc: Subject: PERFORCE change 112448 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jan 2007 11:00:55 -0000 http://perforce.freebsd.org/chv.cgi?CH=112448 Change 112448 by piso@piso_newluxor on 2007/01/03 11:00:42 Wrap the ipfw nat support in a new kernel config option named "IPFIREWALL_NAT". Affected files ... .. //depot/projects/soc2005/libalias/sys/conf/NOTES#16 edit .. //depot/projects/soc2005/libalias/sys/conf/options#15 edit .. //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#36 edit Differences ... ==== //depot/projects/soc2005/libalias/sys/conf/NOTES#16 (text+ko) ==== @@ -835,6 +835,10 @@ # packets too. Because of this great care is required when # crafting the ruleset. # +# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires +# LIBALIAS. To build an ipfw kld with nat support enabled, add +# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf. +# # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. @@ -850,6 +854,7 @@ options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default options IPFIREWALL_FORWARD #packet destination changes +options IPFIREWALL_NAT #ipfw kernel nat support options IPDIVERT #divert sockets options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging ==== //depot/projects/soc2005/libalias/sys/conf/options#15 (text+ko) ==== @@ -373,6 +373,7 @@ IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_FORWARD opt_ipfw.h +IPFIREWALL_NAT opt_ipfw.h IPSTEALTH IPX IPXIP opt_ipx.h ==== //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#36 (text+ko) ==== 
@@ -84,9 +84,10 @@ #include #include #include - +#ifdef IPFIREWALL_NAT #include #include +#endif #include #include @@ -307,7 +308,9 @@ #endif /* INET6 */ #endif /* SYSCTL_NODE */ +#ifdef IPFIREWALL_NAT MODULE_DEPEND(ipfw, libalias, 1, 1, 1); +#endif static int fw_deny_unknown_exthdrs = 1; @@ -2036,6 +2039,7 @@ return match; } +#ifdef IPFIREWALL_NAT static eventhandler_tag ifaddr_event_tag; static void @@ -2207,6 +2211,7 @@ /* something really bad happened: panic! */ panic("%s\n", panic_err); } +#endif /* * The main check routine for the firewall. @@ -3437,6 +3442,7 @@ IP_FW_NETGRAPH : IP_FW_NGTEE; goto done; +#ifdef IPFIREWALL_NAT case O_NAT: { struct cfg_nat *t; struct mbuf *mcl; @@ -3607,6 +3613,7 @@ retval = IP_FW_NAT; goto done; } +#endif default: panic("-- unknown opcode %d\n", cmd->opcode); @@ -4556,6 +4563,7 @@ } break; +#ifdef IPFIREWALL_NAT case IP_FW_NAT_CFG: { struct cfg_nat *ptr, *ser_n; @@ -4734,6 +4742,7 @@ free(data, M_IPFW); } break; +#endif default: printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name); @@ -4907,9 +4916,11 @@ ip_fw_ctl_ptr = ipfw_ctl; ip_fw_chk_ptr = ipfw_chk; callout_reset(&ipfw_timeout, hz, ipfw_tick, NULL); +#ifdef IPFIREWALL_NAT LIST_INIT(&layer3_chain.nat); ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, NULL, EVENTHANDLER_PRI_ANY); +#endif return (0); } @@ -4917,13 +4928,16 @@ ipfw_destroy(void) { struct ip_fw *reap; +#ifdef IPFIREWALL_NAT struct cfg_nat *ptr, *ptr_temp; +#endif ip_fw_chk_ptr = NULL; ip_fw_ctl_ptr = NULL; callout_drain(&ipfw_timeout); IPFW_WLOCK(&layer3_chain); flush_tables(&layer3_chain); +#ifdef IPFIREWALL_NAT LIST_FOREACH_SAFE(ptr, &layer3_chain.nat, _next, ptr_temp) { LIST_REMOVE(ptr, _next); del_redir_spool_cfg(ptr, &ptr->redir_chain); @@ -4931,6 +4945,7 @@ free(ptr, M_IPFW); } EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag); +#endif layer3_chain.reap = NULL; free_chain(&layer3_chain, 1 /* kill default rule */); reap = layer3_chain.reap, layer3_chain.reap = NULL;
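Review bot: With IPFIREWALL_NAT compiled out, an O_NAT instruction that reaches ipfw_chk now falls through to `default: panic("-- unknown opcode %d\n", cmd->opcode);`, the line right after the new `#endif` in the -3437 hunk, so a ruleset carrying a nat action would take the kernel down instead of being refused. The hunk does not show whether the opcode validation done at rule-load time (check_ipfw_struct in this file, outside the hunks) has a matching guard; if it does not, it should reject the opcode when the option is off, e.g. `#ifndef IPFIREWALL_NAT` / `case O_NAT: return (EINVAL);` / `#endif` in that switch, so the unsupported action never enters the rule chain. The same shape applies to the -4563/-4742 hunks in ipfw_ctl, where IP_FW_NAT_CFG now reaches the `default:` branch; that one only prints, but its return value to the caller is not visible here and is worth confirming. ipfw_chk and ipfw_ctl both start and end outside their hunks.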