Date: Mon, 02 Feb 2015 22:36:12 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: freebsd-ipfw@freebsd.org
Subject: Re: How to configure nat for interface which will be created later?
Message-ID: <54CFD1AC.6040503@FreeBSD.org>
In-Reply-To: <54CFBFB9.9040801@FreeBSD.org>
References: <54CFBDF7.30301@FreeBSD.org> <54CFBFB9.9040801@FreeBSD.org>

On 02.02.2015 21:19, Lev Serebryakov wrote:

>> It is possible to use non-existing interface name in via / xmit /
>> recv option. It allows to write firewall which works with, say,
>> VPN connection which is created AFTER firewall is loaded on
>> boot.
>
>> But "nat X config if <iface>" doesn't allow to use non-existing
>> interface name! It looks like very strict limitation, as it
>> doesn't allow to include VPN to nat config!
>
>> Is there any solution for this problem?
> Looking at "sbin/ipfw/nat.c:166" and
> "sys/netpfil/ipfw/ip_fw_nat.c", it looks like this userland check
> is too restrictive.
>
> But I'm not sure that I'm right...

To be honest, I don't understand the code in sbin/ipfw/nat.c:80 (function set_addr_dynamic()) at all! First of all, it enumerates through the interface list to find the interface and store its index to "ifIndex" and MTU to "ifMTU" variables. After that, it continues to enumerate the SAME data structure to find the address. But "ifIndex" and "ifMTU" are never used again!

--
// Lev Serebryakov