Date: Tue, 5 Oct 2010 16:56:58 -0300
From: Eduardo Meyer <dudu.meyer@gmail.com>
To: Julian Elischer <julian@freebsd.org>
Cc: Brandon Gooch <jamesbrandongooch@gmail.com>, ipfw@freebsd.org, Adrian Chadd <adrian@ucc.gu.uwa.edu.au>
Subject: Re: layer2 ipfw 'fwd' support
Message-ID: <AANLkTikAd_fke1HfMgRy3h4fXpo7_DcX3E4+Tu__3my8@mail.gmail.com>
In-Reply-To: <4CAA45CC.8020304@freebsd.org>
References: <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com>
 <AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com>
 <AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com>
 <4CAA1E7B.1020107@freebsd.org>
 <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq+@mail.gmail.com>
 <4CAA45CC.8020304@freebsd.org>
On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer <julian@freebsd.org> wrote:
> On 10/4/10 12:18 PM, Eduardo Meyer wrote:
>>
>> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>
>>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>>>
>>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
>>>> <jamesbrandongooch@gmail.com> wrote:
>>>>>
>>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer <dudu.meyer@gmail.com> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> In the past I have used this patch by Luigi Rizzo, which helped me
>>>>>> well.
>>>>>>
>>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>>
>>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>>> find out what has replaced mt_tag. Also in ip_input.c we dirty-hacked
>>>>>> the following piece of code:
>>>>>>
>>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>>         }
>>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>>                 /*
>>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>>                  * packets originally destined to us to some other directly
>>>>>>                  * connected host.
>>>>>>                  */
>>>>>>                 ip_forward(m, dchg);
>>>>>>                 return;
>>>>>>         }
>>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>>
>>>>>> And this is something we are not sure is correct.
>>>>>>
>>>>>> So my very obvious question is:
>>>>>>
>>>>>> Does anyone have a recent version of this patch to share?
>>>>>>
>>>>>> Can anyone familiar with the ipfw source code help me with that?
>>>>>>
>>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>>> to is still required? Can you provide more detail about your
>>>>> particular application?
>>>>>
>>>>> -Brandon
>>>>
>>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>>
>>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>>> fork).
>>>>
>>>> Thank you for your interest.
>>>
>>> Cisco/Ironport have a patch that does this..
>>> I had permission to bring it back when I worked there but never got it
>>> committed.
>>>
>>> Adrian, was it part of the set I gave you?
>>
>> Hello Elischer,
>>
>> Was this made public?
>>
>> I hope Chadd has some good news. In fact I tend to use it with Lusca in
>> tproxy mode. I bet this is the only missing piece of software.
>>
>
> I just dug up my old changes.
> do you want to fwd from a bridge? or what?
> (it makes a difference what patches are needed)
>
> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
> may help..
>
>
> Here are parts of it that may be relevant:
> these are old (2007 I think) but may be of use still.
>
> adrian had the full set at
>
> ==quote adrian=====
>  The stuff is in p4 now, but I haven't tested it out at all.
>
>    //depo/projects/adrian_spoof_clientip/   I -think-.
> == end quote===
>
>
>
>
> Index: net/if_bridge.c
> ===================================================================
> RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
> retrieving revision 1.107
> diff -u -r1.107 if_bridge.c
> --- net/if_bridge.c     6 Nov 2007 23:01:42 -0000       1.107
> +++ net/if_bridge.c     28 Nov 2007 06:59:10 -0000
> @@ -2908,6 +2908,11 @@
>         struct ip *ip;
>         struct llc llc1;
>         u_int16_t ether_type;
> +       int     is_ip = 0;
> +#ifdef IPFIREWALL_FORWARD
> +       struct m_tag *fwd_tag;
> +#endif
> +
>
>         snap = 0;
>         error = -1;     /* Default error if not error == 0 */
> @@ -2967,6 +2972,7 @@
>  #ifdef INET6
>                 case ETHERTYPE_IPV6:
>  #endif /* INET6 */
> +                       is_ip = 1;
>                         break;
>                 default:
>                         /*
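Review bot: in the @@ -2967 hunk, `is_ip = 1` is set for `ETHERTYPE_IP` and (under INET6) `ETHERTYPE_IPV6` alike, but the block this flag gates in the @@ -3024 hunk copies a `struct sockaddr_in` out of `args.next_hop` and calls `in_localip(args.next_hop->sin_addr)`, both of which are IPv4-only, so an IPv6 frame matched by a `fwd` rule would be handed an IPv4 next-hop tag. Either set the flag only in the `ETHERTYPE_IP` case or rename it `is_ip4` and add a separate path for v6 later. A short comment on the new `int is_ip = 0;` in the @@ -2908 hunk saying that it gates the IPFIREWALL_FORWARD hand-off below would also help, since it is declared outside the `#ifdef` while `fwd_tag` is inside it.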
> @@ -3024,6 +3030,30 @@
>
>                 if (*mp == NULL)
>                         return (error);
> +
> +#ifdef IPFIREWALL_FORWARD
> +               /*
> +                * Did the firewall want to forward it somewhere?
> +                * If so, let the ip stack handle it.
> +                */
> +               if (i == 0 && args.next_hop != NULL &&
> +                   is_ip /*&& src != NULL*/) {
> +
> +                       fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
> +                                           sizeof(struct sockaddr_in), M_NOWAIT);
> +                       if (fwd_tag == NULL)
> +                               goto drop;
> +                       bcopy(args.next_hop, (fwd_tag+1),
> +                             sizeof(struct sockaddr_in));
> +                       m_tag_prepend(*mp, fwd_tag);
> +
> +                       if (in_localip(args.next_hop->sin_addr))
> +                               (*mp)->m_flags |= M_FASTFWD_OURS;
> +                       ether_demux(src, *mp);
> +                       return (NULL);
> +               }
> +#endif
> +
>
>                 if (DUMMYNET_LOADED && (i == IP_FW_DUMMYNET)) {
>
> ==================
> Index: netinet/ip_fw2.c
> ===================================================================
> RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
> retrieving revision 1.178
> diff -u -r1.178 ip_fw2.c
> --- netinet/ip_fw2.c    28 Oct 2007 17:12:47 -0000      1.178
> +++ netinet/ip_fw2.c    28 Nov 2007 06:59:10 -0000
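Review bot: in the if_bridge.c @@ -3024 hunk above, the block returns right after `ether_demux(src, *mp)` without clearing `*mp`, while the code just before it (`if (*mp == NULL) return (error);`) shows the caller treats a NULL `*mp` as "packet consumed"; set `*mp = NULL` before returning so the caller cannot touch or free an mbuf that ether_demux now owns. Two smaller points in the same block: the `src != NULL` test is commented out but `src` is passed straight to ether_demux, so either restore the guard or otherwise make sure `src` is non-NULL when this path is taken; and `return (NULL)` in a function whose other exits return the int `error` should be `return (0)` (or whatever value the caller expects for a consumed packet), not a pointer constant.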
>
> @@ -3446,8 +3507,10 @@
>                         case O_FORWARD_IP: {
>                                 struct sockaddr_in *sa;
>                                 sa = &(((ipfw_insn_sa *)cmd)->sa);
> +#if 0
>                                 if (args->eh)   /* not valid on layer2 pkts */
>                                         break;
> +#endif
>                                 if (!q || dyn_dir == MATCH_FORWARD) {
>                                         if (sa->sin_addr.s_addr == INADDR_ANY) {
>                                                 bcopy(sa, &args->hopstore,
>
> ===================================================
> Index: netinet/ip_output.c

Dear Julian,

Is anything missing from the above code? Say, like the ip_output stuff? I have tried what you sent me; it compiled fine but did not work.
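Review bot: the `#if 0` in the @@ -3446 hunk should be a real deletion, and the `/* not valid on layer2 pkts */` comment it leaves behind is now wrong: with the `if (args->eh) break;` disabled, O_FORWARD_IP stores the next hop into `args->hopstore` for layer-2 matches too, and the only consumer of that hop added by this patch is the if_bridge.c block, so the comment should say that a layer-2 match hands the hop to the bridge path rather than that it is invalid. Note also that the quoted diff stops at `Index: netinet/ip_output.c` with no hunk after it, so whatever was changed in ip_output.c is not part of what is shown here.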
Here is my only rule (I have tried both with and without layer2 on the rule):

00001       36       4338 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
65535 32842101 2107060460 allow ip from any to any

Here are the sysctl tunables:

net.link.bridge.ipfw: 1
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0
net.link.ether.inet.log_arp_permanent_modify: 1
net.link.ether.inet.log_arp_movements: 1
net.link.ether.inet.log_arp_wrong_iface: 1
net.link.ether.inet.proxyall: 0
net.link.ether.inet.useloopback: 1
net.link.ether.inet.maxtries: 5
net.link.ether.inet.max_age: 1200
net.link.ether.ipfw: 1

And my bridge:

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 16:52:8e:91:2f:45
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 200000
        member: sis0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000

The ipfw counter gets increased, but nothing hits Apache. Instead I go to the Internet directly.

sis0 is on the Internet, vr0 is a cross-over to the laptop (customer).

How should I debug it?

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTikAd_fke1HfMgRy3h4fXpo7_DcX3E4%2BTu__3my8>