Date:      Fri, 9 Oct 2009 21:37:22 +0200
From:      Jacques Fourie <jacques.fourie@gmail.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Route re-calculation in ip_output()
Message-ID:  <be2f52430910091237l52d15ae3jbaf1470cd4f5b5e9@mail.gmail.com>
In-Reply-To: <4ACF5DA5.6060806@elischer.org>
References:  <be2f52430910090146m78db28fbnd57362ab658e0278@mail.gmail.com> <4ACF5DA5.6060806@elischer.org>

On Fri, Oct 9, 2009 at 5:58 PM, Julian Elischer <julian@elischer.org> wrote:
> Jacques Fourie wrote:
>>
>> Hi,
>>
>> I've noticed what I believe to be a bug in ip_output(). The piece of
>> code in question is when the firewall changes the destination address
>> of an outgoing packet and the subsequent re-calculation of the route.
>> The issue should be clear from the attached diff - basically what
>> happens is that for the second route lookup dst can point to
>> ro->ro_rt->rt_gateway instead of &ro->ro_dst. It seems as if this
>> issue is present on 7, 8 and 9?
>
> Is this a problem?
> Generally, the aim of a fwd firewall rule is to set the next hop
> (gateway), so this may be what is required.
>
>
>>
>> --- ip_output.c 2009-10-09 10:37:40.537408240 +0200
>> +++ /home/jacques/ip_output.c =A0 2009-10-09 10:43:46.232819440 +0200
>> @@ -521,8 +521,10 @@
>> =A0#endif
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0error =3D netisr_queue(NE=
TISR_IP, m);
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto done;
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 } else
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 } else {
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 dst =3D (struct sockaddr_i=
n *)&ro->ro_dst;
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto again; =A0 =A0 /* Re=
do the routing table lookup.
>> */
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 }
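Review bot: the new `dst = (struct sockaddr_in *)&ro->ro_dst;` before `goto again` is only justified by the cover text (dst may still point at ro->ro_rt->rt_gateway from the first lookup), and the hunk's three lines of context do not show where that aliasing happens, so a reader of the diff alone cannot verify it; a one-line comment at the assignment such as `/* dst may still alias rt_gateway from the previous lookup */` would record why the reset is needed. Also, the diff is taken against /home/jacques/ip_output.c rather than a path relative to the source tree, and the quoted-printable mangling (=A0, =3D, wrapped lines) means it will not apply with patch(1) as posted; regenerating it from a checked-out tree and attaching it as a file would avoid both problems.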
>>
>>
>> Regards,
>> Jacques
>
If I understand everything correctly, the handling of fwd rules seems to
do exactly what I propose in the patch. See the code starting with 'if
(fwd_tag) {' in ip_output.c?
As far as I understand it, fwd rules do not change the destination IP
address in the mbuf, so the patch will not affect the handling of fwd
rules.

Jacques
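The pointer-aliasing problem described in the thread, as an added stand-alone model (not FreeBSD kernel code): `struct route`, `struct rtentry` and `rtalloc()` are replaced by toy equivalents (`route_model`, `rtentry_model`, `rtalloc_model`) over a constructed two-entry routing table, and `send_model()` replays the ip_output() sequence of first lookup, firewall rewrite of the destination, and second lookup. The `reset_dst` flag toggles the one-line fix from the patch so both behaviours can be compared; the real kernel's route freeing and mbuf handling are left out.

```c
#include <assert.h>
#include <string.h>

/* Simplified model of the ip_output() route-recalculation path discussed
 * above. Added example, not kernel code: the structures and the lookup are
 * stand-ins for struct route / struct rtentry / rtalloc(). */

#define RTF_GATEWAY 0x2

struct sockaddr_in_model {                 /* stand-in for struct sockaddr_in */
    unsigned int sin_addr;
};

struct rtentry_model {                     /* stand-in for struct rtentry */
    int rt_flags;
    struct sockaddr_in_model rt_gateway;   /* next hop when RTF_GATEWAY is set */
};

struct route_model {                       /* stand-in for struct route */
    struct rtentry_model *ro_rt;
    struct sockaddr_in_model ro_dst;
};

/* Constructed routing table: one prefix via a gateway, one directly connected. */
#define NET_A 0x0A000000u   /* 10.0.0.0/8 */
#define NET_B 0xC0A80000u   /* 192.168.0.0/16 */
static struct rtentry_model route_a = { RTF_GATEWAY, { 0x0A0000FEu } }; /* via 10.0.0.254 */
static struct rtentry_model route_b = { 0, { 0 } };                     /* on-link */

/* Longest-prefix lookup stand-in for rtalloc(). */
static struct rtentry_model *rtalloc_model(const struct sockaddr_in_model *dst)
{
    if ((dst->sin_addr & 0xFF000000u) == NET_A) return &route_a;
    if ((dst->sin_addr & 0xFFFF0000u) == NET_B) return &route_b;
    return NULL;                           /* no route */
}

/* Send to final_dst; after the first lookup a modelled firewall rule
 * rewrites the destination to fw_dst. Returns the next-hop address the
 * packet would go to, or 0 when there is no route. reset_dst selects
 * the behaviour with (1) or without (0) the fix proposed in the thread. */
unsigned int send_model(unsigned int final_dst, unsigned int fw_dst, int reset_dst)
{
    struct route_model ro;
    struct sockaddr_in_model *dst;
    int firewall_done = 0;

    memset(&ro, 0, sizeof ro);
    ro.ro_dst.sin_addr = final_dst;
    dst = &ro.ro_dst;

again:
    ro.ro_rt = rtalloc_model(dst);
    if (ro.ro_rt == NULL)
        return 0;
    /* As in ip_output(): for a gateway route, dst is pointed at the gateway. */
    if (ro.ro_rt->rt_flags & RTF_GATEWAY)
        dst = &ro.ro_rt->rt_gateway;

    if (!firewall_done) {
        firewall_done = 1;
        /* The firewall changed the destination: update ro_dst, redo the lookup. */
        ro.ro_dst.sin_addr = fw_dst;
        ro.ro_rt = NULL;
        if (reset_dst)
            dst = &ro.ro_dst;              /* the fix: look up the new destination */
        goto again;                        /* without it, dst may still alias rt_gateway */
    }
    return dst->sin_addr;
}
```

With the fix, a packet first routed via 10.0.0.254 and then redirected to 192.168.1.5 is re-looked-up on the new address and goes on-link to 192.168.1.5; without it, the second lookup is performed on the stale gateway address, so the packet still leaves towards 10.0.0.254. When the first route is an on-link one, dst never aliases rt_gateway and both variants agree, which is why the bug depends on the original destination having a gateway route.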


