Date:      Wed, 10 May 2006 10:27:31 +0300
From:      Özkan KIRIK <ozkan@mersin.edu.tr>
To:        freebsd-net@freebsd.org
Subject:   Re: ipfw divert with layer2 (if_bridge) packets
Message-ID:  <446195E3.8080903@mersin.edu.tr>
In-Reply-To: <20060509231457.B67417@xorpc.icir.org>
References:  <4460FF4E.10305@ifi.unicamp.br> <44610333.6070806@elischer.org>	<4461830E.8070207@yandex.ru> <20060509231457.B67417@xorpc.icir.org>

Hi,

I have a question about these similar problems with bridging.

I use if_bridge on a FreeBSD 6.1 box.
ipfw doesn't support fwd rules via bridge, so I had to use pf for
transparent proxying.
But pf doesn't work like fwd. pf does NAT (rdr) on packets, so the
proxy software can't find the original destination address.

Once upon a time, someone wrote a patch for FreeBSD 4.x to make the fwd
action work with bridge.
What about if_bridge? Does that patch work on FreeBSD 6.x? If not, can
it be ported to 6.x?
I think the fwd action is a bit like the divert action. If the divert action works,
I think fwd could work.

What do you think about this subject?

Yours sincerely
Ozkan KIRIK

Luigi Rizzo wrote:

>On Wed, May 10, 2006 at 10:07:10AM +0400, Andrey V. Elsukov wrote:
>
>>Julian Elischer wrote:
>>
>>>I have changes that make it work in 4.x but they will not apply to 5.x
>>>or later.
>>>Luigi also has some changes that allow it.
>>>
>>I can try porting the older patches which allow this.
>>Is there a chance of including this feature in the base system?
>>
>
>Sorry if I missed the earlier part of the thread...
>
>The earlier patches I posted (for 4.x) had a race problem because L2
>packets would be processed with the wrong spl mask, leading to
>possible corruption in the socket buffer.
>A fix for that involves sending divert packets to the ipintrq
>so they could be reprocessed with the correct masks.
>
>Probably 6.x does not have the same problem, as the locking there
>is different. So in that case it might just be a case of adapting
>the patch to compile.
>
>	cheers
>	luigi