From: "Qing Li"
To: "'Andre Oppermann'", "'Adrian Chadd'"
Cc: 'Perforce Change Reviews'
Date: Tue, 8 Jan 2008 19:31:42 -0800
Subject: RE: PERFORCE change 132710 for review
Message-ID: <001501c85270$271f8110$8d335140@SAINTS>
In-Reply-To: <4783F57F.7010201@freebsd.org>
References: <200801071418.m07EIwNn036146@repoman.freebsd.org> <4782A21C.2060504@freebsd.org> <4783F57F.7010201@freebsd.org>
List-Id: p4 projects tree changes (p4-projects@freebsd.org)

> -----Original Message-----
> From: Andre Oppermann [mailto:andre@freebsd.org]
> Sent: Tuesday, January 08, 2008 2:13 PM
> To: Adrian Chadd
> Cc: Perforce Change Reviews
> Subject: Re: PERFORCE change 132710 for review
>
> Adrian Chadd wrote:
> > On 08/01/2008, Andre Oppermann wrote:
> >
> >> Reinventing the wheel? Have a look at IPFIREWALL_FORWARD which
> >> supports transparent proxying as well.
> >
> > Yes, but redirects it to a local listen() socket, effectively spoofing
> > the destination IP. The client (i.e., the computer making the connect())
> > thinks it's talking to the original destination.
> >
> > This is meant to implement the other end - spoofing the local IP on
> > sockets that you connect() to, spoofing the local IP and not the
> > destination IP. This is intended to let a FreeBSD box (with relevant
> > symmetrical routing) pretend to be a client on a connect() to a remote
> > server.
>

"with symmetrical routing" I assume you are referring to in-line deployment ...

> > If this can be done within pf/ipfw right now then please let me know.
> > :)
>
> The IPFIREWALL_FORWARD functionality should be able to do that as well.

Yup. :) You could actually IPFIREWALL_FORWARD to 127.0.0.1 as long as you have updated in_pcb.c to allow for a spoofed socket.

> The direction of the spoof capture doesn't really matter as long as you
> reverse the rule from the traditional transparent proxy example.

I don't quite understand what you mean here, but the directionality really does matter if you don't want to leak packets from a guard policy (well, more accurately, how many packets are allowed to leak).

> The only missing piece is binding a local socket to a non-local IP
> address. That you have to address in netinet/in_pcb.c either with a
> global sysctl or an individual socket option. Should only take a dozen
> lines or less to do that (including the sysctl or socket option code).

Yup. That's the key piece here.

-- Qing

> --
> Andre
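The "missing piece" Andre and Qing agree on is a socket that binds to an address the host does not own. The program below is an added example, not code from this thread, from the Perforce change under review, or from FreeBSD; it shows the userland side of that piece. It assumes the per-socket option that later shipped as IP_BINDANY on FreeBSD, and its Linux counterpart IP_FREEBIND, as the "individual socket option" Andre describes; neither name appears in the thread. The spoofed address 203.0.113.7 is constructed from TEST-NET-3 and belongs to no interface, so the first bind fails the in_pcb local-address check with EADDRNOTAVAIL and the second, with the option set, succeeds.

```c
/*
 * Added example (not from the thread, the reviewed change, or FreeBSD):
 * bind a TCP socket to an IP address this host does not own.
 *
 * Without a non-local-bind option the kernel rejects the bind with
 * EADDRNOTAVAIL.  With the per-socket option (IP_BINDANY on FreeBSD,
 * IP_FREEBIND on Linux; both are assumptions here, the thread names
 * neither) the bind goes through and a later connect() leaves the box
 * with that spoofed source address.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(IP_BINDANY)            /* FreeBSD: privileged (root) option */
#define NONLOCAL_BIND_OPT IP_BINDANY
#elif defined(IP_FREEBIND)         /* Linux: unprivileged option */
#define NONLOCAL_BIND_OPT IP_FREEBIND
#else
#define NONLOCAL_BIND_OPT (-1)     /* no known option on this platform */
#endif

/*
 * Create a TCP socket and bind it to addr:port.  When allow_nonlocal is
 * nonzero, set the platform's non-local-bind socket option first.
 * Returns 0 on success and stores the descriptor in *sock_out (or closes
 * it when sock_out is NULL); returns -errno on failure.
 */
int bind_spoofed_local(const char *addr, uint16_t port, int allow_nonlocal,
                       int *sock_out)
{
    struct sockaddr_in sin;
    int s, err;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -errno;

    if (allow_nonlocal) {
        int one = 1;
        if (NONLOCAL_BIND_OPT < 0) {
            close(s);
            return -ENOPROTOOPT;
        }
        if (setsockopt(s, IPPROTO_IP, NONLOCAL_BIND_OPT, &one, sizeof one) < 0) {
            err = errno;
            close(s);
            return -err;
        }
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(s);
        return -EINVAL;
    }

    /* This is the call the kernel's local-address check (in_pcb.c on
     * FreeBSD) either rejects with EADDRNOTAVAIL or, with the option set,
     * lets through. */
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
        err = errno;
        close(s);
        return -err;
    }

    if (sock_out)
        *sock_out = s;
    else
        close(s);
    return 0;
}

int main(void)
{
    /* Constructed non-local address from TEST-NET-3 (RFC 5737). */
    const char *spoof = "203.0.113.7";
    int fd = -1;
    int r_plain = bind_spoofed_local(spoof, 0, 0, NULL);
    int r_any = bind_spoofed_local(spoof, 0, 1, &fd);

    printf("bind %s without option: %s\n", spoof,
           r_plain == 0 ? "ok" : strerror(-r_plain));
    printf("bind %s with option:    %s\n", spoof,
           r_any == 0 ? "ok" : strerror(-r_any));
    if (r_any == 0)
        close(fd);
    return 0;
}
```

A connect() on the returned descriptor sends its SYN from 203.0.113.7; the SYN/ACK only reaches this socket if the box sits in-line on the return path, which is the "symmetrical routing" Adrian refers to. The global-knob alternative Andre mentions exists on Linux as the net.ipv4.ip_nonlocal_bind sysctl; when it is enabled the unoptioned bind above succeeds too. On FreeBSD, IP_BINDANY is a privileged option, so the optioned bind fails with EPERM for an unprivileged process.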