Date:      Tue, 31 Jul 2018 00:01:36 +0000 (UTC)
From:      puneet_kumar kumar <puneet_kumar_kumar@yahoo.com>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Source IP NAT
Message-ID:  <1049085198.4031143.1532995296350@mail.yahoo.com>
References:  <1049085198.4031143.1532995296350.ref@mail.yahoo.com>

Hi,
I am trying to change the IP of a TCP packet coming from client and send it to a server. Client ----->freebsd box --> Server. Let's say packet coming out from client has source IP: 1.1.1.1 and dst IP: 1.1.1.10, I am changing the IP of that packet to 1.1.1.100 in ether_input function. Reason behind changing it in ether_input is to do this NAT prior to hitting any IPFW rule.
Problem is that packet is not being seen on server. I did check the code path taken without changing ip and with changing ip all the way to ipfw code and it looks like it is not dropping there. I am also recalculating the ip checksum so this can't be an issue either. Can someone suggest me what I am doing wrong?
Puneet
Subject: Re: Source IP NAT
To: puneet_kumar kumar <puneet_kumar_kumar@yahoo.com>,
 "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
References: <1049085198.4031143.1532995296350.ref@mail.yahoo.com>
 <1049085198.4031143.1532995296350@mail.yahoo.com>
From: Julian Elischer <julian@freebsd.org>
Message-ID: <76058b2c-7283-1c1b-35a0-1d4342ea9219@freebsd.org>
Date: Wed, 1 Aug 2018 16:48:35 +0800

On 31/7/18 8:01 am, puneet_kumar kumar via freebsd-ipfw wrote:
> Hi,
> I am trying to change the IP of a TCP packet coming from client and send it to a server.  Client ----->freebsd box --> Server. Let's say packet coming out from client has source IP: 1.1.1.1 and dst IP: 1.1.1.10, I am changing the IP of that packet to 1.1.1.100 in ether_input function. Reason behind changing it in ether_input is to do this NAT prior to hitting any IPFW rule.
> Problem is that packet is not being seen on server. I did check the code path taken without changing ip and with changing ip all the way to ipfw code and it looks like it is not dropping there. I am also recalculating the ip checksum so this can't be an issue either. Can someone suggest me what I am doing wrong?
> Puneet
well, you have several possibilities..

ipfw can act in ether_input() and you can give it a different set of 
rules to run there so that it doesn't interfere with regular ipfw 
processing in ip.

Alternatively you could use netgraph to get the packets out and pass 
them to natd, though that may take a small amount of coding.
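Source NAT of a TCP packet as described in the original post touches two checksums, not one: the IPv4 header checksum and the TCP checksum, whose pseudo-header covers the source address. The following is an added example, not code from this thread or from FreeBSD; it builds a constructed 1.1.1.1 -> 1.1.1.10 SYN, rewrites the source to 1.1.1.100, patches both checksums incrementally (RFC 1624 eq. 3) and verifies them by full recomputation. All helper names (`csum_add`, `csum_patch32`, `snat_rewrite`, ...) are this example's own.

```c
#include <stdint.h>
#include <string.h>
/* Added example (not code from the thread): source NAT of an IPv4/TCP packet,
 * 1.1.1.1 -> 1.1.1.100 as in the post, must fix the IPv4 header checksum AND the
 * TCP checksum, whose pseudo-header covers the source address. Both are patched
 * incrementally per RFC 1624 eq. 3 and then verified by full recomputation. */
#define PKT_LEN 40  /* constructed sample: 20-byte IPv4 header + 20-byte TCP header */
static uint32_t csum_add(uint32_t s, const uint8_t *p, size_t n) {  /* one's-complement sum */
    for (; n > 1; p += 2, n -= 2) s += ((uint32_t)p[0] << 8) | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
static uint16_t csum_fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }

/* TCP pseudo-header (src, dst, zero/proto=6, TCP length) plus the segment, unfolded. */
static uint32_t tcp_sum(const uint8_t *pkt) {
    uint32_t s = csum_add(0, pkt + 12, 8) + 6 + (PKT_LEN - 20);
    return csum_add(s, pkt + 20, PKT_LEN - 20);
}
int ip_csum_ok(const uint8_t *pkt)  { return csum_fold(csum_add(0, pkt, 20)) == 0xffff; }
int tcp_csum_ok(const uint8_t *pkt) { return csum_fold(tcp_sum(pkt)) == 0xffff; }
/* Constructed SYN src:40000 -> 1.1.1.10:80 with both checksums filled in. */
void build_packet(uint8_t *pkt, uint32_t src) {
    memset(pkt, 0, PKT_LEN);
    pkt[0] = 0x45; put16(pkt + 2, PKT_LEN); pkt[8] = 64; pkt[9] = 6;  /* v4, ihl 5, ttl, TCP */
    put32(pkt + 12, src); put32(pkt + 16, 0x0101010au);
    put16(pkt + 20, 40000); put16(pkt + 22, 80); pkt[32] = 0x50; pkt[33] = 0x02;
    put16(pkt + 10, ~csum_fold(csum_add(0, pkt, 20)));
    put16(pkt + 36, ~csum_fold(tcp_sum(pkt)));
}
/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a 32-bit field changing m -> m2. */
static void csum_patch32(uint8_t *ck, uint32_t m, uint32_t m2) {
    uint32_t s = (uint16_t)~(((uint32_t)ck[0] << 8) | ck[1]);
    s += (uint16_t)~(m >> 16) + (uint16_t)~(m & 0xffff) + (m2 >> 16) + (m2 & 0xffff);
    put16(ck, ~csum_fold(s));
}
/* Rewrite the source address and patch both checksums; returns 1 if both still verify. */
int snat_rewrite(uint8_t *pkt, uint32_t new_src) {
    uint32_t old_src = get32(pkt + 12);
    csum_patch32(pkt + 10, old_src, new_src);   /* IPv4 header checksum at offset 10 */
    csum_patch32(pkt + 36, old_src, new_src);   /* TCP checksum at 20 + 16 */
    put32(pkt + 12, new_src);
    return ip_csum_ok(pkt) && tcp_csum_ok(pkt);
}
```

Leaving the second patch out produces a frame that is byte-for-byte valid at the IP layer yet fails the receiver's TCP checksum, which is the kind of silent drop that a capture on the wire will not explain.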