From: puneet_kumar kumar
To: freebsd-ipfw@freebsd.org
Date: Tue, 31 Jul 2018 00:01:36 +0000 (UTC)
Subject: Source IP NAT
Message-ID: <1049085198.4031143.1532995296350@mail.yahoo.com>

Hi,

I am trying to change the IP of a TCP packet coming from a client and send it to a server. Client -----> freebsd box --> Server. Let's say the packet coming out from the client has source IP: 1.1.1.1 and dst IP: 1.1.1.10. I am changing the IP of that packet to 1.1.1.100 in the ether_input function. The reason behind changing it in ether_input is to do this NAT prior to hitting any IPFW rule.

The problem is that the packet is not being seen on the server. I did check the code path taken without changing the IP and with changing the IP all the way to the ipfw code and it looks like it is not dropping there. I am also recalculating the IP checksum so this can't be an issue either. Can someone suggest to me what I am doing wrong?

Puneet

From: Julian Elischer <julian@freebsd.org>
To: puneet_kumar kumar, freebsd-ipfw@freebsd.org
Date: Wed, 1 Aug 2018 16:48:35 +0800
Subject: Re: Source IP NAT
Message-ID: <76058b2c-7283-1c1b-35a0-1d4342ea9219@freebsd.org>
In-Reply-To: <1049085198.4031143.1532995296350@mail.yahoo.com>

On 31/7/18 8:01 am, puneet_kumar kumar via freebsd-ipfw wrote:
> Hi,
> I am trying to change the IP of a TCP packet coming from a client and send it to a server. Client -----> freebsd box --> Server. Let's say the packet coming out from the client has source IP: 1.1.1.1 and dst IP: 1.1.1.10. I am changing the IP of that packet to 1.1.1.100 in the ether_input function. The reason behind changing it in ether_input is to do this NAT prior to hitting any IPFW rule.
> The problem is that the packet is not being seen on the server. I did check the code path taken without changing the IP and with changing the IP all the way to the ipfw code and it looks like it is not dropping there. I am also recalculating the IP checksum so this can't be an issue either. Can someone suggest to me what I am doing wrong?
> Puneet

Well, you have several possibilities.. ipfw can act in ether_input() and you can give it a different set of rules to run there so that it doesn't interfere with regular ipfw processing in ip. Alternatively you could use netgraph to get the packets out and pass them to natd, though that may take a small amount of coding.
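One check worth making when a source address is rewritten by hand, as the question describes: the TCP checksum is computed over a pseudo-header that includes the source address, so refreshing only the IPv4 header checksum leaves the segment with a stale TCP checksum that a receiving host will silently discard. The program below is an added example, not code from either poster or from FreeBSD; the packet bytes and the NEWSRC address are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample (not from the thread): IPv4 header (20 bytes) + TCP header
 * (20 bytes) + 4 payload bytes, src 1.1.1.1 -> dst 1.1.1.10 as in the question.
 * Both checksum fields start at zero and are filled in by the fix_* helpers. */
static uint8_t pkt[44] = {
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    1,1,1,1,  1,1,1,10,
    0x04,0xd2, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0,
    'p','i','n','g' };
static const uint8_t NEWSRC[4] = {1, 1, 1, 100};  /* address the poster rewrites to */
/* Ones-complement accumulate of big-endian 16-bit words; an odd tail byte is padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; n -= 2, p += 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
static size_t ihl(const uint8_t *ip) { return (size_t)(ip[0] & 0x0f) * 4; }
/* IPv4 header checksum: header only, skipping the checksum field (bytes 10-11). */
static uint16_t ip_cksum(const uint8_t *ip) {
    return fold(sum16(ip + 12, ihl(ip) - 12, sum16(ip, 10, 0)));
}
/* TCP checksum: pseudo-header (src, dst, proto, TCP length) + whole segment,
 * skipping its own field (bytes 16-17). Changing the source address changes it. */
static uint16_t tcp_cksum(const uint8_t *ip) {
    size_t h = ihl(ip), tlen = (size_t)((ip[2] << 8) | ip[3]) - h;
    const uint8_t *tcp = ip + h;
    uint32_t acc = sum16(ip + 12, 8, 0) + ip[9] + tlen;
    return fold(sum16(tcp + 18, tlen - 18, sum16(tcp, 16, acc)));
}
static int ip_ok(const uint8_t *ip)  { return ip_cksum(ip) == ((ip[10] << 8) | ip[11]); }
static int tcp_ok(const uint8_t *ip) { const uint8_t *t = ip + ihl(ip);
                                       return tcp_cksum(ip) == ((t[16] << 8) | t[17]); }
static void fix_ip_cksum(uint8_t *ip)  { uint16_t c = ip_cksum(ip); ip[10] = c >> 8; ip[11] = c & 0xff; }
static void fix_tcp_cksum(uint8_t *ip) { uint8_t *t = ip + ihl(ip); uint16_t c = tcp_cksum(ip);
                                         t[16] = c >> 8; t[17] = c & 0xff; }
/* Rewrite as described in the question (IP checksum only); returns 1 iff both checksums verify. */
static int rewrite_src_ip_only(uint8_t *ip, const uint8_t src[4]) {
    memcpy(ip + 12, src, 4); fix_ip_cksum(ip); return ip_ok(ip) && tcp_ok(ip);
}
/* Rewrite refreshing both checksums; returns 1 iff both verify. */
static int rewrite_src(uint8_t *ip, const uint8_t src[4]) {
    memcpy(ip + 12, src, 4); fix_ip_cksum(ip); fix_tcp_cksum(ip); return ip_ok(ip) && tcp_ok(ip);
}
```

On a real FreeBSD receive path the mbuf may also carry checksum-offload state in m_pkthdr.csum_flags, which this constructed packet does not model.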