Date: Wed, 3 Jan 2007 11:00:51 GMT From: Paolo Pisati <piso@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 112448 for review Message-ID: <200701031100.l03B0pmG035219@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=112448
Change 112448 by piso@piso_newluxor on 2007/01/03 11:00:42
Wrap the ipfw nat support in a new kernel config option named "IPFIREWALL_NAT".
Affected files ...
.. //depot/projects/soc2005/libalias/sys/conf/NOTES#16 edit
.. //depot/projects/soc2005/libalias/sys/conf/options#15 edit
.. //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#36 edit
Differences ...
==== //depot/projects/soc2005/libalias/sys/conf/NOTES#16 (text+ko) ====
@@ -835,6 +835,10 @@
 # packets too. Because of this great care is required when
 # crafting the ruleset.
 #
+# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
+# LIBALIAS. To build an ipfw kld with nat support enabled, add
+# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.
+#
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the TTL). This can be useful to hide firewalls
 # from traceroute and similar tools.
@@ -850,6 +854,7 @@
 options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
 options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
 options IPFIREWALL_FORWARD #packet destination changes
+options IPFIREWALL_NAT #ipfw kernel nat support
 options IPDIVERT #divert sockets
 options IPFILTER #ipfilter support
 options IPFILTER_LOG #ipfilter logging
==== //depot/projects/soc2005/libalias/sys/conf/options#15 (text+ko) ====
@@ -373,6 +373,7 @@
 IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
 IPFIREWALL_FORWARD opt_ipfw.h
+IPFIREWALL_NAT opt_ipfw.h
 IPSTEALTH
 IPX
 IPXIP opt_ipx.h
==== //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#36 (text+ko) ====
@@ -84,9 +84,10 @@
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
 #include <netinet/sctp.h>
-
+#ifdef IPFIREWALL_NAT
 #include <netinet/libalias/alias.h>
 #include <netinet/libalias/alias_local.h>
+#endif
 #include <netgraph/ng_ipfw.h>
 #include <altq/if_altq.h>
@@ -307,7 +308,9 @@
 #endif /* INET6 */
 #endif /* SYSCTL_NODE */
+#ifdef IPFIREWALL_NAT
 MODULE_DEPEND(ipfw, libalias, 1, 1, 1);
+#endif
 static int fw_deny_unknown_exthdrs = 1;
@@ -2036,6 +2039,7 @@
 return match;
 }
+#ifdef IPFIREWALL_NAT
 static eventhandler_tag ifaddr_event_tag;
 static void
@@ -2207,6 +2211,7 @@
 /* something really bad happened: panic! */
 panic("%s\n", panic_err);
 }
+#endif
 /*
 * The main check routine for the firewall.
@@ -3437,6 +3442,7 @@
 IP_FW_NETGRAPH : IP_FW_NGTEE;
 goto done;
+#ifdef IPFIREWALL_NAT
 case O_NAT: {
 struct cfg_nat *t;
 struct mbuf *mcl;
@@ -3607,6 +3613,7 @@
 retval = IP_FW_NAT;
 goto done;
 }
+#endif
 default:
 panic("-- unknown opcode %d\n", cmd->opcode);
@@ -4556,6 +4563,7 @@
 }
 break;
+#ifdef IPFIREWALL_NAT
 case IP_FW_NAT_CFG: {
 struct cfg_nat *ptr, *ser_n;
@@ -4734,6 +4742,7 @@
 free(data, M_IPFW);
 }
 break;
+#endif
 default:
 printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name);
@@ -4907,9 +4916,11 @@
 ip_fw_ctl_ptr = ipfw_ctl;
 ip_fw_chk_ptr = ipfw_chk;
 callout_reset(&ipfw_timeout, hz, ipfw_tick, NULL);
+#ifdef IPFIREWALL_NAT
 LIST_INIT(&layer3_chain.nat);
 ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, NULL, EVENTHANDLER_PRI_ANY);
+#endif
 return (0);
 }
@@ -4917,13 +4928,16 @@
 ipfw_destroy(void)
 {
 struct ip_fw *reap;
+#ifdef IPFIREWALL_NAT
 struct cfg_nat *ptr, *ptr_temp;
+#endif
 ip_fw_chk_ptr = NULL;
 ip_fw_ctl_ptr = NULL;
 callout_drain(&ipfw_timeout);
 IPFW_WLOCK(&layer3_chain);
 flush_tables(&layer3_chain);
+#ifdef IPFIREWALL_NAT
 LIST_FOREACH_SAFE(ptr, &layer3_chain.nat, _next, ptr_temp) {
 LIST_REMOVE(ptr, _next);
 del_redir_spool_cfg(ptr, &ptr->redir_chain);
@@ -4931,6 +4945,7 @@
 free(ptr, M_IPFW);
 }
 EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag);
+#endif
 layer3_chain.reap = NULL;
 free_chain(&layer3_chain, 1 /* kill default rule */);
 reap = layer3_chain.reap, layer3_chain.reap = NULL;
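Review bot: When IPFIREWALL_NAT is not defined, an O_NAT instruction reaching ipfw_chk now falls through to the `default:` branch of the same switch, which calls `panic("-- unknown opcode %d\n", cmd->opcode);` — the hunks at -3437 and -3607 compile the handler out, but this change shows no matching edit to the rule-validation path (check_ipfw_struct, outside every hunk here). If that path still accepts O_NAT with the option off, a ruleset containing a nat action loaded through ipfw_ctl becomes a kernel panic on the first matching packet rather than an install-time error. Rejecting the opcode where the rule structure is validated, under the same `#ifdef IPFIREWALL_NAT`, keeps the failure at the setsockopt boundary where it returns an error to the caller. The enclosing functions ipfw_chk and ipfw_ctl start and end outside these hunks, so the validation case cannot be confirmed from this diff.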