From: Lev Serebryakov <lev@FreeBSD.org>
Date: Mon, 02 Feb 2015 22:36:12 +0300
To: freebsd-ipfw@freebsd.org
Subject: Re: How to configure nat for interface which will be created later?
Message-ID: <54CFD1AC.6040503@FreeBSD.org>
In-Reply-To: <54CFBFB9.9040801@FreeBSD.org>
References: <54CFBDF7.30301@FreeBSD.org> <54CFBFB9.9040801@FreeBSD.org>

On 02.02.2015 21:19, Lev Serebryakov wrote:
>> It is possible to use a non-existing interface name in the via / xmit /
>> recv option. It allows writing a firewall which works with, say, a
>> VPN connection which is created AFTER the firewall is loaded on
>> boot.
>
>> But "nat X config if" doesn't allow using a non-existing
>> interface name! It looks like a very strict limitation, as it
>> doesn't allow including the VPN in the nat config!
>
>> Is there any solution for this problem?
> Looking at "sbin/ipfw/nat.c:166" and
> "sys/netpfil/ipfw/ip_fw_nat.c", it looks like this userland check
> is too restrictive.
>
> But I'm not sure that I'm right...

To be honest, I don't understand the code in sbin/ipfw/nat.c:80 (function set_addr_dynamic()) at all!

First of all, it enumerates through the interface list to find the interface and stores its index in the "ifIndex" variable and its MTU in the "ifMTU" variable. After that, it continues to enumerate the SAME data structure to find the address. But "ifIndex" and "ifMTU" are never used again!

-- 
// Lev Serebryakov