From owner-freebsd-ipfw@FreeBSD.ORG  Mon Oct  4 21:22:39 2010
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 63182106564A
	for <ipfw@freebsd.org>; Mon,  4 Oct 2010 21:22:39 +0000 (UTC)
	(envelope-from julian@freebsd.org)
Received: from out-0.mx.aerioconnect.net (outt.internet-mail-service.net
	[216.240.47.243])
	by mx1.freebsd.org (Postfix) with ESMTP id 402348FC08
	for <ipfw@freebsd.org>; Mon,  4 Oct 2010 21:22:38 +0000 (UTC)
Received: from idiom.com (postfix@mx0.idiom.com [216.240.32.160])
	by out-0.mx.aerioconnect.net (8.13.8/8.13.8) with ESMTP id
	o94LMbS9008490; Mon, 4 Oct 2010 14:22:37 -0700
X-Client-Authorized: MaGic Cook1e
X-Client-Authorized: MaGic Cook1e
X-Client-Authorized: MaGic Cook1e
X-Client-Authorized: MaGic Cook1e
Received: from julian-mac.elischer.org
	(h-67-100-89-137.snfccasy.static.covad.net [67.100.89.137])
	by idiom.com (Postfix) with ESMTP id 764232D601A;
	Mon,  4 Oct 2010 14:22:36 -0700 (PDT)
Message-ID: <4CAA45CC.8020304@freebsd.org>
Date: Mon, 04 Oct 2010 14:23:24 -0700
From: Julian Elischer <julian@freebsd.org>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US;
	rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: Eduardo Meyer <dudu.meyer@gmail.com>
References: <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com>	<AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com>	<AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com>	<4CAA1E7B.1020107@freebsd.org>
	<AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq+@mail.gmail.com>
In-Reply-To: <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq+@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 216.240.47.51
Cc: Brandon Gooch <jamesbrandongooch@gmail.com>, ipfw@freebsd.org,
	Adrian Chadd <adrian@ucc.gu.uwa.edu.au>
Subject: Re: layer2 ipfw 'fwd' support
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Oct 2010 21:22:39 -0000

  On 10/4/10 12:18 PM, Eduardo Meyer wrote:
> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer<julian@freebsd.org>  wrote:
>>   On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
>>> <jamesbrandongooch@gmail.com>    wrote:
>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer<dudu.meyer@gmail.com>
>>>>   wrote:
>>>>> Hello,
>>>>>
>>>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>>>
>>>>>
>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>
>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>>> to following piece of code:
>>>>>
>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>         if (m->m_flags&    M_FASTFWD_OURS) {
>>>>>                 m->m_flags&= ~M_FASTFWD_OURS;
>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE
>>>>> */
>>>>>         }
>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL))
>>>>> != 0) {
>>>>>                 /*
>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>                  * packets originally destined to us to some other
>>>>> directly
>>>>>                  * connected host.
>>>>>                  */
>>>>>                 ip_forward(m, dchg);
>>>>>                 return;
>>>>>         }
>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>
>>>>> And this is something we are not sure if its correct.
>>>>>
>>>>> So my very obvious question is:
>>>>>
>>>>> Does anyone has a recent version of this patch to share?
>>>>>
>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>
>>>> I'm certainly not an expert, but I wonder if the patch your referring
>>>> to is still required? Can you provide more detail about your
>>>> particular application?
>>>>
>>>> -Brandon
>>> Yes, its still required since ipfw fwd ignores layer2 frames.
>>>
>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>> fork).
>>>
>>> Thank you for your interest.
>> Cisco/Ironport have a patch that does this..
>> I had permission to bring it back when I worked there but never got it
>> committed.
>>
>> Adrian, was it part of the set I gave you?
> Hello Elischer,
>
> Was this made public?
>
> I hope Chadd has some good news. In fact I tent to use with Lusca in
> tproxy mode. I bet this is the only missing piece of software.
>

I just dug up my old changes.
do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)

If you want to fwd from a bridge to make a transparent layer 2 proxy, 
this may help..


Here are parts of it that may be relevent:
these are old (2007 I think) but may be of use still.

adrian had the full set at

==quote adrian=====
   The stuff is in p4 now, but I haven't tested it out at all.

     //depo/projects/adrian_spoof_clientip/   I -think-.
== end quote===




Index: net/if_bridge.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
retrieving revision 1.107
diff -u -r1.107 if_bridge.c
--- net/if_bridge.c	6 Nov 2007 23:01:42 -0000	1.107
+++ net/if_bridge.c	28 Nov 2007 06:59:10 -0000
@@ -2908,6 +2908,11 @@
  	struct ip *ip;
  	struct llc llc1;
  	u_int16_t ether_type;
+	int	is_ip = 0;
+#ifdef IPFIREWALL_FORWARD
+	struct m_tag *fwd_tag;
+#endif
+

  	snap = 0;
  	error = -1;	/* Default error if not error == 0 */
@@ -2967,6 +2972,7 @@
  #ifdef INET6
  		case ETHERTYPE_IPV6:
  #endif /* INET6 */
+			is_ip = 1;
  			break;
  		default:
  			/*
@@ -3024,6 +3030,30 @@

  		if (*mp == NULL)
  			return (error);
+
+#ifdef IPFIREWALL_FORWARD
+	       /*
+		* Did the firewall want to forward it somewhere?
+		* If so, let the ip stack handle it.
+		*/
+	       if (i == 0&&  args.next_hop != NULL&&
+			is_ip /*&&  src != NULL */) {
+
+		       fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
+				       sizeof(struct sockaddr_in), M_NOWAIT);
+		       if (fwd_tag == NULL)
+			       goto drop;
+		       bcopy(args.next_hop, (fwd_tag+1),
+				sizeof(struct sockaddr_in));
+		       m_tag_prepend(*mp, fwd_tag);
+
+		       if (in_localip(args.next_hop->sin_addr))
+			       (*mp)->m_flags |= M_FASTFWD_OURS;
+		       ether_demux(src, *mp);
+		       return (NULL);
+	       }
+#endif
+

  		if (DUMMYNET_LOADED&&  (i == IP_FW_DUMMYNET)) {

==================
Index: netinet/ip_fw2.c
===================================================================
RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.178
diff -u -r1.178 ip_fw2.c
--- netinet/ip_fw2.c	28 Oct 2007 17:12:47 -0000	1.178
+++ netinet/ip_fw2.c	28 Nov 2007 06:59:10 -0000

@@ -3446,8 +3507,10 @@
  			case O_FORWARD_IP: {
  				struct sockaddr_in *sa;
  				sa =&(((ipfw_insn_sa *)cmd)->sa);
+#if 0
  				if (args->eh)	/* not valid on layer2 pkts */
  					break;
+#endif
  				if (!q || dyn_dir == MATCH_FORWARD) {
  					if (sa->sin_addr.s_addr == INADDR_ANY) {
  						bcopy(sa,&args->hopstore,

=============================================
Index: netinet/ip_output.c