Date:      Tue, 30 Nov 2004 20:57:59 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-ipfw@freebsd.org
Cc:        "James R. Van Artsalen" <james@jrv.org>
Subject:   Re: FreeBSD 5.3 routing IPFW FWD'd packets?
Message-ID:  <200411302058.07224.max@love2party.net>
In-Reply-To: <41ACBEDF.3020001@jrv.org>
References:  <41AC571E.2020503@jrv.org> <7261A3E8-42C2-11D9-AC2A-000A95A0BB90@bnc.net> <41ACBEDF.3020001@jrv.org>


On Tuesday 30 November 2004 19:41, James R. Van Artsalen wrote:
> Achim Patzner wrote:
> > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > seem to work.  Is it possible that packets are somehow being routed
> > after being FWD'd by IPFW?
> >
> > The counters show that the rule is applied, too. Just the "fwd" part
> > is not happening.
>
> I'm suspicious of this code in netinet/ip_output.c:
>
> #ifdef IPFIREWALL_FORWARD
> ...
>         fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
>         if (fwd_tag) {
>                 if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
>                         dst = (struct sockaddr_in *)&ro->ro_dst;
>                         bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
>                         m->m_flags |= M_SKIP_FIREWALL;
>                         m_tag_delete(m, fwd_tag);
>                         goto again;
>                 } else {
>                         m_tag_delete(m, fwd_tag);
>                         /* Continue. */
>                 }
>         }
> #endif
>
> passout:
>
> this seems to be where FWD is handled in this case.  The problem is that
> 33 lines above I see this code:
>
>         /* Jump over all PFIL processing if hooks are not active. */
>         if (inet_pfil_hook.ph_busy_count == -1)
>                 goto passout;
>
> It looks like me like IPFW forwarding isn't going to happen here unless
> there is some PFIL around.

That should be taken care of as IPFW is a PFIL consumer now. The only problem
I can think of - right now - is that your kernel is missing "options
IPFIREWALL_FORWARD". You might still want to try to move the "passout:"-label
up just above the "#ifdef IPFIREWALL_FORWARD" line.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
