Date: Tue, 30 Nov 2004 20:57:59 +0100
From: Max Laier <max@love2party.net>
To: freebsd-ipfw@freebsd.org
Cc: "James R. Van Artsalen" <james@jrv.org>
Subject: Re: FreeBSD 5.3 routing IPFW FWD'd packets?
Message-ID: <200411302058.07224.max@love2party.net>
In-Reply-To: <41ACBEDF.3020001@jrv.org>
References: <41AC571E.2020503@jrv.org> <7261A3E8-42C2-11D9-AC2A-000A95A0BB90@bnc.net> <41ACBEDF.3020001@jrv.org>
On Tuesday 30 November 2004 19:41, James R. Van Artsalen wrote:
> Achim Patzner wrote:
> > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > seem to work. Is it possible that packets are somehow being routed
> > after being FWD'd by IPFW?
> >
> > The counters show that the rule is applied, too. Just the "fwd" part
> > is not happening.
>
> I'm suspicious of this code in netinet/ip_output.c:
>
> #ifdef IPFIREWALL_FORWARD
> ...
>     fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
>     if (fwd_tag) {
>         if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
>             dst = (struct sockaddr_in *)&ro->ro_dst;
>             bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
>             m->m_flags |= M_SKIP_FIREWALL;
>             m_tag_delete(m, fwd_tag);
>             goto again;
>         } else {
>             m_tag_delete(m, fwd_tag);
>             /* Continue. */
>         }
>     }
> #endif
>
> passout:
>
> This seems to be where FWD is handled in this case. The problem is that
> 33 lines above I see this code:
>
>     /* Jump over all PFIL processing if hooks are not active. */
>     if (inet_pfil_hook.ph_busy_count == -1)
>         goto passout;
>
> It looks to me like IPFW forwarding isn't going to happen here unless
> there is some PFIL around.

That should be taken care of as IPFW is a PFIL consumer now. The only problem
I can think of - right now - is that your kernel is missing "options
IPFIREWALL_FORWARD". You might still want to try to move the "passout:"-label
up just above the "#ifdef IPFIREWALL_FORWARD" line.
--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
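
The control flow discussed in this message, as an added example that is not part of the original e-mail or of the FreeBSD source: a user-space C model of the quoted fragment, showing when a forward tag takes effect for each placement of the `passout:` label. `model_ip_output`, `struct pkt`, `enum outcome` and the `label_above_fwd` switch are hypothetical names, and the packets are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of the quoted ip_output() fragment. Every name below is a
 * hypothetical stand-in for illustration; none of this is kernel code. */
enum outcome { SENT_ORIGINAL_DST, SENT_FWD_DST };

struct pkt {
    bool has_fwd_tag;       /* m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL */
    bool src_is_local;      /* in_localip(ip->ip_src) */
    bool dst_on_local_net;  /* in_localaddr(ip->ip_dst) */
};

/* label_above_fwd == false: "passout:" sits after #endif, as quoted.
 * label_above_fwd == true:  "passout:" moved above the #ifdef, as suggested. */
enum outcome model_ip_output(struct pkt p, bool hooks_active, bool label_above_fwd)
{
    enum outcome result = SENT_ORIGINAL_DST;

    if (!hooks_active && !label_above_fwd)
        goto passout;               /* jump lands below the forward block */

    /* Forward block: reached after the hooks ran, or via the moved label. */
    if (p.has_fwd_tag && !p.src_is_local && !p.dst_on_local_net)
        result = SENT_FWD_DST;      /* dst rewritten from the tag, "goto again" */
    /* Otherwise the tag is deleted and the packet keeps its destination. */

passout:
    return result;
}

int main(void)
{
    /* Constructed inputs: tagged packets, one transit and one locally sourced. */
    struct pkt transit = { true, false, false };
    struct pkt local_src = { true, true, false };

    printf("hooks active,   label as quoted: %d\n", model_ip_output(transit, true, false));
    printf("hooks inactive, label as quoted: %d\n", model_ip_output(transit, false, false));
    printf("hooks inactive, label moved up:  %d\n", model_ip_output(transit, false, true));
    printf("hooks active,   local source:    %d\n", model_ip_output(local_src, true, false));
    return 0;
}
```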
