From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 15 08:08:48 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9F9B16A4CE for ; Mon, 15 Mar 2004 08:08:48 -0800 (PST)
Received: from mail1.firstlink.com (mail1.firstlink.com [66.37.141.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 710A643D45 for ; Mon, 15 Mar 2004 08:08:48 -0800 (PST) (envelope-from dvm@firstlink.com)
Received: from jackstraw (66-37-143-139.corp.firstlink.com [66.37.143.139]) by mail1.firstlink.com (Postfix) with ESMTP id 9D47CEBE0C for ; Mon, 15 Mar 2004 09:08:46 -0700 (MST)
From: Dan Vande More
To: freebsd-ipfw@freebsd.org
In-Reply-To: <1079114684.1240.22.camel@dvmgentoo>
References: <1079113870.1238.8.camel@dvmgentoo> <1079114684.1240.22.camel@dvmgentoo>
Content-Type: text/plain
Message-Id: <1079366908.1274.5.camel@dvmgentoo>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5
Date: Mon, 15 Mar 2004 09:08:28 -0700
Content-Transfer-Encoding: 7bit
Subject: Re: transparent squid bridge
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dvm@firstlink.com
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Mar 2004 16:08:48 -0000

/*Repost, does anyone have an answer?*/

Ok, to show I did try, here's my diff on the manual patching. I've triple-checked my work, and everything appears to be the way it is supposed to be. I don't see the expected behavior; if anyone sees anything wrong, I would appreciate some input.

Although the counter increases on rule 400 when a client requests a webpage on the other side of the bridge, a 'tcpdump port 80' on {proxy_server_ip_address} sees no packets whatsoever. A tcpdump on the bridge server (tcpdump -n port 80) shows the packets from the client going straight to the requested host, instead of being hijacked and sent to the proxy server.
************************************* bash-2.05b# egrep -v "^#" /etc/sysctl.conf sysctl net.link.ether.bridge_cfg='xl0 dc0' sysctl net.link.ether.bridge_ipfw=1 sysctl net.link.ether.bridge=1 sysctl net.inet.ip.forwarding=1 ************************************* ************************************** bash-2.05b# ipfw show 00100 56 2920 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 00400 21 1078 fwd {proxy_server_ip_address} tcp from any to any dst-port 80 65000 19137 2942276 allow ip from any to any 65535 0 0 deny ip from any to any ************************************** The diff of the pre and post manual patched files ************************************** bash-2.05b# diff -u ip_fw2.c.default ip_fw2.c --- ip_fw2.c.working Fri Mar 12 12:26:51 2004 +++ ip_fw2.c Fri Mar 12 12:31:18 2004 @@ -2061,12 +2061,33 @@ goto done; case O_FORWARD_IP: + #if 0 if (args->eh) /* not valid on layer2 pkts */ break; + #endif if (!q || dyn_dir == MATCH_FORWARD) args->next_hop = &((ipfw_insn_sa *)cmd)->sa; retval = 0; + if (args->eh) { + struct m_hdr tag; + + if (hlen == 0) /* non IP */ + break; + /* + * tag with PACKET_TAG_IPFORWARD + * call ip_input() (need ip_forwarding=1 + * if this has to go out) + * mark packet as comsumed by the firewall + */ + tag.mh_type = MT_TAG; + tag.mh_flags = PACKET_TAG_IPFORWARD; + tag.mh_data = (caddr_t)args->next_hop; + tag.mh_next = m; + args->m = NULL; + retval = IP_FW_PORT_DENY_FLAG; + ip_input((struct mbuf *)&tag); + } goto done; default: ************************************** ip_input: ************************************** bash-2.05b# diff -u ip_input.c.working ip_input.c --- ip_input.c.working Fri Mar 12 12:31:30 2004 +++ ip_input.c Fri Mar 12 12:32:38 2004 
@@ -509,7 +509,7 @@ * skip the firewall a second time */ if (args.next_hop) - goto ours; + goto pass; /* XXX was 'ours' */; args.m = m; i = ip_fw_chk_ptr(&args); ************************************** uname -a ************************************** FreeBSD squid.mydomain.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Fri Mar 12 14:54:27 MST 2004 root@squid.mydomain.com:/usr/src/sys/i386/compile/squid i386 ************************************** Thanks again! Dan Vande More On Fri, 2004-03-12 at 11:04, Dan Vande More wrote: > I did try it manually, several times. My question in that scenario, is: > > Will it still work with: > > src/sys/netinet/ip_fw2.c,v 1.51.2.1 2003/12/23 12:25:56 maxim > > and > > src/sys/netinet/ip_input.c,v 1.259 2003/11/26 20:31:13 andre > > When I did apply it manually, it *seemed* like it didn't work. I admit > it could have easily been user error. > > Thanks! > > Dan > > On Fri, 2004-03-12 at 11:00, Luigi Rizzo wrote: > > On Fri, Mar 12, 2004 at 10:51:10AM -0700, Dan Vande More wrote: > > > Hey all > > > > how about applying the patch manually ? It is so trivial > > it would have taken less than posting this message... > > > > cheers > > luigi > >
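Review bot: in the ip_fw2.c hunk the `if (hlen == 0) break;` guard sits after `args->next_hop = &((ipfw_insn_sa *)cmd)->sa;` and `retval = 0;` have already run, so a non-IP layer-2 frame now leaves the case with `args->next_hop` pointing at the rule's sockaddr even though nothing was redirected; before the patch the `if (args->eh) break;` check ran first and such frames never reached the assignment. Move the `hlen == 0` check ahead of the assignment, or clear `args->next_hop` before breaking. Two smaller points: wrapping the old `args->eh` check in `#if 0` rather than deleting it leaves dead code, and the comment has a typo (`comsumed`). Given the symptom reported in the message (rule 400's counter increments yet tcpdump on the bridge shows the frame still going to its original destination), the first thing to verify is the caller's side of the contract this block sets up: after `ip_input((struct mbuf *)&tag)` the code returns `IP_FW_PORT_DENY_FLAG` with `args->m = NULL`, and the layer-2 caller must treat that as "packet consumed" and drop its own reference instead of continuing to bridge the original mbuf. Also, the diff was produced with `diff -u ip_fw2.c.default ip_fw2.c` but its header reads `--- ip_fw2.c.working`, so it is worth confirming the comparison base really is the pristine file.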
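Review bot: the ip_input.c hunk changes `goto ours;` to `goto pass; /* XXX was 'ours' */;` for packets arriving with `args.next_hop` already set, which is what keeps a frame re-injected from the bridge path from being delivered locally and lets it reach the forwarding code instead; the `XXX` comment should state that reason, because a later reader will only see that local delivery was bypassed. The trailing `;` after the comment is a stray empty statement and should be dropped. Since this change only affects what happens once the firewall is skipped, it cannot by itself explain the redirect not taking effect at all; confirm that `pass` is reached with `args.next_hop` still non-NULL so the forwarding path actually sees the next hop.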
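The diagnostic used in the message above, watching whether rule 400's packet counter moves when a request crosses the bridge, can be automated so that every rule a test flow touched is listed, not just the one being stared at. The following is an added example, not code from this thread or from FreeBSD: it parses `ipfw show` output (rule number, packet counter, byte counter, rule text) and diffs two snapshots. The "before" table is the one from the post, including its `{proxy_server_ip_address}` placeholder; the "after" table is constructed for the example to stand in for a second `ipfw show` taken after one HTTP request.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of "ipfw show": rule number, packet counter, byte counter, rule text.
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# Constructed sample: the ruleset from the post, as pasted from the terminal
# (the prompt line is deliberately left in to show it is skipped).
SNAPSHOT_BEFORE = """\
bash-2.05b# ipfw show
00100 56 2920 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 21 1078 fwd {proxy_server_ip_address} tcp from any to any dst-port 80
65000 19137 2942276 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# Constructed sample: the same table after one test request crossed the bridge.
SNAPSHOT_AFTER = """\
00100 58 3000 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 24 1234 fwd {proxy_server_ip_address} tcp from any to any dst-port 80
65000 19150 2943000 allow ip from any to any
65535 0 0 deny ip from any to any
"""


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    octets: int
    body: str


def parse_ipfw_show(text: str) -> dict[int, Rule]:
    """Parse `ipfw show` output into {rule number: Rule}.

    Lines that do not carry the counter format (blank lines, shell prompts)
    are skipped so a pasted terminal session can be fed in unchanged.
    """
    rules: dict[int, Rule] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        number, packets, octets, body = m.groups()
        rules[int(number)] = Rule(int(number), int(packets), int(octets), body)
    return rules


def counter_delta(before: dict[int, Rule], after: dict[int, Rule]) -> dict[int, tuple[int, int]]:
    """Return {rule number: (packets added, bytes added)} for rules whose counters moved.

    A rule present in only one snapshot is compared against zero, so a rule
    added or deleted between the two runs still shows up in the result.
    """
    delta: dict[int, tuple[int, int]] = {}
    for number in sorted(set(before) | set(after)):
        b = before.get(number)
        a = after.get(number)
        dp = (a.packets if a else 0) - (b.packets if b else 0)
        db = (a.octets if a else 0) - (b.octets if b else 0)
        if dp or db:
            delta[number] = (dp, db)
    return delta


def fwd_rules_hit(before: dict[int, Rule], after: dict[int, Rule]) -> list[int]:
    """Numbers of `fwd` rules whose packet counter increased between the snapshots.

    A hit here only proves the rule matched; whether the redirect was honoured
    downstream still has to be checked with tcpdump on the next hop.
    """
    delta = counter_delta(before, after)
    return [
        n for n, (dp, _) in delta.items()
        if dp > 0 and n in after and after[n].body.startswith("fwd ")
    ]


if __name__ == "__main__":
    before = parse_ipfw_show(SNAPSHOT_BEFORE)
    after = parse_ipfw_show(SNAPSHOT_AFTER)
    for number, (dp, db) in counter_delta(before, after).items():
        print(f"rule {number:05d}: +{dp} packets, +{db} bytes  {after[number].body}")
    print("fwd rules that matched:", fwd_rules_hit(before, after))
```

In practice the two snapshots come from running `ipfw show` immediately before and after a single request from a client behind the bridge; a rule that moves only in the catch-all allow rule, with the fwd rule unchanged, points at a matching problem, while the pattern shown above (fwd rule matched, proxy sees nothing) points at the redirect not being honoured after the match.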