From: Eduardo Meyer
To: Julian Elischer
Cc: Brandon Gooch, ipfw@freebsd.org, Adrian Chadd
Date: Mon, 4 Oct 2010 19:56:25 -0300
Subject: Re: layer2 ipfw 'fwd' support
List-Id: IPFW Technical Discussions

On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer wrote:
> On 10/4/10 12:18 PM, Eduardo Meyer wrote:
>>
>> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer wrote:
>>>
>>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>>>
>>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch wrote:
>>>>>
>>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> In the past I have used this patch by Luigi Rizzo, which helped me
>>>>>> well.
>>>>>>
>>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>>
>>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>>>> the following piece of code:
>>>>>>
>>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>>         }
>>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>>                 /*
>>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>>                  * packets originally destined to us to some other
>>>>>>                  * directly connected host.
>>>>>>                  */
>>>>>>                 ip_forward(m, dchg);
>>>>>>                 return;
>>>>>>         }
>>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>>
>>>>>> And this is something we are not sure if it's correct.
>>>>>>
>>>>>> So my very obvious question is:
>>>>>>
>>>>>> Does anyone have a recent version of this patch to share?
>>>>>>
>>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>>
>>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>>> to is still required? Can you provide more detail about your
>>>>> particular application?
>>>>>
>>>>> -Brandon
>>>>
>>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>>
>>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>>> fork).
>>>>
>>>> Thank you for your interest.
>>>
>>> Cisco/Ironport have a patch that does this..
>>> I had permission to bring it back when I worked there but never got it
>>> committed.
>>>
>>> Adrian, was it part of the set I gave you?
>>
>> Hello Elischer,
>>
>> Was this made public?
>>
>> I hope Chadd has some good news. In fact I tend to use with Lusca in
>> tproxy mode. I bet this is the only missing piece of software.
>>
>
> I just dug up my old changes.
> do you want to fwd from a bridge? or what?
> (it makes a difference what patches are needed)

Yes, that's exactly what I want.

>
> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
> may help..
>
>
> Here are parts of it that may be relevant:
> these are old (2007 I think) but may be of use still.

Thank you, I will try it right now.

>
> adrian had the full set at
>
> ==quote adrian=====
>  The stuff is in p4 now, but I haven't tested it out at all.
>
>     //depo/projects/adrian_spoof_clientip/   I -think-.
> == end quote===
>
>
>
>
> Index: net/if_bridge.c
> ===================================================================
> RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
> retrieving revision 1.107
> diff -u -r1.107 if_bridge.c
> --- net/if_bridge.c     6 Nov 2007 23:01:42 -0000       1.107
> +++ net/if_bridge.c     28 Nov 2007 06:59:10 -0000
> @@ -2908,6 +2908,11 @@
>         struct ip *ip;
>         struct llc llc1;
>         u_int16_t ether_type;
> +       int     is_ip = 0;
> +#ifdef IPFIREWALL_FORWARD
> +       struct m_tag *fwd_tag;
> +#endif
> +
>
>         snap = 0;
>         error = -1;     /* Default error if not error == 0 */
> @@ -2967,6 +2972,7 @@
>  #ifdef INET6
>                 case ETHERTYPE_IPV6:
>  #endif /* INET6 */
> +                       is_ip = 1;
>                         break;
>                 default:
>                         /*
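Review bot: in the `@@ -2908,6 +2908,11 @@` hunk, `int is_ip = 0;` is declared unconditionally while its only reader is the `#ifdef IPFIREWALL_FORWARD` block added later in the same function, so a kernel built without that option gets a variable that is assigned and never read (a set-but-unused warning on newer compilers); move the declaration inside the same `#ifdef` as `struct m_tag *fwd_tag;`, and drop the extra `+` blank line, which leaves two empty lines before `snap = 0;`.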
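Review bot: in the `@@ -2967,6 +2972,7 @@` hunk, the `case ETHERTYPE_IPV6:` label (under INET6) falls through to the new `is_ip = 1;`, but the forwarding block this flag gates copies a `struct sockaddr_in` next hop and calls `in_localip()` on `sin_addr`, neither of which is meaningful for an IPv6 frame; either set the flag only for `ETHERTYPE_IP` or rename it `is_ipv4` and keep the IPv6 case out of it.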
> @@ -3024,6 +3030,30 @@
>
>                 if (*mp == NULL)
>                         return (error);
> +
> +#ifdef IPFIREWALL_FORWARD
> +               /*
> +                * Did the firewall want to forward it somewhere?
> +                * If so, let the ip stack handle it.
> +                */
> +               if (i == 0 && args.next_hop != NULL &&
> +                           is_ip /*&& src != NULL */) {
> +
> +                       fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
> +                                           sizeof(struct sockaddr_in), M_NOWAIT);
> +                       if (fwd_tag == NULL)
> +                               goto drop;
> +                       bcopy(args.next_hop, (fwd_tag+1),
> +                               sizeof(struct sockaddr_in));
> +                       m_tag_prepend(*mp, fwd_tag);
> +
> +                       if (in_localip(args.next_hop->sin_addr))
> +                               (*mp)->m_flags |= M_FASTFWD_OURS;
> +                       ether_demux(src, *mp);
> +                       return (NULL);
> +               }
> +#endif
> +
>
>                 if (DUMMYNET_LOADED && (i == IP_FW_DUMMYNET)) {
>
> ==================
> Index: netinet/ip_fw2.c
> ===================================================================
> RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
> retrieving revision 1.178
> diff -u -r1.178 ip_fw2.c
> --- netinet/ip_fw2.c    28 Oct 2007 17:12:47 -0000      1.178
> +++ netinet/ip_fw2.c    28 Nov 2007 06:59:10 -0000
>
> @@ -3446,8 +3507,10 @@
>                         case O_FORWARD_IP: {
>                                 struct sockaddr_in *sa;
>                                 sa = &(((ipfw_insn_sa *)cmd)->sa);
> +#if 0
>                                 if (args->eh)   /* not valid on layer2 pkts */
>                                         break;
> +#endif
>                                 if (!q || dyn_dir == MATCH_FORWARD) {
>                                         if (sa->sin_addr.s_addr == INADDR_ANY) {
>                                                 bcopy(sa, &args->hopstore,
>
> ================================================
> Index: netinet/ip_output.c
>
>
>
>

-- 
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br
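Review bot: mbuf ownership is lost on the forwarding path of the `@@ -3024,6 +3030,30 @@` hunk in if_bridge.c: `ether_demux(src, *mp);` consumes the packet, but `*mp` is left pointing at it and the function then does `return (NULL);`, which in an `int`-returning function is 0, i.e. success, so a caller that checks `*mp != NULL` after a zero return will continue bridging an mbuf that has already been handed to the IP stack. Set `*mp = NULL;` before returning and return `0` explicitly rather than `NULL`. Two smaller points in the same block: the `src != NULL` guard is commented out of the condition while `src` is dereferenced by `ether_demux()` a few lines later, so it must hold on every path that reaches this block; and the `goto drop;` on `m_tag_get()` failure has to free `*mp` and clear it, which this fragment does not show.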
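Review bot: in the `@@ -3446,8 +3507,10 @@` hunk of ip_fw2.c, wrapping `if (args->eh) break;` in `#if 0` removes the layer-2 restriction on `O_FORWARD_IP` for every layer-2 caller of the firewall, not only the bridge path that now consumes `args.next_hop`, so a `fwd` match on a frame that did not come through the bridge sets a next hop nothing acts on; prefer a check that the caller will consume the next hop (or at least a comment explaining why the guard is gone) over dead `#if 0` code. Also, a header of `@@ -3446,8 +3507,10 @@` for a two-line addition means the new file carries 61 extra lines above this point from hunks not included in this mail, so the fragment is unlikely to apply cleanly to a stock revision 1.178.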