Date:      Fri, 23 Mar 2001 07:52:11 -0800 (PST)
From:      bugs@daemon.se
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/26030: IPDIVERT problems with ipfw as module
Message-ID:  <200103231552.f2NFqBO68889@freefall.freebsd.org>


>Number:         26030
>Category:       kern
>Synopsis:       IPDIVERT problems with ipfw as module
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 23 08:00:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Håkan Carlsson
>Release:        4.2-RELEASE
>Organization:
daemon software
>Environment:
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Feb  9 13:38:52
CET 2001     root@pro.easylogic.se:/usr/src/sys/compile/GENERIC  i386

>Description:
IPDIVERT does not work when built into the ipfw module.
Have tested the same setup with a modified ipfw module (Makefile below)
and could not get the packets diverted to the receiving process.
When IPDIVERT is built into the kernel (along with IPFIREWALL etc)
it works...
It seems like the packets are discarded (see ipfw show logs below), ktrace-ing
the receiving process shows that there isn't anything received in the
ipfw-module case.

# uname -a      # with IPDIVERT in ipfw module
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Feb  9 13:38:52
CET 2001     root@pro.easylogic.se:/usr/src/sys/compile/GENERIC  i386


# uname -a      # with IPDIVERT built into kernel
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Mar 23 15:23:03
GMT 2001     root@machine.dot.com:/usr/src/sys/compile/IPDIVERT  i386


# ipfw show     # with IPDIVERT in ipfw module
<some lines removed>
01200 11  660 divert 5555 ip from any to any recv xl0
01300  0    0 allow ip from any to any


# ipfw show     # with IPDIVERT built into kernel
<some lines removed>
01200 360 21504 divert 5555 ip from any to any recv xl0
01300 360 21504 allow ip from any to any


# cat /sys/modules/ipfw/Makefile
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $

.PATH:  ${.CURDIR}/../../netinet
KMOD=   ipfw
SRCS=   ip_fw.c
NOMAN=
CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
CFLAGS+= -DIPFIREWALL_VERBOSE
#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
#
#If you want it to pass all packets by default
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
#
#If you want ipdivert
CFLAGS+= -DIPDIVERT
#
.include <bsd.kmod.mk>


# cat /boot/loader.conf
ipfw_load="YES"                 # Firewall

>How-To-Repeat:
Trying to use IPDIVERT in ipfw-module (I guess natd would fail too).
>Fix:
Build a kernel with IPDIVERT (along with IPFIREWALL etc)
>Release-Note:
>Audit-Trail:
>Unformatted:
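
The counter pattern in the two `ipfw show` listings above can be checked mechanically. The script below is an added example, not part of the original report or of FreeBSD; `check_divert` is a hypothetical helper name. It assumes the divert listener reinjects packets, which then resume at the rule after the divert rule, so a divert rule with hits and no hits on any later rule is only a heuristic sign that packets are being lost.

```shell
#!/bin/sh
# Sample inputs: the rule lines from the two `ipfw show` listings in the report.
MODULE_CASE='<some lines removed>
01200 11  660 divert 5555 ip from any to any recv xl0
01300  0    0 allow ip from any to any'
KERNEL_CASE='<some lines removed>
01200 360 21504 divert 5555 ip from any to any recv xl0
01300 360 21504 allow ip from any to any'

# check_divert (hypothetical helper): reads `ipfw show` output on stdin.
# For every divert rule that matched packets, sum the packet counters of all
# later rules. A sum of zero means nothing came back from the divert port.
# Prints one line per divert rule; exit status 1 if any rule looks stalled.
check_divert() {
  awk '
    # Rule lines look like: <rule> <packets> <bytes> <action> [arg] ...
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
      n++; rule[n] = $1; pkts[n] = $2 + 0; act[n] = $4; arg[n] = $5
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        if (act[i] != "divert" || pkts[i] == 0) continue
        if (i == n) {
          # No later rule in the listing: nothing to compare against.
          printf "UNKNOWN rule=%s port=%s diverted=%d\n", rule[i], arg[i], pkts[i]
          continue
        }
        later = 0
        for (j = i + 1; j <= n; j++) later += pkts[j]
        if (later == 0) {
          printf "STALLED rule=%s port=%s diverted=%d\n", rule[i], arg[i], pkts[i]
          bad = 1
        } else {
          printf "OK rule=%s port=%s diverted=%d later=%d\n", rule[i], arg[i], pkts[i], later
        }
      }
      exit bad
    }'
}

# Stand-alone demonstration on the two samples.
printf '%s\n' "$MODULE_CASE" | check_divert || true
printf '%s\n' "$KERNEL_CASE" | check_divert || true
```

On a live system the same function can be fed with `ipfw show | check_divert`; a listener that intentionally drops everything it receives will also show up as STALLED.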
