Date: Mon, 04 Oct 2010 14:23:24 -0700
From: Julian Elischer <julian@freebsd.org>
To: Eduardo Meyer <dudu.meyer@gmail.com>
Cc: Brandon Gooch <jamesbrandongooch@gmail.com>, ipfw@freebsd.org, Adrian Chadd <adrian@ucc.gu.uwa.edu.au>
Subject: Re: layer2 ipfw 'fwd' support
Message-ID: <4CAA45CC.8020304@freebsd.org>
In-Reply-To: <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq%2B@mail.gmail.com>
References: <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com> <AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com> <AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com> <4CAA1E7B.1020107@freebsd.org> <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq%2B@mail.gmail.com>
On 10/4/10 12:18 PM, Eduardo Meyer wrote:
> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer <julian@freebsd.org> wrote:
>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
>>> <jamesbrandongooch@gmail.com> wrote:
>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer <dudu.meyer@gmail.com>
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>>>
>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>
>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>>> the following piece of code:
>>>>>
>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>         }
>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>                 /*
>>>>>                  * Directly ship the packet on. This allows forwarding
>>>>>                  * packets originally destined to us to some other directly
>>>>>                  * connected host.
>>>>>                  */
>>>>>                 ip_forward(m, dchg);
>>>>>                 return;
>>>>>         }
>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>
>>>>> And this is something we are not sure if it's correct.
>>>>>
>>>>> So my very obvious question is:
>>>>>
>>>>> Does anyone have a recent version of this patch to share?
>>>>>
>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>
>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>> to is still required? Can you provide more detail about your
>>>> particular application?
>>>>
>>>> -Brandon
>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>
>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>> fork).
>>>
>>> Thank you for your interest.
>> Cisco/Ironport have a patch that does this..
>> I had permission to bring it back when I worked there but never got it
>> committed.
>>
>> Adrian, was it part of the set I gave you?
> Hello Elischer,
>
> Was this made public?
>
> I hope Chadd has some good news. In fact I tend to use with Lusca in
> tproxy mode. I bet this is the only missing piece of software.
>

I just dug up my old changes.
do you want to fwd from a bridge? or what?
(it makes a difference what patches are needed)

If you want to fwd from a bridge to make a transparent layer 2 proxy,
this may help..

Here are parts of it that may be relevant:
these are old (2007 I think) but may be of use still.

adrian had the full set at
==quote adrian=====
The stuff is in p4 now, but I haven't tested it out at all.

//depo/projects/adrian_spoof_clientip/

I -think-.
== end quote===

Index: net/if_bridge.c =================================================================== RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v retrieving revision 1.107 diff -u -r1.107 if_bridge.c --- net/if_bridge.c 6 Nov 2007 23:01:42 -0000 1.107 +++ net/if_bridge.c 28 Nov 2007 06:59:10 -0000 @@ -2908,6 +2908,11 @@ struct ip *ip; struct llc llc1; u_int16_t ether_type; + int is_ip = 0; +#ifdef IPFIREWALL_FORWARD + struct m_tag *fwd_tag; +#endif + snap = 0; error = -1; /* Default error if not error == 0 */ @@ -2967,6 +2972,7 @@ #ifdef INET6 case ETHERTYPE_IPV6: #endif /* INET6 */ + is_ip = 1; break; default: /* 
@@ -3024,6 +3030,30 @@ if (*mp == NULL) return (error); + +#ifdef IPFIREWALL_FORWARD + /* + * Did the firewall want to forward it somewhere? + * If so, let the ip stack handle it. + */ + if (i == 0&& args.next_hop != NULL&& + is_ip /*&& src != NULL */) { + + fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, + sizeof(struct sockaddr_in), M_NOWAIT); + if (fwd_tag == NULL) + goto drop; + bcopy(args.next_hop, (fwd_tag+1), + sizeof(struct sockaddr_in)); + m_tag_prepend(*mp, fwd_tag); + + if (in_localip(args.next_hop->sin_addr)) + (*mp)->m_flags |= M_FASTFWD_OURS; + ether_demux(src, *mp); + return (NULL); + } +#endif + if (DUMMYNET_LOADED&& (i == IP_FW_DUMMYNET)) { ================== Index: netinet/ip_fw2.c =================================================================== RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v retrieving revision 1.178 diff -u -r1.178 ip_fw2.c --- netinet/ip_fw2.c 28 Oct 2007 17:12:47 -0000 1.178 +++ netinet/ip_fw2.c 28 Nov 2007 06:59:10 -0000 @@ -3446,8 +3507,10 @@ case O_FORWARD_IP: { struct sockaddr_in *sa; sa =&(((ipfw_insn_sa *)cmd)->sa); +#if 0 if (args->eh) /* not valid on layer2 pkts */ break; +#endif if (!q || dyn_dir == MATCH_FORWARD) { if (sa->sin_addr.s_addr == INADDR_ANY) { bcopy(sa,&args->hopstore, ============================================= Index: netinet/ip_output.c
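Review bot: in the if_bridge.c `@@ -2908` hunk, `int is_ip = 0;` is declared (and later assigned in the `@@ -2967` hunk) unconditionally, but it is only read inside the `#ifdef IPFIREWALL_FORWARD` block added further down, so kernels built without IPFIREWALL_FORWARD get a set-but-unused variable warning. Move the declaration and the `is_ip = 1;` assignment under the same `#ifdef` that already guards `fwd_tag`, or fold the ethertype test into the forwarding block itself.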
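Review bot: in the if_bridge.c `@@ -3024` hunk, the new forwarding block hands the mbuf to `ether_demux(src, *mp)` but leaves `*mp` pointing at it and then does `return (NULL);` from a function whose other exits return the integer `error` (see `return (error);` in the context just above); callers that test `*mp == NULL` to learn that the packet was consumed will keep processing an mbuf the IP stack now owns. Suggest `*mp = NULL;` followed by `return (0);` at the end of the block. Two smaller points in the same hunk: the `src != NULL` guard is commented out of the `if`, yet `src` is passed straight to `ether_demux`, so either restore the guard or document why `src` cannot be NULL on this path; and the `goto drop` target is not in the visible context, so confirm a `drop` label exists in bridge_pfil at revision 1.107.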
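Review bot: in the ip_fw2.c `@@ -3446` hunk, wrapping the `if (args->eh) /* not valid on layer2 pkts */ break;` check in `#if 0` leaves dead code behind and, more importantly, lets `O_FORWARD_IP` match on every layer2 caller of the firewall, not only the bridge path this patch teaches to act on `args.next_hop`; any other layer2 entry point will now be handed a `next_hop` it may silently ignore. Either keep the exemption conditional on the caller being able to honour the forward, or delete the dead lines outright and add a comment stating which layer2 paths are expected to consume `next_hop`.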
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4CAA45CC.8020304>