Date: Thu, 7 Oct 2010 22:23:57 +0300
From: Eduardo Meyer <dudu.meyer@gmail.com>
To: Julian Elischer <julian@freebsd.org>, ipfw@freebsd.org
Subject: Re: layer2 ipfw 'fwd' support
Message-ID: <AANLkTik2KEYACzjfTS%2BXpB3OiaJL-uYckbLbf2C0DWaS@mail.gmail.com>
In-Reply-To: <4CACE7DE.9020106@freebsd.org>
References: <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com> <AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com> <AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com> <4CAA1E7B.1020107@freebsd.org> <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq%2B@mail.gmail.com> <4CAA45CC.8020304@freebsd.org> <AANLkTikAd_fke1HfMgRy3h4fXpo7_DcX3E4%2BTu__3my8@mail.gmail.com> <4CAB8B35.7020703@freebsd.org> <AANLkTi=hoe%2BCaV6%2BbyagXYwzDRAHqCseh-M_44OxEeJO@mail.gmail.com> <4CACE7DE.9020106@freebsd.org>
On Thu, Oct 7, 2010 at 12:19 AM, Julian Elischer <julian@freebsd.org> wrote:
> On 10/6/10 12:06 PM, Eduardo Meyer wrote:
>>
>> On Tue, Oct 5, 2010 at 5:31 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>
>>> On 10/5/10 12:56 PM, Eduardo Meyer wrote:
>>>>
>>>> On Mon, Oct 4, 2010 at 6:23 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>>>
>>>>> On 10/4/10 12:18 PM, Eduardo Meyer wrote:
>>>>>>
>>>>>> On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer <julian@freebsd.org> wrote:
>>>>>>>
>>>>>>> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>>>>>>>
>>>>>>>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
>>>>>>>> <jamesbrandongooch@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer <dudu.meyer@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> In the past I have used this patch by Luigi Rizzo, which helped me
>>>>>>>>>> well.
>>>>>>>>>>
>>>>>>>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>>>>>>>
>>>>>>>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>>>>>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty
>>>>>>>>>> hacked the following piece of code:
>>>>>>>>>>
>>>>>>>>>> #ifdef IPFIREWALL_FORWARD
>>>>>>>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>>>>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>>>>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>>>>>>>         }
>>>>>>>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>>>>>>>                 /*
>>>>>>>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>>>>>>>                  * packets originally destined to us to some other directly
>>>>>>>>>>                  * connected host.
>>>>>>>>>>                  */
>>>>>>>>>>                 ip_forward(m, dchg);
>>>>>>>>>>                 return;
>>>>>>>>>>         }
>>>>>>>>>> #endif /* IPFIREWALL_FORWARD */
>>>>>>>>>>
>>>>>>>>>> And this is something we are not sure is correct.
>>>>>>>>>>
>>>>>>>>>> So my very obvious question is:
>>>>>>>>>>
>>>>>>>>>> Does anyone have a recent version of this patch to share?
>>>>>>>>>>
>>>>>>>>>> Can anyone familiar with ipfw source code help me with that?
>>>>>>>>>>
>>>>>>>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>>>>>>>> to is still required? Can you provide more detail about your
>>>>>>>>> particular application?
>>>>>>>>>
>>>>>>>>> -Brandon
>>>>>>>>
>>>>>>>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>>>>>>>
>>>>>>>> The application is the very same: squid. I mean, Lusca in fact (squid
>>>>>>>> fork).
>>>>>>>>
>>>>>>>> Thank you for your interest.
>>>>>>>
>>>>>>> Cisco/Ironport have a patch that does this..
>>>>>>> I had permission to bring it back when I worked there but never got it
>>>>>>> committed.
>>>>>>>
>>>>>>> Adrian, was it part of the set I gave you?
>>>>>>
>>>>>> Hello Elischer,
>>>>>>
>>>>>> Was this made public?
>>>>>>
>>>>>> I hope Chadd has some good news. In fact I tend to use it with Lusca in
>>>>>> tproxy mode. I bet this is the only missing piece of software.
>>>>>>
>>>>> I just dug up my old changes.
>>>>> do you want to fwd from a bridge? or what?
>>>>> (it makes a difference what patches are needed)
>>>>>
>>>>> If you want to fwd from a bridge to make a transparent layer 2 proxy, this
>>>>> may help..
>>>>>
>>>>> Here are parts of it that may be relevant:
>>>>> these are old (2007 I think) but may be of use still.
>>>>>
>>>>> adrian had the full set at
>>>>>
>>>>> ==quote adrian=====
>>>>>  The stuff is in p4 now, but I haven't tested it out at all.
>>>>>
>>>>>    //depo/projects/adrian_spoof_clientip/   I -think-.
>>>>> == end quote===
>>>>>
>>>>> Index: net/if_bridge.c
>>>>> ===================================================================
>>>>> RCS file: /usr/local/cvsroot/freebsd/src/sys/net/if_bridge.c,v
>>>>> retrieving revision 1.107
>>>>> diff -u -r1.107 if_bridge.c
>>>>> --- net/if_bridge.c     6 Nov 2007 23:01:42 -0000       1.107
>>>>> +++ net/if_bridge.c     28 Nov 2007 06:59:10 -0000
>>>>> @@ -2908,6 +2908,11 @@
>>>>>         struct ip *ip;
>>>>>         struct llc llc1;
>>>>>         u_int16_t ether_type;
>>>>> +       int     is_ip = 0;
>>>>> +#ifdef IPFIREWALL_FORWARD
>>>>> +       struct m_tag *fwd_tag;
>>>>> +#endif
>>>>> +
>>>>>
>>>>>         snap = 0;
>>>>>         error = -1;     /* Default error if not error == 0 */
>>>>> @@ -2967,6 +2972,7 @@
>>>>>  #ifdef INET6
>>>>>                 case ETHERTYPE_IPV6:
>>>>>  #endif /* INET6 */
>>>>> +                       is_ip = 1;
>>>>>                         break;
>>>>>                 default:
>>>>>                         /*
>>>>> @@ -3024,6 +3030,30 @@
>>>>>
>>>>>                 if (*mp == NULL)
>>>>>                         return (error);
>>>>> +
>>>>> +#ifdef IPFIREWALL_FORWARD
>>>>> +               /*
>>>>> +                * Did the firewall want to forward it somewhere?
>>>>> +                * If so, let the ip stack handle it.
>>>>> +                */
>>>>> +               if (i == 0 && args.next_hop != NULL &&
>>>>> +                           is_ip /*&& src != NULL */) {
>>>>> +
>>>>> +                       fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
>>>>> +                                           sizeof(struct sockaddr_in), M_NOWAIT);
>>>>> +                       if (fwd_tag == NULL)
>>>>> +                               goto drop;
>>>>> +                       bcopy(args.next_hop, (fwd_tag+1),
>>>>> +                                  sizeof(struct sockaddr_in));
>>>>> +                       m_tag_prepend(*mp, fwd_tag);
>>>>> +
>>>>> +                       if (in_localip(args.next_hop->sin_addr))
>>>>> +                               (*mp)->m_flags |= M_FASTFWD_OURS;
>>>>> +                       ether_demux(src, *mp);
>>>>> +                       return (NULL);
>>>>> +               }
>>>>> +#endif
>>>>> +
>>>>>
>>>>>                 if (DUMMYNET_LOADED && (i == IP_FW_DUMMYNET)) {
>>>>>
>>>>> ==================
>>>>> Index: netinet/ip_fw2.c
>>>>> ===================================================================
>>>>> RCS file: /usr/local/cvsroot/freebsd/src/sys/netinet/ip_fw2.c,v
>>>>> retrieving revision 1.178
>>>>> diff -u -r1.178 ip_fw2.c
>>>>> --- netinet/ip_fw2.c    28 Oct 2007 17:12:47 -0000      1.178
>>>>> +++ netinet/ip_fw2.c    28 Nov 2007 06:59:10 -0000
>>>>>
>>>>> @@ -3446,8 +3507,10 @@
>>>>>                         case O_FORWARD_IP: {
>>>>>                                 struct sockaddr_in *sa;
>>>>>                                 sa = &(((ipfw_insn_sa *)cmd)->sa);
>>>>> +#if 0
>>>>>                                 if (args->eh)   /* not valid on layer2 pkts */
>>>>>                                         break;
>>>>> +#endif
>>>>>                                 if (!q || dyn_dir == MATCH_FORWARD) {
>>>>>                                         if (sa->sin_addr.s_addr == INADDR_ANY) {
>>>>>
>>>>>  bcopy(sa, &args->hopstore,
>>>>>
>>>>> ===================================================================
>>>>> Index: netinet/ip_output.c
>>>>
>>>> Dear Julian,
>>>>
>>>> Is anything missing from the above code? Say, like ip_output stuff?
>>>>
>>>> I have tried what you sent me, compiled fine but did not work.
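Review bot: in the third if_bridge.c hunk (the IPFIREWALL_FORWARD block after `if (*mp == NULL) return (error);`), `ether_demux(src, *mp);` hands the mbuf to the IP stack and then `return (NULL);` leaves `*mp` pointing at that consumed mbuf while returning 0 from an int-returning function whose neighbouring paths return `error` (initialised to -1) and rely on the caller checking `*mp == NULL`; set `*mp = NULL` before returning, and return an int rather than NULL, so the caller cannot touch the mbuf after it has been passed on. In the same condition the `src != NULL` guard is commented out although `src` is passed straight to ether_demux(), and the allocation-failure path jumps to a `drop` label that is not visible in this hunk, so confirm it exists in bridge_pfil() at that revision.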
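Review bot: the ip_fw2.c hunk wraps `if (args->eh) /* not valid on layer2 pkts */ break;` in `#if 0`, which removes the layer-2 guard for every caller of ip_fw_chk that sets args->eh, not only for the bridge path the if_bridge.c hunk teaches to consume args->next_hop; for any other layer-2 caller a fwd rule would now set a next hop that nothing acts on. Either narrow the condition so only the bridge case passes, or add a comment stating that the bridge code is now the consumer and why the guard is safe to drop.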
>>>>
>>>> Here is my only rule (I have tried both with and without layer2 on the
>>>> rule):
>>>>
>>>> 00001        36        4338 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
>>>> 65535 32842101 2107060460 allow ip from any to any
>>>>
>>>> Here are the sysctl tunables:
>>>>
>>>> net.link.bridge.ipfw: 1
>>>> net.link.bridge.inherit_mac: 0
>>>> net.link.bridge.log_stp: 0
>>>> net.link.bridge.pfil_local_phys: 0
>>>> net.link.bridge.pfil_member: 0
>>>> net.link.bridge.pfil_bridge: 1
>>>> net.link.bridge.ipfw_arp: 0
>>>> net.link.bridge.pfil_onlyip: 0
>>>> net.link.ether.inet.log_arp_permanent_modify: 1
>>>> net.link.ether.inet.log_arp_movements: 1
>>>> net.link.ether.inet.log_arp_wrong_iface: 1
>>>> net.link.ether.inet.proxyall: 0
>>>> net.link.ether.inet.useloopback: 1
>>>> net.link.ether.inet.maxtries: 5
>>>> net.link.ether.inet.max_age: 1200
>>>> net.link.ether.ipfw: 1
>>>>
>>>> And my bridge:
>>>>
>>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>         ether 16:52:8e:91:2f:45
>>>>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>>>>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>>         member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>>                 ifmaxaddr 0 port 5 priority 128 path cost 200000
>>>>         member: sis0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>>                 ifmaxaddr 0 port 1 priority 128 path cost 200000
>>>>
>>>> The ipfw counter gets increased, but nothing hits Apache. Instead I
>>>> go to the Internet directly.
>>>>
>>>> sis0 is on the Internet, vr0 is cross-over to the laptop (customer).
>>>>
>>>> How should I debug it?
>>>>
>>> basically I would suggest code inspection for a start..
>>>
>>> look at where ipfw is called (just before where the patch went in) and
>>> follow the packet up into ipfw and back, and read what it would do..
>>>
>>> It's actually not a very hard path to follow.
>>>
>>> I'll try to look at it after work..
>>
>> Hello Julian / Adrian.
>>
>> Thank you for your attention. A friend added some log entries so we
>> could try to find out what gets run and what doesn't.
>>
>> Here is my current patch against RELENG_8:
>>
>> --- if_bridge.c.orig    2010-09-11 22:02:36.000000000 +0000
>> +++ if_bridge.c 2010-10-05 17:59:13.000000000 +0000
>> @@ -2957,6 +2957,13 @@
>>         struct ip *ip;
>>         struct llc llc1;
>>         u_int16_t ether_type;
>> +       int     is_ip = 0;
>> +#ifdef IPFIREWALL_FORWARD
>> +       struct m_tag *fwd_tag;
>> +#endif
>> +
>> +
>> +
>>
>>         snap = 0;
>>         error = -1;     /* Default error if not error == 0 */
>> @@ -3016,6 +3023,8 @@
>>  #ifdef INET6
>>                 case ETHERTYPE_IPV6:
>>  #endif /* INET6 */
>> +                       is_ip=1;
>> +                       log(LOG_NOTICE, "Entered 0: is_ip=%i\n",is_ip);
>>                         break;
>>                 default:
>>                         /*
>> @@ -3091,6 +3100,32 @@
>>                 if (*mp == NULL)
>>                         return (error);
>>
>> +#ifdef IPFIREWALL_FORWARD
>> +               /*
>> +                * Did the firewall want to forward it somewhere?
>> +                * If so, let the ip stack handle it.
>> +                */
>> +             log(LOG_NOTICE, "Entered 1");
>> +               if (i == 0 && args.next_hop != NULL &&
>> +                           is_ip /*&& src != NULL */) {
>> +                       log(LOG_NOTICE, "Entered 2");
>> +
>> +                       fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
>> +                                           sizeof(struct sockaddr_in), M_NOWAIT);
>> +                       if (fwd_tag == NULL)
>> +                               goto drop;
>> +                       bcopy(args.next_hop, (fwd_tag+1),
>> +                                  sizeof(struct sockaddr_in));
>> +                       m_tag_prepend(*mp, fwd_tag);
>> +
>> +                       if (in_localip(args.next_hop->sin_addr))
>> +                               (*mp)->m_flags |= M_FASTFWD_OURS;
>> +                      ether_demux(src, *mp);
>> +                       return (NULL);
>> +               }
>> +#endif
>> +
>> +
>>                 if (ip_dn_io_ptr && (i == IP_FW_DUMMYNET)) {
>>
>>                         /* put the Ethernet header back on */
>> --- ../netinet/ipfw/ip_fw2.c.orig       2010-09-16 15:11:17.000000000 +0000
>> +++ ../netinet/ipfw/ip_fw2.c    2010-10-06 12:17:12.000000000 +0000
>> @@ -2059,8 +2059,14 @@
>>                                 break;
>>
>>                         case O_FORWARD_IP:
>> -                               if (args->eh)   /* not valid on layer2 pkts */
>> +#if 0
>> +                               /* not valid on layer2 pkts */
>> +                               if (args->eh) {
>> +                                       log(LOG_NOTICE, "ip_fw2.c Entered 1");
>>                                         break;
>> +                               }
>> +                               log(LOG_NOTICE, "ip_fw2.c Entered 2");
>
> these will never happen as they are in the #if 0 section.
>
> the #if 0 is to REMOVE that code from being compiled.
>
>
>> +#endif

Hello Julian,

Thank you again for your feedback. I appreciate it very much.

On my understanding this "if 0" was to really ignore this portion of code, because as I understand what it does is to break (leave the loop) if the packet is on layer2, and this is something we would not want, but I guess I am wrong.
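Review bot: in the if_bridge.c hunk of the RELENG_8 patch, `log(LOG_NOTICE, "Entered 1");` and `log(LOG_NOTICE, "Entered 2");` have no trailing "\n", unlike `"Entered 0: is_ip=%i\n"`, so their text runs into the next kernel message, and "Entered 1" sits outside the `if`, so it fires for every bridged packet that reaches this point and will flood the log; add the newline and put the probes behind a debug sysctl or remove them before the patch is proposed. The probes are still informative as placed: if "Entered 0" shows up but "Entered 2" never does, then `is_ip` was 1 and one of `i == 0` or `args.next_hop != NULL` failed, that is, the fwd action never set a next hop for this packet, which points back at the `if (args->eh) break;` guard in ip_fw2.c rather than at the bridge code.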
I tested now with your suggestion, and what we get is:

Oct 7 15:45:16 phoenix kernel: Entered 0: is_ip=1
Oct 7 15:45:16 phoenix kernel: ip_fw2.c Entered 1
Oct 7 15:45:16 phoenix kernel: Entered 0: is_ip=1
Oct 7 15:45:50 phoenix last message repeated 29 times
Oct 7 15:47:53 phoenix last message repeated 237 times
Oct 7 15:57:56 phoenix last message repeated 1029 times
Oct 7 16:02:51 phoenix last message repeated 655 times
Oct 7 16:02:51 phoenix kernel: ip_fw2.c Entered 1
Oct 7 16:02:51 phoenix kernel: Entered 0: is_ip=1
Oct 7 16:03:23 phoenix last message repeated 54 times
Oct 7 16:05:24 phoenix last message repeated 345 times
Oct 7 16:15:26 phoenix last message repeated 1135 times
Oct 7 16:15:33 phoenix last message repeated 8 times

So yes, we entered the ipfw code now, and executed only the instruction before we "break".

The curious thing is that the counter did not count now with both:

00001 0 0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80 layer2
00001 0 0 fwd 127.0.0.1,80 tcp from any to not me dst-port 80

How can I move forth?

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br