Date: Mon, 4 Oct 2010 16:18:17 -0300
From: Eduardo Meyer <dudu.meyer@gmail.com>
To: Julian Elischer <julian@freebsd.org>
Cc: Brandon Gooch <jamesbrandongooch@gmail.com>, ipfw@freebsd.org, Adrian Chadd <adrian@ucc.gu.uwa.edu.au>
Subject: Re: layer2 ipfw 'fwd' support
Message-ID: <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq%2B@mail.gmail.com>
In-Reply-To: <4CAA1E7B.1020107@freebsd.org>
References: <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com>
 <AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com>
 <AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com>
 <4CAA1E7B.1020107@freebsd.org>

On Mon, Oct 4, 2010 at 3:35 PM, Julian Elischer <julian@freebsd.org> wrote:
> On 10/4/10 10:16 AM, Eduardo Meyer wrote:
>>
>> On Mon, Oct 4, 2010 at 2:02 PM, Brandon Gooch
>> <jamesbrandongooch@gmail.com> wrote:
>>>
>>> On Mon, Oct 4, 2010 at 9:44 AM, Eduardo Meyer <dudu.meyer@gmail.com>
>>> wrote:
>>>>
>>>> Hello,
>>>>
>>>> In the past I have used this patch by Luigi Rizzo, which helped me well.
>>>>
>>>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>
>>>> I tried with a friend to port it to -STABLE, but we were not able to
>>>> find out what has replaced mt_tag. Also on ip_input.c we dirty hacked
>>>> the following piece of code:
>>>>
>>>> #ifdef IPFIREWALL_FORWARD
>>>>         if (m->m_flags & M_FASTFWD_OURS) {
>>>>                 m->m_flags &= ~M_FASTFWD_OURS;
>>>>                 goto pass; /* XXX was 'ours' - SHOULD WE MODIFY IT HERE */
>>>>         }
>>>>         if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
>>>>                 /*
>>>>                  * Directly ship the packet on.  This allows forwarding
>>>>                  * packets originally destined to us to some other directly
>>>>                  * connected host.
>>>>                  */
>>>>                 ip_forward(m, dchg);
>>>>                 return;
>>>>         }
>>>> #endif /* IPFIREWALL_FORWARD */
>>>>
>>>> And this is something we are not sure if it's correct.
>>>>
>>>> So my very obvious question is:
>>>>
>>>> Does anyone have a recent version of this patch to share?
>>>>
>>>> Can anyone familiar with ipfw source code help me with that?
>>>>
>>> I'm certainly not an expert, but I wonder if the patch you're referring
>>> to is still required? Can you provide more detail about your
>>> particular application?
>>>
>>> -Brandon
>>
>> Yes, it's still required since ipfw fwd ignores layer2 frames.
>>
>> The application is the very same: squid. I mean, Lusca in fact (squid
>> fork).
>>
>> Thank you for your interest.
>
> Cisco/Ironport have a patch that does this..
> I had permission to bring it back when I worked there but never got it
> committed.
>
> Adrian, was it part of the set I gave you?

Hello Elischer,

Was this made public? I hope Chadd has some good news.

In fact I intend to use with Lusca in tproxy mode. I bet this is the only
missing piece of software.

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br