PERFORCE change 112448 for review
Paolo Pisati
piso at FreeBSD.org
Wed Jan 3 03:00:55 PST 2007
http://perforce.freebsd.org/chv.cgi?CH=112448
Change 112448 by piso at piso_newluxor on 2007/01/03 11:00:42
Wrap the ipfw nat support in a new kernel config option
named "IPFIREWALL_NAT".
Affected files ...
.. //depot/projects/soc2005/libalias/sys/conf/NOTES#16 edit
.. //depot/projects/soc2005/libalias/sys/conf/options#15 edit
.. //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#36 edit
Differences ...
==== //depot/projects/soc2005/libalias/sys/conf/NOTES#16 (text+ko) ====
@@ -835,6 +835,10 @@
# packets too. Because of this great care is required when
# crafting the ruleset.
#
+# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
+# LIBALIAS. To build an ipfw kld with nat support enabled, add
+# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.
+#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools.
@@ -850,6 +854,7 @@
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
+options IPFIREWALL_NAT #ipfw kernel nat support
options IPDIVERT #divert sockets
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
==== //depot/projects/soc2005/libalias/sys/conf/options#15 (text+ko) ====
@@ -373,6 +373,7 @@
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_FORWARD opt_ipfw.h
+IPFIREWALL_NAT opt_ipfw.h
IPSTEALTH
IPX
IPXIP opt_ipx.h
==== //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#36 (text+ko) ====
@@ -84,9 +84,10 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/sctp.h>
-
+#ifdef IPFIREWALL_NAT
#include <netinet/libalias/alias.h>
#include <netinet/libalias/alias_local.h>
+#endif
#include <netgraph/ng_ipfw.h>
#include <altq/if_altq.h>
@@ -307,7 +308,9 @@
#endif /* INET6 */
#endif /* SYSCTL_NODE */
+#ifdef IPFIREWALL_NAT
MODULE_DEPEND(ipfw, libalias, 1, 1, 1);
+#endif
static int fw_deny_unknown_exthdrs = 1;
@@ -2036,6 +2039,7 @@
return match;
}
+#ifdef IPFIREWALL_NAT
static eventhandler_tag ifaddr_event_tag;
static void
@@ -2207,6 +2211,7 @@
/* something really bad happened: panic! */
panic("%s\n", panic_err);
}
+#endif
/*
* The main check routine for the firewall.
@@ -3437,6 +3442,7 @@
IP_FW_NETGRAPH : IP_FW_NGTEE;
goto done;
+#ifdef IPFIREWALL_NAT
case O_NAT: {
struct cfg_nat *t;
struct mbuf *mcl;
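Review bot: With IPFIREWALL_NAT undefined, an O_NAT action that reaches this switch falls through to the `default:` arm and its `panic("-- unknown opcode %d\n", cmd->opcode)`, so the guard placed before `case O_NAT:` turns a rule with an unsupported action into a kernel panic unless rule installation already refuses the opcode. This change does not touch the rule validator (check_ipfw_struct is in no hunk), so if it still accepts O_NAT when the option is off, the opcode should be rejected there under the same option, e.g. `#ifndef IPFIREWALL_NAT` / `printf("ipfw: IPFIREWALL_NAT not enabled\n"); return (EINVAL);` in its O_NAT case, which keeps the failure at setsockopt time instead of in the packet path. The same observation applies to the closing `#endif` in the hunk at -3607,6. The enclosing switch and ipfw_chk start and end outside this hunk.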
@@ -3607,6 +3613,7 @@
retval = IP_FW_NAT;
goto done;
}
+#endif
default:
panic("-- unknown opcode %d\n", cmd->opcode);
@@ -4556,6 +4563,7 @@
}
break;
+#ifdef IPFIREWALL_NAT
case IP_FW_NAT_CFG:
{
struct cfg_nat *ptr, *ser_n;
@@ -4734,6 +4742,7 @@
free(data, M_IPFW);
}
break;
+#endif
default:
printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name);
@@ -4907,9 +4916,11 @@
ip_fw_ctl_ptr = ipfw_ctl;
ip_fw_chk_ptr = ipfw_chk;
callout_reset(&ipfw_timeout, hz, ipfw_tick, NULL);
+#ifdef IPFIREWALL_NAT
LIST_INIT(&layer3_chain.nat);
ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change,
NULL, EVENTHANDLER_PRI_ANY);
+#endif
return (0);
}
@@ -4917,13 +4928,16 @@
ipfw_destroy(void)
{
struct ip_fw *reap;
+#ifdef IPFIREWALL_NAT
struct cfg_nat *ptr, *ptr_temp;
+#endif
ip_fw_chk_ptr = NULL;
ip_fw_ctl_ptr = NULL;
callout_drain(&ipfw_timeout);
IPFW_WLOCK(&layer3_chain);
flush_tables(&layer3_chain);
+#ifdef IPFIREWALL_NAT
LIST_FOREACH_SAFE(ptr, &layer3_chain.nat, _next, ptr_temp) {
LIST_REMOVE(ptr, _next);
del_redir_spool_cfg(ptr, &ptr->redir_chain);
@@ -4931,6 +4945,7 @@
free(ptr, M_IPFW);
}
EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag);
+#endif
layer3_chain.reap = NULL;
free_chain(&layer3_chain, 1 /* kill default rule */);
reap = layer3_chain.reap, layer3_chain.reap = NULL;