transparent squid bridge
Dan Vande More
dvm at firstlink.com
Mon Mar 15 08:08:48 PST 2004
/*Repost, does anyone have an answer?*/
Ok, to show I did try, here's my diff on the manual patching. I've triple-checked my work, and everything appears to be the way it is supposed to be.
I don't see the expected behavior; if anyone sees anything wrong, I would appreciate some input.
Although the counter increases on rule 400 when a client requests a
webpage on the other side of the bridge, a 'tcpdump port 80' on
{proxy_server_ip_address} sees no packets whatsoever.
A tcpdump on the bridge server (tcpdump -n port 80) shows the packets
from the client going straight to the requested host, instead of being
hijacked and sent to the proxy server.
*************************************
bash-2.05b# egrep -v "^#" /etc/sysctl.conf
sysctl net.link.ether.bridge_cfg='xl0 dc0'
sysctl net.link.ether.bridge_ipfw=1
sysctl net.link.ether.bridge=1
sysctl net.inet.ip.forwarding=1
*************************************
**************************************
bash-2.05b# ipfw show
00100 56 2920 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 21 1078 fwd {proxy_server_ip_address} tcp from any to any dst-port 80
65000 19137 2942276 allow ip from any to any
65535 0 0 deny ip from any to any
**************************************
The diff of the pre and post manual patched files
**************************************
bash-2.05b# diff -u ip_fw2.c.default ip_fw2.c
--- ip_fw2.c.working Fri Mar 12 12:26:51 2004
+++ ip_fw2.c Fri Mar 12 12:31:18 2004
@@ -2061,12 +2061,33 @@
goto done;
case O_FORWARD_IP:
+ #if 0
if (args->eh) /* not valid on layer2
pkts */
break;
+ #endif
if (!q || dyn_dir == MATCH_FORWARD)
args->next_hop =
&((ipfw_insn_sa *)cmd)->sa;
retval = 0;
+ if (args->eh) {
+ struct m_hdr tag;
+
+ if (hlen == 0) /* non IP */
+ break;
+ /*
+ * tag with PACKET_TAG_IPFORWARD
+ * call ip_input() (need ip_forwarding=1
+ * if this has to go out)
+ * mark packet as comsumed by the
firewall
+ */
+ tag.mh_type = MT_TAG;
+ tag.mh_flags = PACKET_TAG_IPFORWARD;
+ tag.mh_data = (caddr_t)args->next_hop;
+ tag.mh_next = m;
+ args->m = NULL;
+ retval = IP_FW_PORT_DENY_FLAG;
+ ip_input((struct mbuf *)&tag);
+ }
goto done;
default:
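Review bot: in the new `if (args->eh)` block the `if (hlen == 0) break;` comes after `args->next_hop` has already been assigned and `retval = 0` has been set, so a non-IP layer-2 frame leaves the switch with next_hop pointing at the rule's address; move the hlen check to the top of the case, ahead of the `if (!q || dyn_dir == MATCH_FORWARD)` assignment. `tag.mh_data = (caddr_t)args->next_hop;` is also taken unconditionally even though next_hop is only set when that same condition holds, so a reverse-direction dynamic match on the bridge would be pulled into ip_input() with a NULL next hop instead of being bridged; hand the packet to ip_input() only when next_hop is non-NULL. Once `args->m = NULL;` and `retval = IP_FW_PORT_DENY_FLAG;` are set the mbuf belongs to ip_input(), so the layer-2 caller has to test args->m before it frees or forwards m; worth confirming the bridge path this is written for honours that. Minor: 'comsumed' in the comment should be 'consumed'.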
**************************************
ip_input:
**************************************
bash-2.05b# diff -u ip_input.c.working ip_input.c
--- ip_input.c.working Fri Mar 12 12:31:30 2004
+++ ip_input.c Fri Mar 12 12:32:38 2004
@@ -509,7 +509,7 @@
* skip the firewall a second time
*/
if (args.next_hop)
- goto ours;
+ goto pass; /* XXX was 'ours' */;
args.m = m;
i = ip_fw_chk_ptr(&args);
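Review bot: `goto pass; /* XXX was 'ours' */;` leaves a stray `;` after the comment (an empty statement); drop it, and have the XXX comment say why the target changed: with `pass` a packet that arrives carrying args.next_hop is no longer force-delivered locally but continues into normal input processing, which is what lets it be forwarded to an off-box next hop (hence the "need ip_forwarding=1 if this has to go out" remark in the ip_fw2.c change). This applies to every packet reaching ip_input() with args.next_hop set, not only the ones tagged from the layer-2 path, so a fwd to an address on this host (the case the old `goto ours` served) now takes the pass path too; check that such packets are still delivered locally before relying on the change. The "skip the firewall a second time" comment above still holds, since the jump bypasses the ip_fw_chk_ptr call that follows.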
**************************************
uname -a
**************************************
FreeBSD squid.mydomain.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Fri Mar 12 14:54:27 MST 2004 root@squid.mydomain.com:/usr/src/sys/i386/compile/squid i386
**************************************
Thanks again!
Dan Vande More
On Fri, 2004-03-12 at 11:04, Dan Vande More wrote:
> I did try it manually, several times. My question in that scenario, is:
>
> Will it still work with:
>
> src/sys/netinet/ip_fw2.c,v 1.51.2.1 2003/12/23 12:25:56 maxim
>
> and
>
> src/sys/netinet/ip_input.c,v 1.259 2003/11/26 20:31:13 andre
>
> When I did apply it manually, it *seemed* like it didn't work. I admit
> it could have easily been user error.
>
> Thanks!
>
> Dan
>
> On Fri, 2004-03-12 at 11:00, Luigi Rizzo wrote:
> > On Fri, Mar 12, 2004 at 10:51:10AM -0700, Dan Vande More wrote:
> > > Hey all
> >
> > how about applying the patch manually ? It is so trivial
> > it would have taken less than posting this message...
> >
> > cheers
> > luigi
> >