FreeBSD 5.3 routing IPFW FWD'd packets?

Max Laier max at love2party.net
Tue Nov 30 11:57:30 PST 2004 

On Tuesday 30 November 2004 19:41, James R. Van Artsalen wrote:
> Achim Patzner wrote:
> > Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> > seem to work.  Is it possible that packets are somehow being routed
> > after being FWD'd by IPFW?
> >
> > The counters show that the rule is applied, too. Just the "fwd" part
> > is not happening.
>
> I'm suspicious of this code in netinet/ip_output.c:
>
> #ifdef IPFIREWALL_FORWARD
> ...
>         fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
>         if (fwd_tag) {
>                 if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
>                         dst = (struct sockaddr_in *)&ro->ro_dst;
>                         bcopy((fwd_tag+1), dst, sizeof(struct
> sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL;
>                         m_tag_delete(m, fwd_tag);
>                         goto again;
>                 } else {
>                         m_tag_delete(m, fwd_tag);
>                         /* Continue. */
>                 }
>         }
> #endif
>
> passout:
>
> this seems to be where FWD is handled in this case.  The problem is that
> 33 lines above I see this code:
>
>         /* Jump over all PFIL processing if hooks are not active. */
>         if (inet_pfil_hook.ph_busy_count == -1)
>                 goto passout;
>
> It looks like me like IPFW forwarding isn't going to happen here unless
> there is some PFIL around.

That should be taken care of as IPFW is a PFIL consumer now. The only problem 
I can think of - right now - is that your kernel is missing "options 
IPFIREWALL_FORWARD". You might still want to try to move the "passout:"-label 
up just above the "#ifdef IPFIREWALL_FORWARD" line.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20041130/49899c16/attachment.bin

More information about the freebsd-ipfw mailing list