
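--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -658,10 +658,7 @@
 .Xr divert 4
 socket bound to port
 .Ar port .
-The search terminates and the original packet is accepted
-(but see Section
-.Sx BUGS
-below).
+The search continues at the next rule.
 .It Cm unreach Ar code
 Discard packets that match this rule, and try to send an ICMP
 unreachable notice with code
@@ -2169,12 +2166,6 @@
 are reassembled before delivery to the socket.
 The action used on those packet is the one from the
 rule which matches the first fragment of the packet.
-.Pp
-Packets that match a
-.Cm tee
-rule should not be immediately accepted, but should continue
-going through the rule list.
-This may be fixed in a later version.
 .Pp
 Packets diverted to userland, and then reinserted by a userland process
 may lose various packet attributes.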
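--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -400,6 +400,7 @@
 	int flags;			/* for dummynet			*/
 
 	struct ipfw_flow_id f_id;	/* grabbed from IP header	*/
+	int		tee_continue;	/* continue after packet tee	*/
 	u_int32_t	retval;
 };
 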
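Review bot: The new `tee_continue` member is read by ip_fw_chk (`if (fw_one_pass && !args->tee_continue)` in the ip_fw2.c hunk) before that function clears it, so every caller that builds a `struct ip_fw_args` on the stack must have this field at zero on the first pass; only the tee paths in ip_input.c and ip_output.c set it in this patch, and if any caller initialises the struct field by field rather than zeroing it, a stale non-zero value would make a non-tee restart ignore fw_one_pass. I cannot see the callers' initialisation from here, so this is a point to confirm rather than a defect I can point at. The contract belongs on the field itself: `int		tee_continue;	/* in: non-zero only when re-entering after a tee; callers must zero it */`.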
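--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1361,10 +1361,6 @@
  *	args->eh (in)	Mac header if present, or NULL for layer3 packet.
  *	args->oif	Outgoing interface, or NULL if packet is incoming.
  *		The incoming interface is in the mbuf. (in)
- *	args->divert_rule (in/out)
- *		Skip up to the first rule past this rule number;
- *		upon return, non-zero port number for divert or tee.
- *
  *	args->rule	Pointer to the last matching rule (in/out)
  *	args->next_hop	Socket we are forwarding to (out).
  *	args->f_id	Addresses grabbed from the packet (out)
@@ -1554,13 +1550,18 @@
 		 * to restart processing.
 		 *
 		 * If fw_one_pass != 0 then just accept it.
-		 * XXX should not happen here, but optimized out in
-		 * the caller.
+		 * XXX should not happen here unless the packet was tee'd,
+		 * but optimized out in the caller.
 		 */
-		if (fw_one_pass) {
+		if (fw_one_pass && !args->tee_continue) {
 			IPFW_UNLOCK(chain);	/* XXX optimize */
 			return 0;
 		}
+		/*
+		 * Reset this so that fw_one_pass is obeyed if we
+		 * land up here again for reasons other than tee_continue
+		 */
+		args->tee_continue = 0;
 
 		f = args->rule->next_rule;
 		if (f == NULL)
@@ -2044,6 +2045,7 @@
 				    cmd->arg1 | IP_FW_PORT_TEE_FLAG;
 				m_tag_prepend(m, mtag);
 				retval = dt->info;
+				args->rule = f; /* report matching rule */
 				goto done;
 			}
 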
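Review bot: The ip_fw_chk header comment in the first hunk drops the `args->divert_rule` entry but gains no entry for the new `args->tee_continue` input that the second hunk reads at `if (fw_one_pass && !args->tee_continue)` and then clears with `args->tee_continue = 0;`. The other `args->` members are documented there with an (in)/(out) direction, so the new one should be too; add ` *	args->tee_continue (in)	Non-zero when re-entered after a tee; the restart then ignores fw_one_pass and the flag is cleared.` next to the `args->rule` line. The header comment and the function body both extend outside the hunks shown.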
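--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -473,6 +473,9 @@
 		if (args.next_hop)
 			goto ours;
 
+#ifdef IPDIVERT
+again:
+#endif
 		args.m = m;
 		i = ip_fw_chk_ptr(&args);
 		m = args.m;
@@ -854,12 +857,11 @@
 		divert_packet(m, 1);
 		ipstat.ips_delivered++;
 
-		/* If 'tee', continue with original packet */
+		/* If 'tee', continue processing firewall rules
+		 * with the original packet */
 		if (clone == NULL)
 			return;
 		m = clone;
-		ip = mtod(m, struct ip *);
-		ip->ip_len += hlen;
 		/*
 		 * Jump backwards to complete processing of the
 		 * packet.  We do not need to clear args.next_hop
@@ -867,7 +869,8 @@
 		 * doesn't contain a divert packet tag so we won't
 		 * re-entry this block.
 		 */
-		goto pass;
+		args.tee_continue = 1;
+		goto again;
 	}
 #endif
 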
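Review bot: The second hunk drops `ip->ip_len += hlen;` from the tee path, yet the clone now jumps back to `again:`, which sits before the firewall call rather than at the later `pass` target the old code used; if the removed increment was compensating for an `ip->ip_len -= hlen` that the packet undergoes between `again:` and this divert block (the removed line suggests so, but that code is outside the hunks), the re-run sees a header-less length and, on reaching the same point again, has `hlen` subtracted a second time. The comment above `goto again;` in the third hunk still describes the old jump ("Jump backwards to complete processing of the packet ... we won't re-entry this block") and no longer matches a jump that re-enters ip_fw_chk, so it should be reworded to say the clone is re-run through the remaining firewall rules starting after the tee rule. If the length really is adjusted only after this point, the increment can stay removed, but that deserves a one-line comment on `m = clone;` saying so. The enclosing function continues outside all three hunks.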
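--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -731,6 +731,9 @@
 	if (fw_enable && IPFW_LOADED && !args.next_hop) {
 		struct sockaddr_in *old = dst;
 
+#ifdef IPDIVERT
+again:
+#endif
 		args.m = m;
 		args.next_hop = dst;
 		args.oif = ifp;
@@ -807,11 +810,14 @@
 			/* Deliver packet to divert input routine */
 			divert_packet(m, 0);
 
-			/* If 'tee', continue with original packet */
+			/*
+			 * If 'tee', continue processing firewall
+			 * rules with the original packet
+			 */
 			if (clone != NULL) {
 				m = clone;
-				ip = mtod(m, struct ip *);
-				goto pass;
+				args.tee_continue = 1;
+				goto again;
 			}
 			goto done;
 		}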
