Bug 26030

Summary: IPDIVERT problems with ipfw as module
Product: Base System
Reporter: bugs <bugs>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.2-RELEASE
Hardware: Any
OS: Any

Description bugs 2001-03-23 16:00:02 UTC
IPDIVERT does not work when built into the ipfw module.
Have tested the same setup with a modified ipfw module (Makefile below)
and could not get the packets diverted to the receiving process.
When IPDIVERT is built into the kernel (along with IPFIREWALL etc.)
it works...
It seems like the packets are discarded (see ipfw show logs below); ktrace-ing
the receiving process shows that there isn't anything received in the
ipfw-module case.

# uname -a      # with IPDIVERT in ipfw module
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Feb  9 13:38:52
CET 2001     root@pro.easylogic.se:/usr/src/sys/compile/GENERIC  i386


# uname -a      # with IPDIVERT built into kernel
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Mar 23 15:23:03
GMT 2001     root@machine.dot.com:/usr/src/sys/compile/IPDIVERT  i386


# ipfw show     # with IPDIVERT in ipfw module
<some lines removed>
01200 11  660 divert 5555 ip from any to any recv xl0
01300  0    0 allow ip from any to any


# ipfw show     # with IPDIVERT built into kernel
<some lines removed>
01200 360 21504 divert 5555 ip from any to any recv xl0
01300 360 21504 allow ip from any to any


# cat /sys/modules/ipfw/Makefile
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $

.PATH:  ${.CURDIR}/../../netinet
KMOD=   ipfw
SRCS=   ip_fw.c
NOMAN=
CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
CFLAGS+= -DIPFIREWALL_VERBOSE
#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
#
#If you want it to pass all packets by default
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
#
#If you want ipdivert
CFLAGS+= -DIPDIVERT
#
.include <bsd.kmod.mk>


# cat /boot/loader.conf
ipfw_load="YES"                 # Firewall

Fix:

Build a kernel with IPDIVERT (along with IPFIREWALL etc.)
How-To-Repeat: Trying to use IPDIVERT in the ipfw module (I guess natd would fail too).
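The report's diagnosis rests on the rule counters in the two "ipfw show" listings: with a working divert socket the packet is handed back to the stack and the rule after "divert" keeps counting, whereas in the module case the divert rule counts but the following "allow" stays at 0. The script below (added here; it is not part of the report or of FreeBSD) automates that comparison over "ipfw show" output, using the two counter listings quoted above as constructed samples.

```shell
# Read "ipfw show" output and report whether packets matched by a divert
# rule are re-injected into the ruleset (next rule's packet counter grows)
# or silently discarded (divert rule counts, next rule stays at 0).
# Usage: divert_check [FILE]  (reads stdin when FILE is omitted)
# Exit status: 0 = divert re-injecting, 1 = divert discarding.
divert_check() {
    awk '
        # "ipfw show" columns: rule-number packets bytes action ...
        /^[0-9]/ {
            if (pending) {
                # Rule right after a divert: packets should have reached it.
                if (divert_pkts > 0 && $2 == 0) bad++
                pending = 0
            }
            if ($4 == "divert") { divert_pkts = $2; pending = 1 }
        }
        END { exit (bad > 0) ? 1 : 0 }
    ' "${1:-/dev/stdin}"
}

# Constructed samples: the two counter listings quoted in the report.
# $1 receives the "IPDIVERT in module" case, $2 the "built into kernel" case.
write_samples() {
    cat > "$1" <<'EOF'
01200 11  660 divert 5555 ip from any to any recv xl0
01300  0    0 allow ip from any to any
EOF
    cat > "$2" <<'EOF'
01200 360 21504 divert 5555 ip from any to any recv xl0
01300 360 21504 allow ip from any to any
EOF
}
```

On a live system run `ipfw show | divert_check` after generating traffic that matches the divert rule.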
Comment 1 bill fumerola freebsd_committer freebsd_triage 2001-03-24 01:33:28 UTC
State Changed
From-To: open->closed

Unfortunately, this is a limitation of the current design
of the BSD TCP/IP stack. IPDIVERT is used in more than just
ip_fw.c, it is in multiple other files (ip_{input,output}.c).

Changing this is non-trivial, though you may want to read
an informative post to freebsd-current made by Terry Lambert
on this exact same topic:

http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=552825+556658+/usr/local/www/db/text/2000/freebsd-current/20001029.freebsd-current