diff options
| author | andre <andre@FreeBSD.org> | 2005-02-22 17:40:40 +0000 |
|---|---|---|
| committer | andre <andre@FreeBSD.org> | 2005-02-22 17:40:40 +0000 |
| commit | 9094f4f16b2edec6f6ff3cad13b2e466bc92e104 (patch) | |
| tree | 27e1404f31af0c65be78d4fe952e2b86a85ad18d | |
| parent | 67b4f62450af59f85c9b21ddd07ab0a5011d36a4 (diff) | |
| download | FreeBSD-src-9094f4f16b2edec6f6ff3cad13b2e466bc92e104.zip FreeBSD-src-9094f4f16b2edec6f6ff3cad13b2e466bc92e104.tar.gz | |
Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:
options IPFIREWALL_FORWARD_EXTENDED
This option has to be specified in addition to IPFIRWALL_FORWARD.
With this option even packets targeted for an IP address local
to the host can be redirected. All restrictions to ensure proper
behaviour for locally generated packets are turned off. Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.
Document the two kernel options.
PR: kern/71910
PR: kern/73129
MFC after: 1 week
| -rw-r--r-- | sbin/ipfw/ipfw.8 | 15 | ||||
| -rw-r--r-- | sys/conf/NOTES | 6 | ||||
| -rw-r--r-- | sys/conf/options | 1 | ||||
| -rw-r--r-- | sys/netinet/ip_input.c | 12 | ||||
| -rw-r--r-- | sys/netinet/ip_output.c | 6 |
5 files changed, 38 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 6c053da..3f4bc9a 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 22, 2004 +.Dd February 22, 2005 .Dt IPFW 8 .Os .Sh NAME @@ -672,6 +672,19 @@ This makes the .Xr netstat 1 entry look rather weird but is intended for use with transparent proxy servers. +.Pp +To enable +.Cm fwd +a custom kernel needs to be compiled with the option +.Cd "options IPFIREWALL_FORWARD" . +With the additional option +.Cd "options IPFIREWALL_FORWARD_EXTENDED" +all safeguards are removed and it also makes it possible to redirect +packets destined to locally configured IP addresses. +Please note that such rules apply to locally generated packets as +well and great care is required to ensure proper behaviour for +automatically generated packets like ICMP message size exceeded +and others. .It Cm pipe Ar pipe_nr Pass packet to a .Xr dummynet 4 diff --git a/sys/conf/NOTES b/sys/conf/NOTES index edf03b9..12f0c02 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -661,6 +661,11 @@ device stf #6to4 IPv6 over IPv4 encapsulation # to do some sort of policy routing or transparent proxying. Used by # ``ipfw forward''. # +# IPFIREWALL_FORWARD_EXTENDED enables full packet destination changing +# including redirecting packets to local IP addresses and ports. All +# redirections apply to locally generated packets too. Because of this +# great care is required when crafting the ruleset. +# # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the ttl). This can be useful to hide firewalls # from traceroute and similar tools. @@ -676,6 +681,7 @@ options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default options IPFIREWALL_FORWARD #packet destination changes +options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes options IPV6FIREWALL #firewall for IPv6 options IPV6FIREWALL_VERBOSE options IPV6FIREWALL_VERBOSE_LIMIT=100 diff --git a/sys/conf/options b/sys/conf/options index 008c932..347362d 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -351,6 +351,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_FORWARD opt_ipfw.h +IPFIREWALL_FORWARD_EXTENDED opt_ifpw.h IPV6FIREWALL opt_ip6fw.h IPV6FIREWALL_VERBOSE opt_ip6fw.h IPV6FIREWALL_VERBOSE_LIMIT opt_ip6fw.h diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index ecf79ae..6eaf3eb 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -468,7 +468,19 @@ tooshort: m->m_flags &= ~M_FASTFWD_OURS; goto ours; } +#ifndef IPFIREWALL_FORWARD_EXTENDED dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); +#else + if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { + /* + * Directly ship on the packet. This allows to forward packets + * that were destined for us to some other directly connected + * host. + */ + ip_forward(m, dchg); + return; + } +#endif /* IPFIREWALL_FORWARD_EXTENDED */ #endif /* IPFIREWALL_FORWARD */ passin: diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 59b8aef..056ffb6 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -706,18 +706,22 @@ spd_done: /* Or forward to some other address? */ fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (fwd_tag) { +#ifndef IPFIREWALL_FORWARD_EXTENDED if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) { +#endif dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; m_tag_delete(m, fwd_tag); goto again; +#ifndef IPFIREWALL_FORWARD_EXTENDED } else { m_tag_delete(m, fwd_tag); /* Continue. */ } - } #endif + } +#endif /* IPFIREWALL_FORWARD */ passout: /* 127/8 must not appear on wire - RFC1122. */ |
