UDP forward issue with ipfw on Freebsd8

Ben Choi bchoi at sandvine.com
Thu Mar 21 20:29:41 UTC 2013 

Hi

When I try to forward incoming UDP packets to local host without providing destination port, no packets are forwarded.
My ipfw rule is:

     # ipfw add 100 fwd 127.0.0.1 ipv4 from any to any dst-port 8000-11999 recv em1

Since I am not giving any port number after 127.0.0.1, ipfw should forward the packets with the destination port in the packets, but it does not.

I checked ipfw code and udp_input() in udp_usrreq.c, and modified it to forward to the original ports in the packets like below.

#ifdef IPFIREWALL_FORWARD
                /*
                * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
                */
                fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
                if (fwd_tag != NULL) {
                                struct sockaddr_in *next_hop;

                               /*
                                * Do the hack.
                                */
                                next_hop = (struct sockaddr_in *)(fwd_tag + 1);
                                ip->ip_dst = next_hop->sin_addr;
                                if (next_hop->sin_port) {      // Add this line
                                                uh->uh_dport = htons(next_hop->sin_port);
                               }       // and this line
                                /*
                                * Remove the tag from the packet.  We don't need it anymore.
                                */
                                m_tag_delete(m, fwd_tag);
                }
#endif

Basically, only if forwarding port is given, the destination port is modified. If not, it leaves the original destination port.

After this changes ipfw can forward the packets to the local host. But I am facing another issue: I cannot send any packets with the same socket which I received the packets from.

I checked the codes thoroughly again and found that udp_input() changes the destination IP address and destination port with forward rule and calls in_pcblookup_hash() function with forward destination IP and port while in Freebsd6, the destination IP and port on mbuf are not modified and in_pcblookup_hash() is called with the original desitnation IP and port.
I am not very familiar with the Kernel codes so I don't know if this difference is the reason why that application cannot send response through the forwarded UDP sockets.
Does anyone have any idea on how to debug it or even to solve it?

Thank you very much for your help in advance,

Ben Choi

More information about the freebsd-ipfw mailing list