Route re-calculation in ip_output()

Jacques Fourie jacques.fourie at gmail.com
Fri Oct 9 19:37:26 UTC 2009


On Fri, Oct 9, 2009 at 5:58 PM, Julian Elischer <julian at elischer.org> wrote:
> Jacques Fourie wrote:
>>
>> Hi,
>>
>> I've noticed what I believe to be a bug in ip_output(). The piece of
>> code in question is when the firewall changes the destination address
>> of an outgoing packet and the subsequent re-calculation of the route.
>> The issue should be clear from the attached diff - basically what
>> happens is that for the second route lookup dst can point to
>> ro->ro_rt->rt_gateway instead of &ro->ro_dst. It seems as if this
>> issue is present on 7, 8 and 9?
>
> Is this a problem?
> Generally, the aim of a fwd firewall rule is to set the next hop
> (gateway), so this may be what is required.
>
>
>>
>> --- ip_output.c 2009-10-09 10:37:40.537408240 +0200
>> +++ /home/jacques/ip_output.c   2009-10-09 10:43:46.232819440 +0200
>> @@ -521,8 +521,10 @@
>>  #endif
>>                        error = netisr_queue(NETISR_IP, m);
>>                        goto done;
>> -               } else
>> +               } else {
>> +                       dst = (struct sockaddr_in *)&ro->ro_dst;
>>                        goto again;     /* Redo the routing table lookup.
>> */
>> +               }
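Review bot: the `dst` reset added in the `else` branch ahead of `goto again` carries no comment saying why it is needed, and the existing comment on the `goto` only says the routing lookup is redone. A one-line comment noting that `dst` may have been left pointing at `ro->ro_rt->rt_gateway` would keep the assignment from being dropped later as redundant. It is also worth checking whether any other path that jumps to `again` needs the same reset; if so, doing the assignment once at the label would cover all of them. The diff headers name `ip_output.c` and `/home/jacques/ip_output.c`, so a resubmission generated relative to the source tree would be easier to apply.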
>>
>>
>> Regards,
>> Jacques
>
If I understand everything correctly the handling of fwd rules seems to
do exactly what I propose in the patch. See the code starting with 'if
(fwd_tag) {' in ip_output.c?
As far as I understand it fwd rules do not change the destination IP
address in the mbuf so the patch will not affect the handling of fwd
rules.

Jacques
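
The pointer aliasing discussed in this thread, as an added example that is not part of the original message or of the FreeBSD source: a simplified user-space C model whose types, route table, addresses and loop body are assumptions made for illustration. It compares retrying the lookup with a `dst` that still points at the cached route's gateway against resetting it to `&ro.ro_dst` first.

```c
#include <stddef.h>
#include <stdint.h>

/* User-space model; every name below is hypothetical, not FreeBSD code. */
struct addr  { uint32_t ip; };
struct rtent { uint32_t net8; struct addr gateway; };      /* match on top octet */
struct route { struct addr ro_dst; struct rtent *ro_rt; }; /* cached lookup */

static struct rtent table[2];

static struct rtent *lookup(uint32_t ip)
{
    for (size_t i = 0; i < 2; i++)
        if (table[i].net8 == (ip >> 24))
            return &table[i];
    return NULL;
}

/* Returns the next hop finally chosen; *gw0 receives table[0]'s gateway. */
static uint32_t send_model(int reset_dst, uint32_t *gw0)
{
    struct route ro = { {0}, NULL };
    uint32_t pkt_dst = 0x0a000005;            /* 10.0.0.5 (constructed) */
    int rewritten = 0;
    struct addr *dst = &ro.ro_dst;

    table[0] = (struct rtent){ 0x0a, { 0xc0a80101 } };  /* 10/8 via 192.168.1.1 */
    table[1] = (struct rtent){ 0xac, { 0xc0a80102 } };  /* 172/8 via 192.168.1.2 */
again:
    if (ro.ro_rt != NULL && dst->ip != pkt_dst)
        ro.ro_rt = NULL;                      /* cached route is for another dst */
    if (ro.ro_rt == NULL) {
        dst->ip = pkt_dst;                    /* the write goes through dst */
        ro.ro_rt = lookup(ro.ro_dst.ip);      /* the lookup is keyed on ro_dst */
        if (ro.ro_rt == NULL)
            return 0;
    }
    dst = &ro.ro_rt->gateway;                 /* dst now aliases the route entry */
    if (!rewritten) {
        rewritten = 1;
        pkt_dst = 0xac100005;                 /* firewall rewrites dst: 172.16.0.5 */
        if (reset_dst)
            dst = &ro.ro_dst;                 /* models the patch's added assignment */
        goto again;
    }
    *gw0 = table[0].gateway.ip;
    return dst->ip;
}
```

In this model the stale pointer makes the second pass overwrite the first route entry's gateway and repeat the lookup for the old destination, while the reset leaves the table intact and selects the route for the rewritten destination.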

