From marck@woozle.rinet.ru  Mon May  6 13:13:52 2002
Return-Path: <marck@woozle.rinet.ru>
Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68])
	by hub.freebsd.org (Postfix) with ESMTP id 2E1E537B405
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 May 2002 13:13:51 -0700 (PDT)
Received: (from marck@localhost)
	by woozle.rinet.ru (8.11.6/8.11.6) id g46KDnw11276;
	Tue, 7 May 2002 00:13:49 +0400 (MSD)
	(envelope-from marck)
Message-Id: <200205062013.g46KDnw11276@woozle.rinet.ru>
Date: Tue, 7 May 2002 00:13:49 +0400 (MSD)
From: Dmitry Morozovsky <marck@rinet.ru>
Reply-To: Dmitry Morozovsky <marck@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] ipfw_divert kernel module (for natd)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         37799
>Category:       i386
>Synopsis:       [patch] ipfw_divert kernel module (for natd)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    cjc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 06 13:20:01 PDT 2002
>Closed-Date:    Mon Aug 26 11:31:56 PDT 2002
>Last-Modified:  Mon Aug 26 11:31:56 PDT 2002
>Originator:     Dmitry Morozovsky
>Release:        FreeBSD 4-STABLE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD 4-STABLE (currently 4.6-PRE)


>Description:

If someone wants to use kernel-loadable ipfw with natd, [s]he has to either
recompile the kernel with IPFIREWALL and IPDIVERT options, or recompile
ipfw.ko by hand using -DIPDIVERT.

So, I suppose a little slave module may be used.


>How-To-Repeat:

[none]

>Fix:

Add sys/modules/ipfw_divert directory with Makefile in it:
---
# $FreeBSD$

MASTER= ../ipfw
CFLAGS+= -DIPDIVERT
KMOD=  ipfw-divert

.include "${MASTER}/Makefile"
----

Apply the following patch:

Index: modules/Makefile
===================================================================
RCS file: /home/ncvs/src/sys/modules/Makefile,v
retrieving revision 1.110.2.50
diff -u -r1.110.2.50 Makefile
--- modules/Makefile	4 May 2002 08:23:52 -0000	1.110.2.50
+++ modules/Makefile	6 May 2002 20:01:11 -0000
@@ -34,6 +34,7 @@
 	ip6fw \
 	ipfilter \
 	ipfw \
+	ipfw_divert \
 	ispfw \
 	joy \
 	kernfs \
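Review bot: the new SUBDIR entry points at sys/modules/ipfw_divert, but this diff does not create that directory or its Makefile; they exist only in the prose block above, where KMOD is given as ipfw-divert (the follow-up in this thread corrects it to ipfw_divert). Until the new file is part of the patch, a build in sys/modules will fail on the missing subdirectory, so include it as a diff against /dev/null or ship it next to the patch.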
Index: boot/forth/loader.conf
===================================================================
RCS file: /home/ncvs/src/sys/boot/forth/loader.conf,v
retrieving revision 1.25.2.18
diff -u -r1.25.2.18 loader.conf
--- boot/forth/loader.conf	28 Apr 2002 22:49:54 -0000	1.25.2.18
+++ boot/forth/loader.conf	6 May 2002 19:56:01 -0000
@@ -138,7 +138,8 @@
 if_ppp_load="NO"		# Kernel ppp
 if_sl_load="NO"			# SLIP
 if_tun_load="NO"		# Tunnel driver (user process ppp)
-ipfw_load="NO"			# Firewall
+ipfw_load="NO"			# Firewall (mutually exclusive with the next)
+ipfw_divert_load="NO"		# Firewall with divert
 
 
 ##############################################################
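Review bot: the ipfw_divert_load knob is described as "Firewall with divert", but a module built from ip_fw.c with -DIPDIVERT only changes the firewall side; the divert socket itself lives in in_proto.c, ip_divert.c, ip_input.c and ip_output.c, as cjc points out later in this PR, so on a kernel built without IPDIVERT the knob loads a module whose divert rules have nothing to hand packets to. Either state that kernel requirement in the comment or hold the loader.conf change until the module really provides divert. "Mutually exclusive with the next" is also only a comment: nothing prevents both knobs being set to YES, so say what the expected failure is in that case.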
Index: modules/ipfw/Makefile
===================================================================
RCS file: /home/ncvs/src/sys/modules/ipfw/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- modules/ipfw/Makefile	28 Aug 1999 00:47:21 -0000	1.11
+++ modules/ipfw/Makefile	6 May 2002 19:37:26 -0000
@@ -1,7 +1,7 @@
 # $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $
 
 .PATH:	${.CURDIR}/../../netinet
-KMOD=	ipfw
+KMOD?=	ipfw
 SRCS=	ip_fw.c
 NOMAN=
 CFLAGS+= -DIPFIREWALL
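Review bot: changing KMOD= to KMOD?= is enough to let a slave Makefile rename the module, but everything else in this file is reused as-is: `.PATH: ${.CURDIR}/../../netinet` and SRCS= ip_fw.c are resolved relative to the directory doing the build, so the slave only works if it sits at the same depth under sys/modules as ipfw does, and the master's CFLAGS+= -DIPFIREWALL lands after the slave's own CFLAGS+= -DIPDIVERT only because the slave does its .include last. Neither assumption is written down; a one-line comment next to KMOD?= saying this Makefile is meant to be included from a sibling directory would stop the next reader from tightening it back to KMOD=.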
>Release-Note:
>Audit-Trail:

From: Dmitry Morozovsky <marck@rinet.ru>
To: FreeBSD-gnats-submit@FreeBSD.org, <freebsd-bugs@FreeBSD.org>
Cc:  
Subject: Re: i386/37799: [patch] ipfw_divert kernel module (for natd)
Date: Tue, 7 May 2002 00:26:51 +0400 (MSD)

 Oops, a little typo occurred.
 
 >Add sys/modules/ipfw_divert directory with Makefile in it:
 >---
 ># $FreeBSD$
 >
 >MASTER= ../ipfw
 >CFLAGS+= -DIPDIVERT
 >KMOD=  ipfw-divert
 >
 >.include "${MASTER}/Makefile"
 >----
 
 Of course, it should be
 
 KMOD=	ipfw_divert
 
 (typo bug due to hand typing instead of CVS output -- BTW, how can I
 obtain CVS diff for the file in new dir without write access to repo? ;-)
 
 Sidenote: this patch has been tested (maybe not thoroughly, but all main
 functionality) on today's -stable.
 
 Sincerely,
 D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
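On the question in the message above (a diff for a file in a directory that is not yet in CVS), the usual answer is a unified diff against /dev/null: its "old" side is empty, so applying the hunk creates the file, and no repository write access is needed. The script below is an added example, not part of the PR or of the FreeBSD sources; the function names, the scratch tree and the Makefile contents (written in the corrected KMOD= ipfw_divert form from this message) are constructed for it.

```shell
#!/bin/sh
# Added example, not part of the PR or of the FreeBSD tree: produce a unified
# diff that *creates* a file, which is what a brand-new
# sys/modules/ipfw_divert/Makefile needs, without write access to the repository.
# The tree root is a scratch directory whose layout mirrors the paths in the PR.
set -e

# Write the corrected slave Makefile (KMOD= ipfw_divert, as fixed in the thread)
# below tree root $1. Single quotes keep ${MASTER} and $FreeBSD$ literal.
write_slave_makefile() {
    mkdir -p "$1/sys/modules/ipfw_divert"
    printf '%s\n' \
        '# $FreeBSD$' \
        '' \
        'MASTER= ../ipfw' \
        'CFLAGS+= -DIPDIVERT' \
        'KMOD= ipfw_divert' \
        '' \
        '.include "${MASTER}/Makefile"' \
        > "$1/sys/modules/ipfw_divert/Makefile"
}

# Print a unified diff for file $2 (relative to tree root $1) against /dev/null.
# The hunk header reads "@@ -0,0 +1,N @@": nothing on the old side, so patch(1)
# creates the file. diff exits 1 whenever its inputs differ, which is the
# expected outcome here, so only other exit statuses are treated as failure.
new_file_diff() {
    ( cd "$1" && diff -u /dev/null "$2" ) || [ $? -eq 1 ]
}

# Count the lines the patch would add ("+" lines, excluding the "+++" header);
# a quick check that the whole file, and nothing else, ended up in the hunk.
added_line_count() {
    new_file_diff "$1" "$2" | grep -v '^+++ ' | grep -c '^+'
}

# Demo: build the scratch tree and show the patch that creates the Makefile.
SCRATCH=$(mktemp -d)
write_slave_makefile "$SCRATCH"
new_file_diff "$SCRATCH" sys/modules/ipfw_divert/Makefile
echo "lines added: $(added_line_count "$SCRATCH" sys/modules/ipfw_divert/Makefile)"
rm -rf "$SCRATCH"
```

Because the path given to diff is relative to the tree root, the "+++" header carries sys/modules/ipfw_divert/Makefile and the result applies with `patch -p0` from that root, the same way the hunks in the PR do.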
 

From: "Crist J. Clark" <cjc@FreeBSD.org>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: i386/37799: [patch] ipfw_divert kernel module (for natd)
Date: Mon, 6 May 2002 22:39:14 -0700

 On Tue, May 07, 2002 at 12:13:49AM +0400, Dmitry Morozovsky wrote:
 [snip]
 
 > If someone wants to use kernel-loadable ipfw with natd, [s]he has to either
 > recompile kernel with IPFIREWALL and IPDIVERT options, or recompile
 > ipfw.ko by hand using -DIPDIVERT
 > 
 > So, I suppose a little slave module may be used.
 
 I don't think this will work. Did you try it? You need to have DIVERT
 defined when the kernel is compiled too (DIVERT appears in in_proto.c,
 ip_divert.c, ip_input.c, and ip_output.c).
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: Dmitry Morozovsky <marck@rinet.ru>
To: "Crist J. Clark" <cjc@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: i386/37799: [patch] ipfw_divert kernel module (for natd)
Date: Tue, 7 May 2002 12:46:00 +0400 (MSD)

 On Mon, 6 May 2002, Crist J. Clark wrote:
 
 CJC> > If someone wants to use kernel-loadable ipfw with natd, [s]he has to either
 CJC> > recompile kernel with IPFIREWALL and IPDIVERT options, or recompile
 CJC> > ipfw.ko by hand using -DIPDIVERT
 CJC> >
 CJC> > So, I suppose a little slave module may be used.
 CJC>
 CJC> I don't think this will work. Did you try it? You need to have DIVERT
 CJC> defined when the kernel is compiled too (DIVERT appears in in_proto.c,
 CJC> ip_divert.c, ip_input.c, and ip_output.c).
 
 Ehgm. Yeah, you're certainly right. I need to dig into this thoroughly. Please
 put this PR into Suspend state so we can pick it up later.
 
 Thanks.
 
 [to myself: Don't try to be both creative and terse while running ;-)]
 
 Sincerely,
 D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 
State-Changed-From-To: open->suspended 
State-Changed-By: cjc 
State-Changed-When: Thu May 9 12:17:16 PDT 2002 
State-Changed-Why:  
This is a non-trivial modification to the IP stack. I will put this in
"suspended" for two months, but if there isn't at least some
"plan-of-attack" devised in that time, I'm going to close this up.


Responsible-Changed-From-To: freebsd-bugs->cjc 
Responsible-Changed-By: cjc 
Responsible-Changed-When: Thu May 9 12:17:16 PDT 2002 
Responsible-Changed-Why:  
I will take this so it does not get forgotten and left in a
suspend-limbo indefinitely.

http://www.freebsd.org/cgi/query-pr.cgi?pr=37799 
State-Changed-From-To: suspended->closed 
State-Changed-By: cjc 
State-Changed-When: Mon Aug 26 11:28:23 PDT 2002 
State-Changed-Why:  
This seems to have died. The two months I mentioned at the change to
"suspended" status have long passed.

I think the best resolution for this is some of the occasional
remarks from developers to just always build in divert(4)
capabilities. That approach would also render this PR moot.

http://www.freebsd.org/cgi/query-pr.cgi?pr=37799 
>Unformatted:
