From nobody@FreeBSD.org  Fri Mar 23 07:52:11 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 36A5337B71A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 23 Mar 2001 07:52:11 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2NFqBO68889;
	Fri, 23 Mar 2001 07:52:11 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200103231552.f2NFqBO68889@freefall.freebsd.org>
Date: Fri, 23 Mar 2001 07:52:11 -0800 (PST)
From: bugs@daemon.se
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPDIVERT problems with ipfw as module
X-Send-Pr-Version: www-1.0

>Number:         26030
>Category:       kern
>Synopsis:       IPDIVERT problems with ipfw as module
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 23 08:00:02 PST 2001
>Closed-Date:    Fri Mar 23 17:33:28 PST 2001
>Last-Modified:  Fri Mar 23 17:42:50 PST 2001
>Originator:     Håkan Carlsson
>Release:        4.2-RELEASE
>Organization:
daemon software
>Environment:
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Feb  9 13:38:52
CET 2001     root@pro.easylogic.se:/usr/src/sys/compile/GENERIC  i386

>Description:
IPDIVERT does not work when built in to the ipfw module.
Have tested the same setup with a modified ipfw module (Makefile below)
and could not get the packets diverted to the receiving process.
When IPDIVERT is built in to the kernel (along with IPFIREWALL etc)
it works...
It seems like the packets are discarded (see ipfw show logs below); ktrace-ing
the receiving process shows that there isn't anything received in the
ipfw-module case.

# uname -a      # with IPDIVERT in ipfw module
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Feb  9 13:38:52
CET 2001     root@pro.easylogic.se:/usr/src/sys/compile/GENERIC  i386


# uname -a      # with IPDIVERT built into kernel
FreeBSD machine.dot.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Fri Mar 23 15:23:03
GMT 2001     root@machine.dot.com:/usr/src/sys/compile/IPDIVERT  i386


# ipfw show     # with IPDIVERT in ipfw module
<some lines removed>
01200 11  660 divert 5555 ip from any to any recv xl0
01300  0    0 allow ip from any to any


# ipfw show     # with IPDIVERT built into kernel
<some lines removed>
01200 360 21504 divert 5555 ip from any to any recv xl0
01300 360 21504 allow ip from any to any


# cat /sys/modules/ipfw/Makefile
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $

.PATH:  ${.CURDIR}/../../netinet
KMOD=   ipfw
SRCS=   ip_fw.c
NOMAN=
CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
CFLAGS+= -DIPFIREWALL_VERBOSE
#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
#
#If you want it to pass all packets by default
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
#
#If you want ipdivert
CFLAGS+= -DIPDIVERT
#
.include <bsd.kmod.mk>


# cat /boot/loader.conf
ipfw_load="YES"                 # Firewall

>How-To-Repeat:
Trying to use IPDIVERT in ipfw-module (I guess natd would fail too).
>Fix:
Build a kernel with IPDIVERT (along with IPFIREWALL etc)
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: billf 
State-Changed-When: Fri Mar 23 17:33:28 PST 2001 
State-Changed-Why:  
Unfortunately, this is a limitation of the current design
of the BSD TCP/IP stack. IPDIVERT is used in more than just
ip_fw.c, it is in multiple other files (ip_{input,output}.c).

Changing this is non-trivial, though you may want to read 
an informative post to freebsd-current made by Terry Lambert 
on this exact same topic: 

http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=552825+556658+/usr/local/www/db/text/2000/freebsd-current/20001029.freebsd-current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26030 
>Unformatted:
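Added example, not part of this PR and not FreeBSD's own code: a minimal divert(4) consumer in C of the kind the reporter's "receiving process" would be. It opens a divert socket on port 5555 (the port in rule 01200 of the report), validates the IPv4 header of each packet it receives, logs it, and reinjects it unchanged with the sockaddr it arrived with so the packet resumes at the rule after the divert rule. The `IPPROTO_DIVERT` fallback value (254, FreeBSD's value) and the embedded 40-byte TCP/IPv4 sample packet are assumptions and constructed data, not taken from the reporter's host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* FreeBSD's <netinet/in.h> defines IPPROTO_DIVERT as 254; fallback so the
 * file also compiles where divert sockets do not exist (assumption). */
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254
#endif

struct ip_info {
    unsigned hdr_len, total_len, proto;
    uint32_t src, dst;      /* host byte order */
    int checksum_ok;
};

/* RFC 1071 one's-complement checksum; yields 0 over a header whose checksum
 * field is correct. */
uint16_t ip_checksum(const unsigned char *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sanity-check the IPv4 header of a diverted packet: 0 on success, -1 if the
 * buffer is not a plausible IPv4 packet (version, IHL, total length). */
int parse_ipv4(const unsigned char *p, size_t len, struct ip_info *out)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return -1;
    unsigned hl = (p[0] & 0x0f) * 4, tl = ((unsigned)p[2] << 8) | p[3];
    if (hl < 20 || hl > len || tl < hl || tl > len)
        return -1;
    out->hdr_len = hl; out->total_len = tl; out->proto = p[9];
    out->src = ((uint32_t)p[12] << 24) | ((uint32_t)p[13] << 16) | ((uint32_t)p[14] << 8) | p[15];
    out->dst = ((uint32_t)p[16] << 24) | ((uint32_t)p[17] << 16) | ((uint32_t)p[18] << 8) | p[19];
    out->checksum_ok = (ip_checksum(p, hl) == 0);
    return 0;
}

/* Constructed sample (not a capture): TCP SYN 10.0.0.1:1234 -> 10.0.0.2:80,
 * IPv4 header checksum 0x66cd precomputed for these 20 header bytes. */
const unsigned char kSamplePacket[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x66, 0xcd,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0x20, 0x00, 0, 0, 0, 0
};

/* Open and bind a divert socket. socket() failing with EPROTONOSUPPORT means
 * the running kernel has no divert protocol (no IPDIVERT) at all. */
int open_divert(uint16_t port)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);               /* the divert port, not a TCP/UDP port */
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { close(fd); return -1; }
    return fd;
}

/* Receive up to max_packets (-1 = forever), log each, reinject it unchanged
 * with the same sockaddr so it continues at the rule after the divert rule.
 * Returns how many packets actually reached userland. */
long divert_loop(int fd, long max_packets)
{
    static unsigned char buf[65535];
    long seen = 0;
    while (max_packets < 0 || seen < max_packets) {
        struct sockaddr_in from; socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { if (errno == EINTR) continue; perror("recvfrom"); break; }
        seen++;
        struct ip_info info;
        if (parse_ipv4(buf, (size_t)n, &info) == 0) {
            char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
            uint32_t ns = htonl(info.src), nd = htonl(info.dst);
            inet_ntop(AF_INET, &ns, s, sizeof s); inet_ntop(AF_INET, &nd, d, sizeof d);
            printf("#%ld %s -> %s proto %u len %u csum %s\n", seen, s, d,
                   info.proto, info.total_len, info.checksum_ok ? "ok" : "BAD");
        }
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto (reinject)");
    }
    return seen;
}

int main(int argc, char **argv)
{
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 5555;   /* rule 01200 above */
    int fd = open_divert(port);
    if (fd < 0) {
        perror("divert socket");
        if (errno == EPROTONOSUPPORT) fprintf(stderr, "kernel has no IPDIVERT\n");
        return 1;
    }
    fprintf(stderr, "reading divert port %u; compare counts with 'ipfw show'\n", port);
    long n = divert_loop(fd, -1);
    close(fd);
    return n > 0 ? 0 : 1;
}
```

Run it as root on the firewall host with the divert rule loaded and compare its per-packet log with the counters from `ipfw show`. Two different failures are distinguishable this way: if `socket()` fails with EPROTONOSUPPORT, the kernel has no divert protocol at all; if the socket opens and the divert rule's counter climbs while this program never logs a packet and the following `allow` rule stays at zero, the packets are being dropped inside the stack before they reach the socket, which is the symptom the reporter's `ipfw show` output and ktrace describe.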
