I may have spoken too soon.
It lets me add the same entry multiple times, and it does not let me delete it. This would imply that the check to see if it is already in the list (ip_nat.c line ~650) is failing for some reason when I add nodes. It calls bcmp from in_flags and down. I cannot delete the rules from the shell either (cut'n'paste wise).
[EMAIL PROTECTED](/home/lundman/src/l4ip/src) sudo ipnat -l
List of active MAP/Redirect filters:
rdr fxp0 0.0.0.0/32 port 8000 -> 192.168.30.97 port 80 tcp round-robin
rdr fxp0 0.0.0.0/32 port 8000 -> 192.168.30.97 port 80 tcp round-robin
Although, if I cut'n'paste one of those lines into the ipnat command, it lets me add one more, then refuses me with "File exists". So clearly the rules that I add from my code have something set that I should not set.
[EMAIL PROTECTED](/home/lundman/src/l4ip/src) sudo ipnat -ld
List of active MAP/Redirect filters:
rdr fxp0 0.0.0.0/32 port 8000 -> 192.168.30.97 port 80 tcp round-robin
pmax 16415
space 1 use 0 hits 0 flags 0x101 proto 6 hv 0
ifp[0] 0xc1248040 ifp[1] 0xc1248040 apr 0x0
tqehead 0x0/0x0 comment 0x0
rdr fxp0 0.0.0.0/32 port 8000 -> 192.168.30.97 port 80 tcp round-robin
pmax 16415
space 1 use 0 hits 0 flags 0x101 proto 6 hv 0
ifp[0] 0xc1248040 ifp[1] 0xc1248040 apr 0x0
tqehead 0x0/0x0 comment 0x0

Jorgen Lundman wrote:
Thanks, I was going through the kernel-side code to see where it might fail, and saw that the ioctls took ipfobj. I just assumed I didn't understand the code and dismissed it. :)
It works great. The only issues I found were that the IPFILTER_VERSION and in_ifname #defines are not, well, defined anywhere in the system include files.
The next thing I was going to look at was to add a patch for "sticky" to round-robin. But I noticed there is already a sticky flag defined? Is my work there already done?
Sincerely,
Lundy
diff for those that are interested:
108d107 < struct ipfobj obj; 113,121d111 < < // We wrap all ioctl() in ipfobj for future compatibility < memset(&obj, 0, sizeof(obj)); < obj.ipfo_rev = 4010300; // FIXME: find version < obj.ipfo_size = sizeof(l4_nat); < obj.ipfo_ptr = &l4_nat; < obj.ipfo_type = IPFOBJ_IPNAT; < < 161c151 < if (ioctl(nat_fd, SIOCADNAT, &obj) == -1) --- > if (ioctl(nat_fd, SIOCADNAT, &l4_nat) == -1)
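Review bot: in hunk 108d107 the diff was generated with the new file as the first argument, so the `<` lines are the code being added and the `>` line in 161c151 is the code being removed; regenerate it with the old file first (or as a unified diff) so readers do not misread the direction. The `struct ipfobj obj;` declaration itself is what the ioctl wrapper needs.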
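Review bot: in hunk 113,121d111, `obj.ipfo_rev = 4010300; // FIXME: find version` hardcodes the IPFilter revision, which will go stale as soon as the headers change and gives the kernel nothing it can trust if it compares the revision against its own build. Use the IPFILTER_VERSION macro from the IPFilter headers instead of a literal (the thread notes it is missing from the system includes, so the tool should pull in the IPFilter source headers rather than guess), and keep the `memset(&obj, 0, sizeof(obj))` so any padding in ipfobj is zeroed before it reaches the kernel.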
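Review bot: hunk 161c151 only wraps the add ioctl (`ioctl(nat_fd, SIOCADNAT, &obj)`); if the tool's delete path still passes `&l4_nat` directly it will have the same structure mismatch, which would fit the "does not let me delete it" symptom, so the delete ioctl should be given the same ipfobj wrapping.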
Darren Reed wrote:
In IPFilter 4.1, most of the ioctls that take structures have a wrapping structure, struct ipfobj, that is used to pass them in.
Have a look at samples/proxy.c (it incorrectly passes the wrong thing to the ioctl too.)
Darren
--
Jorgen Lundman      | <[EMAIL PROTECTED]>
Unix Administrator  | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo   | +81 (0)90-5578-8500 (cell)
Japan               | +81 (0)3 -3375-1767 (home)
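As an added illustration of the duplicate check Jorgen describes (a bcmp from in_flags to the end of the rule), and not code from IPFilter or from anyone in this thread: the struct below is a hypothetical stand-in whose field names echo the ipnat listing above, not the real struct ipnat, and the three demo functions reproduce what was observed. A rule built on a zeroed struct is caught as a duplicate; the same rule built on a struct with stale bytes (or with a kernel-owned field set from userland) prints identically in ipnat -l yet compares as different, so it can be added repeatedly, while a pasted ipnat rule is accepted once and refused the second time.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical NAT rule modelled on the fields shown in this thread.
 * It is NOT IPFilter's struct ipnat; only the layout idea matters:
 * kernel-private fields first, then in_flags and the user-visible fields. */
typedef struct nat_rule {
    struct nat_rule *in_next;  /* kernel list linkage, before in_flags: not compared */
    uint32_t in_hits;          /* kernel counter, before in_flags: not compared */
    /* ---- the duplicate check compares from in_flags to the end ---- */
    uint32_t in_flags;
    char     in_ifname[16];
    uint32_t in_outip, in_outmsk;   /* 0.0.0.0/32 in the listing */
    uint32_t in_inip;               /* 192.168.30.97 */
    uint16_t in_pmin, in_pmax;      /* port 8000 */
    uint16_t in_pnext;              /* round-robin cursor: kernel-owned, should stay 0 */
    uint8_t  in_p;                  /* protocol, 6 = tcp */
    uint8_t  in_space;              /* kernel scratch, should stay 0 */
    /* compiler padding after in_space is inside the compared range too */
} nat_rule_t;

/* Same idea as the bcmp() in the kernel check the thread mentions. */
static int same_rule(const nat_rule_t *a, const nat_rule_t *b) {
    size_t off = offsetof(nat_rule_t, in_flags);
    return memcmp((const char *)a + off, (const char *)b + off, sizeof *a - off) == 0;
}

static const nat_rule_t *find_dup(const nat_rule_t *head, const nat_rule_t *cand) {
    for (const nat_rule_t *r = head; r != NULL; r = r->in_next)
        if (same_rule(r, cand)) return r;
    return NULL;
}

/* Fields a userland tool legitimately sets for the rdr rule in the listing. */
static void fill_rdr(nat_rule_t *r) {
    strncpy(r->in_ifname, "fxp0", sizeof r->in_ifname - 1);
    r->in_flags = 0x101;
    r->in_outip = 0; r->in_outmsk = 0xffffffffu;
    r->in_inip = 0xc0a81e61u;           /* 192.168.30.97 as a host-order word */
    r->in_pmin = r->in_pmax = 8000;
    r->in_p = 6;
}

/* The right way: zero everything (padding included), then fill. */
static void make_clean(nat_rule_t *r) { memset(r, 0, sizeof *r); fill_rdr(r); }

/* The failure mode: struct left with stale bytes (0xAA stands in for
 * uninitialised stack contents) and a kernel-owned field set by userland. */
static void make_dirty(nat_rule_t *r) {
    memset(r, 0xAA, sizeof *r);
    fill_rdr(r);
    r->in_pnext = 1;
}

/* Two clean copies of the rule: the second add is rejected as a duplicate. */
int demo_clean_duplicate_detected(void) {
    nat_rule_t first, cand;
    make_clean(&first); first.in_next = NULL;
    make_clean(&cand);
    return find_dup(&first, &cand) != NULL;
}

/* Dirty candidate against an installed clean rule: it prints the same line
 * in ipnat -l, but the byte compare says "different", so it gets added again. */
int demo_dirty_rule_slips_through(void) {
    nat_rule_t first, cand;
    make_clean(&first); first.in_next = NULL;
    make_dirty(&cand);
    return find_dup(&first, &cand) == NULL;
}

/* The thread's observation: with two dirty rules installed, a pasted (clean)
 * ipnat rule is accepted once, then refused with EEXIST on the next attempt. */
int demo_pasted_rule_refused_second_time(void) {
    nat_rule_t d1, d2, pasted, again;
    make_dirty(&d1); make_dirty(&d2);
    d1.in_next = &d2; d2.in_next = NULL;
    make_clean(&pasted);
    if (find_dup(&d1, &pasted) != NULL) return 0;   /* first paste must be accepted */
    d2.in_next = &pasted; pasted.in_next = NULL;     /* kernel appends it to the list */
    make_clean(&again);
    return find_dup(&d1, &again) != NULL;            /* second paste: "File exists" */
}
```

The practical check this suggests for any tool that hands a rule structure to the kernel: memset the whole struct (and the ipfobj wrapper) to zero before filling it, set only the fields the kernel documents as user-settable, and compare a hex dump of what your tool submits against what ipnat itself submits for the same rule; any byte that differs from in_flags onwards is a reason the kernel will treat the two as distinct rules.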
