authorPaolo Pisati <piso@FreeBSD.org>2006-12-29 21:59:17 +0000
committerPaolo Pisati <piso@FreeBSD.org>2006-12-29 21:59:17 +0000
commitff2f6fe80f80d871fe86717b7ed875bc3f440e67 (patch)
tree69ec3c3af60d727edf88005d9af7a9beb78e73fe /sys/netinet/ip_fw_pfil.c
parent139bc87fda4833b55d0dd845015121fb348db53e (diff)
Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get: -ipfw's in kernel nat -redirect_* and LSNAT support General information about nat syntax and some examples are available in the ipfw (8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to natd (8) man page. To enable in kernel nat in rc.conf, two options were added: o firewall_nat_enable: equivalent to natd_enable o firewall_nat_interface: equivalent to natd_interface Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased. NOTA BENE: due to some problems with libalias architecture, in kernel nat won't work with TSO enabled nic, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso). Approved by: glebius (mentor)
Notes
Notes: svn path=/head/; revision=165648
Diffstat (limited to 'sys/netinet/ip_fw_pfil.c')
-rw-r--r--sys/netinet/ip_fw_pfil.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c
index a58f96fe9040..d8285b541f9a 100644
--- a/sys/netinet/ip_fw_pfil.c
+++ b/sys/netinet/ip_fw_pfil.c
@@ -189,6 +189,9 @@ again:
if (!NG_IPFW_LOADED)
goto drop;
return ng_ipfw_input_p(m0, NG_IPFW_IN, &args, 0);
+
+ case IP_FW_NAT:
+ goto again; /* continue with packet */
default:
KASSERT(0, ("%s: unknown retval", __func__));
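Review bot: The `goto again` under `case IP_FW_NAT` re-enters the rule check with no bound visible in this hunk, so termination depends entirely on the state the firewall leaves in `args` after aliasing; if a nat rule could match again on the rewritten packet, this path would spin inside the packet input hook. The comment `/* continue with packet */` does not record that dependency; I would replace it with `/* packet was (de)aliased; re-run the check, which must resume past the nat rule or accept */` and confirm the invariant in the code that returns IP_FW_NAT. The same applies to the identical case added in the second hunk (the `NG_IPFW_OUT` path), where the blank line also sits after the case rather than before it as here. The `again:` label and the rest of the enclosing function lie outside both hunks, so the loop body itself cannot be checked from this page.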
@@ -315,6 +318,9 @@ again:
goto drop;
return ng_ipfw_input_p(m0, NG_IPFW_OUT, &args, 0);
+ case IP_FW_NAT:
+ goto again; /* continue with packet */
+
default:
KASSERT(0, ("%s: unknown retval", __func__));
}