From: "Crist J. Clark" <crist.clark@attbi.com>
To: andy@sorted.org
cc: freebsd-ipfw@freebsd.org
Date: Fri, 16 May 2003 12:46:48 -0700
Subject: Re: Q: ipfw & divert sockets (2nd try)
Message-ID: <20030516194648.GD98044@blossom.cjclark.org>
In-Reply-To: <19025.217.154.240.18.1052823481.squirrel@radix.sorted.org>
List-Id: IPFW Technical Discussions

On Tue, May 13, 2003 at 11:58:01AM +0100, andy@sorted.org wrote:
> Apologies if this is not the place for this question - I worked through
> the list of mailing lists and this seemed the appropriate spot (and
> apologies if you already have this mail from another address - reverse-DNS
> problems).
>
> I've been working to use FreeBSD 4.8-STABLE/IPFW2 and a small user-land app
> linked to it via a divert socket, to encapsulate all outgoing data on a
> given interface into a UDP packet stream (and vice versa) - effectively an
> IP-over-UDP tunnel.
>
> The send side of this seems to work fine - I can send a datagram,
> encapsulate it, and watch it travel over the network. Furthermore, the
> receive side seems to correctly de-encapsulate the packet without raising
> an error. However, the de-encapsulated packet, which is identical to its
> 'pre-encapsulated' form, does not seem to make it out of the diverted
> socket, and appears to be dropped.
>
> Is what I'm doing possible within the IPFW2 framework, or am I trying to
> do something foolish?
> Are inbound packets handled differently to outbound ones?

I wrote some code to do this too. Are you checking the return value of
the sendto(2) that writes the packet back to the divert(4) socket? Is it
returning the correct size?

We'll probably need to at least see the firewall rules and likely some of
the source code too to be able to help.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
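The check Crist asks about, written out as an added example. This is not code from either poster's program; it is a minimal divert(4) read/reinject loop whose reinjection helper verifies that sendto(2) accepted exactly the IP datagram's `ip_len` bytes, which is the value a tunnel that de-encapsulates into an oversized receive buffer most often gets wrong. Assumptions: an ipfw rule `divert 5555 ip from any to any` (the port number is arbitrary), the FreeBSD value 258 for IPPROTO_DIVERT (defined here only so the file compiles on other hosts; the socket loop itself needs FreeBSD and root), reuse of the sockaddr_in returned by recvfrom so the packet keeps its direction and resumes after the same rule, and a constructed 28-byte IPv4 packet with a zero checksum used only to exercise the length check.

```c
/* Added example, not from the original thread. Reinject packets read from a
 * divert(4) socket and check the sendto(2) return value, as the reply suggests. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value; absent on non-BSD hosts (assumption) */
#endif

#define DIVERT_PORT 5555     /* must match the ipfw "divert 5555" rule (assumption) */

/* Constructed sample: IPv4 header (IHL 5, total length 28, proto UDP, checksum left
 * zero) from 10.0.0.1 to 10.0.0.2 followed by an 8-byte UDP header. Test data only. */
const uint8_t SAMPLE_PKT[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x04, 0xd2, 0x04, 0xd2, 0x00, 0x08, 0x00, 0x00,
};
const size_t SAMPLE_PKT_LEN = sizeof SAMPLE_PKT;

/* sockaddr with INADDR_ANY and rule 0: divert(4) treats such a packet as outgoing. */
struct sockaddr_in DEMO_ADDR = { .sin_family = AF_INET };

/* Total length field of an IPv4 datagram held in buf[0..len), or 0 if the header is
 * not IPv4, is truncated, or claims more bytes than the buffer actually holds. */
size_t ipv4_total_length(const uint8_t *buf, size_t len) {
    if (len < 20 || (buf[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || total < ihl || total > len)
        return 0;
    return total;
}

/* Write one datagram back to the divert socket. Sends exactly ip_len bytes (not the
 * receive buffer size) and returns 0 only if sendto accepted all of them; -1 otherwise
 * with errno from sendto, or EINVAL/EMSGSIZE from our own checks. */
int divert_reinject(int fd, const uint8_t *pkt, size_t len,
                    const struct sockaddr_in *to) {
    size_t want = ipv4_total_length(pkt, len);
    if (want == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t n = sendto(fd, pkt, want, 0, (const struct sockaddr *)to, sizeof *to);
    if (n < 0)
        return -1;
    if ((size_t)n != want) {
        errno = EMSGSIZE;   /* short write: the kernel did not take the whole packet */
        return -1;
    }
    return 0;
}

int main(void) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }

    struct sockaddr_in bind_addr = { .sin_family = AF_INET,
                                     .sin_port = htons(DIVERT_PORT) };
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind"); return 1;
    }

    uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) {
            if (errno == EINTR) continue;
            perror("recvfrom"); break;
        }
        /* A tunnel would hand buf[0..n) to its UDP peer here (outbound) or would have
         * received it from the peer (inbound). Either way the reinject step is the same:
         * pass back the sockaddr recvfrom gave us so direction and rule are preserved. */
        if (divert_reinject(fd, buf, (size_t)n, &from) < 0)
            fprintf(stderr, "reinject of %zd bytes failed: %s\n", n, strerror(errno));
    }
    close(fd);
    return 0;
}
```

Run it as root on the FreeBSD box with the divert rule in place; a failing reinject now prints the length and errno instead of silently dropping the packet. For the de-encapsulating side of a tunnel, the sockaddr to use is the one the inbound divert read originally returned (or one constructed per divert(4) for incoming traffic), not the outbound one.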