From owner-freebsd-hackers Thu Jan 30 17:57:55 1997
From: Archie Cobbs
Message-Id: <199701310156.RAA00251@bubba.whistle.com>
Subject: Re: ipdivert & masqd
In-Reply-To: <199701301057.KAA00746@ui-gate.utell.co.uk> from Brian Somers at "Jan 30, 97 10:53:04 am"
To: brian@utell.co.uk (Brian Somers)
Date: Thu, 30 Jan 1997 17:56:49 -0800 (PST)
Cc: archie@whistle.com, terry@lambert.org, ari.suutari@ps.carel.fi,
    hackers@FreeBSD.org, cmott@srv.net, brian@awfulhak.demon.co.uk

> > > I've essentially got the following:
> > >
> > >  ----------------                  ----------------------
> > >  |  10.0.10.2   |------------------|  10.0.10.1         |
> > >  ----------------                  |                    |
> > >                                    |  10.0.1.254 (ed0)  |
> > >                                    ----------------------
> > >                                              |
> > >                                              |
> > >  -----------------                           |
> > >  |  10.0.1.1     |----------------------------
> > >  -----------------
> > >
> > > with a mask of ffffff00 everywhere and the machine in the middle using
> > > the following:
> > >
> > >     ipfw add 100 divert 6668 all from any to any via ed0
> >
> > A-HAH! :-)
> >
> > Could you try the following patch?
> >
> > Thanks,
> > - -Archie
> >
> > [.....]
>
> I tried it, and I'm a bit confused about the results !  It
> allows connections in both directions between 10.0.1.1 and
> 10.0.1.254, but sending a packet from 10.0.10.2 to 10.0.1.1
> goes to 10.0.10.1, gets aliased as 10.0.1.254->10.0.1.1,
> gets accepted and replied to by 10.0.1.1 and gets changed
> from 10.0.1.1->10.0.1.254 to 10.0.1.1->10.0.10.3 by the
> PacketAlias stuff and then disappears.

I the 10.0.10.3 is a typo..

> Maybe the problem is with the forwarding code - where ip_input()
> calls ip_output().  I didn't realize this happened !  Surely, we
> should be remembering and zero'ing ip_divert_ignore before
> calling ip_output here, and restoring it afterwards.  I'll check this
> when I get home this evening !

Yes, ip_input() calls ip_output() indirectly when forwarding packets.
You actually want to *not* zero ip_divert_ignore in this case in
order to realize the intended semantics of the socket -- the loop
avoidance is supposed to avoid all diversion back to the port, even
if the packet passes through ipfw twice, on the way "in" and on
the way "out".

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com