From: n j
Date: Fri, 17 Jan 2014 00:01:48 +0100
Subject: Re: kern/122963: [ipfw] tcpdump does not show packets redirected by 'ipfw fwd' on proper interface
To: "Alexander V. Chernikov"
Cc: freebsd-ipfw@freebsd.org
List-Id: IPFW Technical Discussions

Ok, it's been a while since I posted that feedback to the PR, so I don't really remember all the details, but I probably get what you're saying. Let me go over my original problem:

A program ("MUX") listens on port 443 on the server. It receives requests from clients and forwards those packets to another program ("SERVER") listening on the same server on port 8443. MUX is using transparent forwarding, so the SERVER receives packets with the original address and port intact. Obviously, when SERVER makes a reply, it sends the reply directly to the original client, due to source addresses having been transparently forwarded. To fix that, an 'ipfw fwd' rule catches these outgoing packets and redirects the packets back to MUX. This setup works fine.

The problem arose while I was debugging some issues with the programs, and that was when I noticed that in the tcpdump I only see the following traffic:

(tcpdump on public interface)
CLIENT:PORT --> MUX:443
MUX:443 --> CLIENT:PORT

and (tcpdump on loopback)
MUX (posing as CLIENT:PORT) --> SERVER:8443

but there was no traffic going back from SERVER:8443 to CLIENT:PORT (actually ending in MUX due to the 'ipfw fwd' rule). As I said above, I probably understand why it's not there. I can see the fwd rule in ipfw logs showing the packet going from SERVER:8443 to CLIENT:PORT out via the public interface, but it actually doesn't reach the wire and tcpdump because the fwd rule snatches it before it can go out and forwards it to MUX so that MUX can send it out.
However, I still feel as if there should be a trace of that packet somewhere in the tcpdump, as the packet after all leaves one userland program (SERVER) and enters another userland program (MUX). It'd certainly help to see all packets (i.e. both connections and all 4 directions) when debugging problems with a setup like the one I described.

Am I missing something important here?

Regards,
--
Nino

On Thu, Jan 16, 2014 at 12:20 PM, Alexander V. Chernikov <melifaro@freebsd.org> wrote:
> The following reply was made to PR kern/122963; it has been noted by GNATS.
>
> From: "Alexander V. Chernikov"
> To: bug-followup@FreeBSD.org, zuborg@advancedhosters.com
> Cc:
> Subject: Re: kern/122963: [ipfw] tcpdump does not show packets redirected by 'ipfw fwd' on proper interface
> Date: Thu, 16 Jan 2014 15:09:46 +0400
>
> This is not a bug.
>
> You're adding a fwd rule which forwards an outgoing packet back to the local system (since the fwd address is em0's address).
> That's why you're not seeing the packet on the wire.
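The layout the thread describes, as an added example that is not Nino's ruleset and not code from the PR: an ipfw(8) ruleset for a MUX listener on :443 handing connections transparently to a SERVER on :8443, with the fwd rule that catches SERVER's replies on the output path, plus the capture commands for each leg of the exchange. The interface name em0 is the one Alexander's reply mentions; the address 192.0.2.10 (TEST-NET-1) and SERVER listening on that same address are assumptions made here, overridable through the environment. The script only prints the rules unless run with `load` on a host that actually has ipfw.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: an ipfw(8) ruleset for the
# MUX / SERVER layout in the message above, plus the capture commands for
# each leg of the exchange.
#
# Assumptions (not given on the page): the public interface is em0 (the
# name Alexander's reply uses), its address is 192.0.2.10 (TEST-NET-1,
# constructed here), and SERVER listens on that same address. Override
# PUB_IF, PUB_IP, SRV_IP in the environment to match a real host.

PUB_IF=${PUB_IF:-em0}
PUB_IP=${PUB_IP:-192.0.2.10}
SRV_IP=${SRV_IP:-$PUB_IP}
MUX_PORT=443
SRV_PORT=8443

# build_ruleset prints the rules in ipfw's file syntax (one "add ..." per
# line; "#" lines are comments) so they can be reviewed before loading.
build_ruleset() {
    cat <<EOF
# loopback: MUX (posing as CLIENT:PORT) -> SERVER:$SRV_PORT travels here
add 100 allow ip from any to any via lo0
# leg 1: CLIENT:PORT -> MUX:$MUX_PORT arrives on the public interface
add 200 allow tcp from any to $PUB_IP $MUX_PORT in recv $PUB_IF
# leg 2: MUX:$MUX_PORT -> CLIENT:PORT, sent by MUX itself
add 210 allow tcp from $PUB_IP $MUX_PORT to any out xmit $PUB_IF
# leg 4: SERVER's reply is addressed to the client (the source address was
# forwarded transparently), so the kernel would send it out $PUB_IF.
# Catch it on the output path and hand it to MUX; "log" is what makes the
# diverted packet visible, since no interface gets to see it.
add 300 fwd $PUB_IP,$MUX_PORT log tcp from $SRV_IP $SRV_PORT to any out xmit $PUB_IF
add 65000 allow ip from any to any
EOF
}

# load_ruleset feeds the rules to ipfw on a FreeBSD host; elsewhere it only
# prints them, so the script can be run anywhere for review.
load_ruleset() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available here; rules that would be loaded:" >&2
        build_ruleset
        return 0
    fi
    build_ruleset | grep -v '^#' | ipfw -q /dev/stdin
}

# capture_cmds prints where each leg can (or cannot) be observed.
capture_cmds() {
    cat <<EOF
# legs 1 and 2: CLIENT:PORT <-> MUX:$MUX_PORT, on the wire
tcpdump -ni $PUB_IF "tcp port $MUX_PORT"
# leg 3: MUX (as CLIENT:PORT) -> SERVER:$SRV_PORT, on loopback
tcpdump -ni lo0 "tcp dst port $SRV_PORT"
# leg 4: SERVER:$SRV_PORT -> CLIENT:PORT is taken by rule 300 before any
# interface sees it; read the rule's counters and its log entries instead
ipfw -a list 300
grep 'ipfw: 300 ' /var/log/security
EOF
}

case "${1:-print}" in
    load) load_ruleset ;;
    *) build_ruleset; echo; capture_cmds ;;
esac
```

Run without arguments to print the rules and the capture commands; `load` applies them with `ipfw -q` (as root). The `log` keyword on rule 300 only produces output once `net.inet.ip.fw.verbose` is set to 1, and the entries go to syslog's security facility, which a default FreeBSD syslog.conf writes to /var/log/security.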