Date: Wed, 13 Feb 2002 16:08:08 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Ruslan Ermilov <ru@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: rdr 127.0.0.1 and blocking 127/8 in ip_output()
Message-ID: <20020213160808.A33240@blossom.cjclark.org>
In-Reply-To: <20020213110347.C46245@sunbay.com>; from ru@FreeBSD.org on Wed, Feb 13, 2002 at 11:03:47AM +0200
References: <20020213110347.C46245@sunbay.com>
On Wed, Feb 13, 2002 at 11:03:47AM +0200, Ruslan Ermilov wrote:
> Hi!
>
> Please test with and without this patch.

Hmm. I'm having a little trouble testing this on -CURRENT. As a first step, I just deleted all of the 127/8 blocking code in ip_output.c, and tried to do a rdr to 127.0.0.1. First, make sure the stops on outgoing 127/8 are really gone,

  bubbles# ping 127.0.0.2
  PING 127.0.0.2 (127.0.0.2): 56 data bytes
  ^C
  --- 127.0.0.2 ping statistics ---
  2 packets transmitted, 0 packets received, 100% packet loss
  bubbles#

And I see,

  bubbles# tcpdump 'net 127.0.0.0/8'
  tcpdump: listening on ep0
  15:46:29.954112 bubbles > 127.0.0.2: icmp: echo request
  15:46:30.964695 bubbles > 127.0.0.2: icmp: echo request
  ^C
  46 packets received by filter
  0 packets dropped by kernel
  bubbles#

OK, all great. So I fire up ipnat(1),

  bubbles# cat ipnat.rules
  # $Id$
  #
  # Testing IPFilter interaction with loopback
  rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp
  bubbles# ipnat -C -f ipnat.rules
  1 entries flushed from NAT list
  bubbles# ipnat -l
  List of active MAP/Redirect filters:
  rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp

  List of active sessions:
  bubbles# ipfstat -io
  pass out from any to any
  pass in from any to any
  bubbles#

And I start a listener on 2323,

  $ nc -l -p 2323

And from another host,

  $ telnet bubbles 23
  Trying 192.168.64.20...
  telnet: connect to address 192.168.64.20: Operation timed out
  telnet: Unable to connect to remote host

That is, it doesn't work. However,

  bubbles# ipnat -l
  List of active MAP/Redirect filters:
  rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp

  List of active sessions:
  RDR 127.0.0.1 2323 <- -> 192.168.64.20 23 [192.168.64.60 1099]

ipnat(1) is working. Where are the packets going? I couldn't find any being blocked or in the netstat statistics.
Now, to see if this works at all, I change the ipnat.rules,

  bubbles# cat ipnat.rules
  # $Id$
  #
  # Testing IPFilter interaction with loopback
  rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp
  bubbles# ipnat -C -f ipnat.rules
  1 entries flushed from NAT list
  bubbles#

Now I try,

  $ telnet bubbles 23
  Trying 192.168.64.20...
  Connected to bubbles.cjclark.org.
  Escape character is '^]'.

And it works fine,

  bubbles# ipnat -l
  List of active MAP/Redirect filters:
  rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp

  List of active sessions:
  RDR 192.168.64.20 2323 <- -> 192.168.64.20 23 [192.168.64.60 1100]
  RDR 127.0.0.1 2323 <- -> 192.168.64.20 23 [192.168.64.60 1099]
  bubbles#

So at least in -CURRENT, this 127.0.0.1 redirect doesn't seem to work even if you remove the code from ip_output.c completely. I'll give -STABLE a try, but these IPFilter people will have the same problem when 5.0-RELEASE comes around if my tests are accurate.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
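The `ipnat -l` listings in the message are a useful audit input on their own: a rdr rule or live session whose translated destination is inside 127/8 is exactly the case the test shows stalling, so a quick scan of the NAT table for such targets tells an operator which redirects are at risk before anyone files a bug. The following is an added example, not part of the message or of IPFilter; it parses the two listings (constructed here from the lines quoted above) and reports every rule and session that rewrites traffic into loopback. The regular expressions are an assumption about the listing format, derived only from the lines shown, not ipnat's own grammar.

```python
"""Audit ipnat(1) rdr rules and 'ipnat -l' sessions for targets inside 127/8.

Both listings at the bottom are constructed from lines in the message.  The
regular expressions are an assumption about the listing format derived from
those lines only; they are not ipnat's own parser.
"""
import ipaddress
import re
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# rule line:    rdr <ifname> <match-net> port <n> -> <target-ip> port <n> <proto>
RDR_RULE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<match>\S+)\s+port\s+(?P<mport>\d+)\s+->\s+"
    r"(?P<target>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>\S+)$")
# session line: RDR <target-ip> <port> <- -> <orig-ip> <port> [<client-ip> <port>]
RDR_SESSION = re.compile(
    r"^RDR\s+(?P<target>\S+)\s+(?P<tport>\d+)\s+<-\s+->\s+(?P<orig>\S+)\s+"
    r"(?P<oport>\d+)\s+\[(?P<client>\S+)\s+(?P<cport>\d+)\]$")


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    match: ipaddress.IPv4Network
    match_port: int
    target: ipaddress.IPv4Address
    target_port: int
    proto: str


@dataclass(frozen=True)
class RdrSession:
    target: ipaddress.IPv4Address
    target_port: int
    orig: ipaddress.IPv4Address
    orig_port: int
    client: ipaddress.IPv4Address
    client_port: int


def parse_ipnat_list(text):
    """Split an 'ipnat -l' listing into (rules, sessions).

    'List of ...' headers, shell prompts and blank lines match neither
    pattern and are skipped."""
    rules, sessions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RDR_RULE.match(line):
            rules.append(RdrRule(m["ifname"], ipaddress.ip_network(m["match"]),
                                 int(m["mport"]), ipaddress.ip_address(m["target"]),
                                 int(m["tport"]), m["proto"]))
        elif m := RDR_SESSION.match(line):
            sessions.append(RdrSession(ipaddress.ip_address(m["target"]), int(m["tport"]),
                                       ipaddress.ip_address(m["orig"]), int(m["oport"]),
                                       ipaddress.ip_address(m["client"]), int(m["cport"])))
    return rules, sessions


def loopback_targets(text):
    """Report every rule and live session whose translated destination is in
    127/8: the rewritten packet arrived on a real interface but is now
    addressed to loopback, which is the case the message found never to be
    delivered.  Returns one human-readable finding per hit."""
    rules, sessions = parse_ipnat_list(text)
    findings = []
    for r in rules:
        if r.target in LOOPBACK:
            findings.append(f"rule {r.ifname} {r.match} port {r.match_port} -> "
                            f"{r.target} port {r.target_port} {r.proto}")
    for s in sessions:
        if s.target in LOOPBACK:
            findings.append(f"session [{s.client} {s.client_port}] "
                            f"{s.orig}:{s.orig_port} -> {s.target}:{s.target_port}")
    return findings


# Constructed from the first 'ipnat -l' output in the message (rdr to 127.0.0.1).
LISTING_LOOPBACK = """\
List of active MAP/Redirect filters:
rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp

List of active sessions:
RDR 127.0.0.1 2323 <- -> 192.168.64.20 23 [192.168.64.60 1099]
"""

# Constructed from the second listing (rdr to the interface address); the
# 127.0.0.1 session from the first test is still in the table.
LISTING_LOCAL = """\
List of active MAP/Redirect filters:
rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp

List of active sessions:
RDR 192.168.64.20 2323 <- -> 192.168.64.20 23 [192.168.64.60 1100]
RDR 127.0.0.1 2323 <- -> 192.168.64.20 23 [192.168.64.60 1099]
"""
```

Running `loopback_targets(LISTING_LOOPBACK)` flags both the rule and its session; on `LISTING_LOCAL` only the stale 127.0.0.1 session from the first test is reported, which matches what the second `ipnat -l` shows. Pipe the live output of `ipnat -l` into `loopback_targets` to do the same check on a running box.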