From owner-freebsd-hackers Fri Jan 31 20:15:55 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA02976 for hackers-outgoing; Fri, 31 Jan 1997 20:15:55 -0800 (PST)
Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA02971 for ; Fri, 31 Jan 1997 20:15:50 -0800 (PST)
Received: from awfulhak.demon.co.uk (localhost.coverform.lan [127.0.0.1]) by awfulhak.demon.co.uk (8.8.4/8.7.3) with ESMTP id EAA04555; Sat, 1 Feb 1997 04:09:48 GMT
Message-Id: <199702010409.EAA04555@awfulhak.demon.co.uk>
X-Mailer: exmh version 1.6.9 8/22/96
To: Archie Cobbs
cc: brian@utell.co.uk (Brian Somers), terry@lambert.org, ari.suutari@ps.carel.fi, hackers@freebsd.org, cmott@srv.net
Subject: Re: ipdivert & masqd FIXED !
In-reply-to: Your message of "Thu, 30 Jan 1997 17:56:49 PST." <199701310156.RAA00251@bubba.whistle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 01 Feb 1997 04:09:47 +0000
From: Brian Somers
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > > I've essentially got the following:
> > > >
> > > > ----------------                  ----------------------
> > > > |  10.0.10.2   |------------------| 10.0.10.1          |
> > > > ----------------                  |                    |
> > > >                                   | 10.0.1.254 (ed0)   |
> > > >                                   ----------------------
> > > >                                             |
> > > >                                             |
> > > > -----------------                           |
> > > > |   10.0.1.1    |---------------------------
> > > > -----------------
[.....]
> > Maybe the problem is with the forwarding code - where ip_input()
> > calls ip_output(). I didn't realize this happened ! Surely, we
> > should be remembering and zero'ing ip_divert_ignore before
> > calling ip_output here, and restoring it afterwards. I'll check this
> > when I get home this evening !
>
> Yes, ip_input() calls ip_output() indirectly when forwarding packets.
> You actually want to *not* zero ip_divert_ignore in this case in order
> to realize the intended semantics of the socket -- the loop avoidance
> is supposed to avoid all diversion back to the port, even if the packet
> passes through ipfw twice, on the way "in" and on the way "out".
>

It turns out that this was the problem !

If 10.0.1.1 pings 10.0.1.254, ip_input() is called. This diverts to
masqd and then gets re-injected. The second time around, ip_input()
ignores the divert (correctly) but calls ip_output(). ip_output()
incorrectly ignores the divert socket - so the packet mangling doesn't
get done !

I've altered things slightly so that ip_divert_ignore gets zero'd as
soon as it's been used in both ip_input() and ip_output(). Patches are
available on www.awfulhak.demon.co.uk.

Also, ip_divert_ignore is set in ip_divert.c irrespective of whether
sin->sin_port is around.... I think this may be wrong, (it works, but
for the wrong reasons) - ICMPs break with the check left in !

I'm not sure why, but this has fixed the other problem too - I had a
bug in my test program, so maybe your suggested patch from a few days
ago worked too - sorry if this is the case.

Anyway, can you have a look at things and see if you want them
committed - or see if you want me committed ;)

There's a version of masqd on www.awfulhak.demon.co.uk too - natd-1.1
is "on the verge" I believe and it's much more functional than masqd,
so I suspect natd will live and masqd will die (RIP).

Cheers.

--
Brian , Don't _EVER_ lose your sense of humour....
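
The flag handling discussed in this message, as an added example that is not part of the original message and is not FreeBSD kernel code: a user-space C model of a packet that passes one divert rule on the way in and again on the way out. The `model_*` functions, the `DIVERT_PORT` value and the reset after re-injection are assumptions of the model.

```c
#include <stdio.h>

/* Simplified user-space model, NOT FreeBSD kernel code. One divert rule
 * sends every packet to DIVERT_PORT, on input and on output. */
#define DIVERT_PORT 6668        /* constructed port number */

static int divert_ignore;       /* models ip_divert_ignore */
static int zero_after_use;      /* 0 = flag persists, 1 = cleared once used */
static int daemon_hits;         /* times the divert daemon saw the packet */
static int sent;                /* times the packet left the host */

/* Returns 1 if the rule diverts the packet, 0 if loop avoidance skips it. */
static int rule_diverts(void)
{
    int skip = (divert_ignore == DIVERT_PORT);
    if (zero_after_use)
        divert_ignore = 0;      /* the change described in the message */
    return !skip;
}

/* The daemon rewrites the packet and writes it back to the same stage. */
static void daemon_reinject(void (*stage)(void))
{
    daemon_hits++;
    divert_ignore = DIVERT_PORT;    /* loop avoidance for the re-injection */
    stage();
    divert_ignore = 0;              /* model assumption: reset afterwards */
}

static void model_ip_output(void)
{
    if (rule_diverts()) { daemon_reinject(model_ip_output); return; }
    sent++;
}

static void model_ip_input(void)
{
    if (rule_diverts()) { daemon_reinject(model_ip_input); return; }
    model_ip_output();              /* input path ends up calling output */
}

/* Run one packet through input then output; returns daemon sightings. */
int forward_one(int zero_flag)
{
    divert_ignore = 0; daemon_hits = 0; sent = 0;
    zero_after_use = zero_flag;
    model_ip_input();
    return daemon_hits;
}

int packets_sent(void) { return sent; }

int main(void)
{
    printf("flag persists:  daemon saw packet %d time(s)\n", forward_one(0));
    printf("zero after use: daemon saw packet %d time(s)\n", forward_one(1));
    return 0;
}
```

With the flag persisting, the daemon sees the packet on the inbound pass only; with the flag cleared on first use, it sees it on the outbound pass as well. In both modes the packet leaves exactly once, so neither behaviour produces a divert loop.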