From owner-freebsd-hackers Sat Feb 1 00:43:59 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA10965 for hackers-outgoing; Sat, 1 Feb 1997 00:43:59 -0800 (PST)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA10960 for ; Sat, 1 Feb 1997 00:43:57 -0800 (PST)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id AAA13973; Sat, 1 Feb 1997 00:43:23 -0800 (PST)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma013969; Sat Feb 1 00:43:03 1997
Received: (from archie@localhost) by bubba.whistle.com (8.7.5/8.6.12) id AAA06137; Sat, 1 Feb 1997 00:43:02 -0800 (PST)
From: Archie Cobbs 
Message-Id: <199702010843.AAA06137@bubba.whistle.com>
Subject: Re: ipdivert & masqd FIXED !
In-Reply-To: <199702010409.EAA04555@awfulhak.demon.co.uk> from Brian Somers at "Feb 1, 97 04:09:47 am"
To: brian@awfulhak.demon.co.uk (Brian Somers)
Date: Sat, 1 Feb 1997 00:43:01 -0800 (PST)
Cc: archie@whistle.com, brian@utell.co.uk, terry@lambert.org, ari.suutari@ps.carel.fi, hackers@freebsd.org, cmott@srv.net
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Yes, ip_input() calls ip_output() indirectly when forwarding packets.
> > You actually want to *not* zero ip_divert_ignore in this case in order
> > to realize the intended semantics of the socket -- the loop avoidance
> > is supposed to avoid all diversion back to the port, even if the packet
> > passes through ipfw twice, on the way "in" and on the way "out".
> 
> It turns out that this was the problem!
> 
> If 10.0.1.1 pings 10.0.1.254, ip_input() is called.  This diverts to masqd
> and then gets re-injected.  The second time around, ip_input() ignores the
> divert (correctly) but calls ip_output().  ip_output() incorrectly ignores
> the divert socket - so the packet mangling doesn't get done!
> 
> I've altered things slightly so that ip_divert_ignore gets zeroed as soon
> as it's been used in both ip_input() and ip_output().  Patches are available
> on www.awfulhak.demon.co.uk.  Also, ip_divert_ignore is set in ip_divert.c
> irrespective of whether sin->sin_port is around....  I think this may be wrong
> (it works, but for the wrong reasons) - ICMPs break with the check left in!

This wasn't the original intent, but in retrospect it makes more sense --
your patch that zeros ip_divert_ignore after calling ip_fw_chk() looks
good to me...

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
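The exchange above turns on the scope of the ip_divert_ignore marker: the divert code sets it while a daemon-re-injected packet is handed back to the stack so ipfw will not divert that packet straight back to the same port, but if the marker stays set for the whole of ip_input() and the ip_output() it calls when forwarding, the outbound divert rule is skipped too and the masquerading daemon never gets to rewrite the source. The model below is an added illustration written for this page, not FreeBSD kernel code and not Brian's patch: ip_input(), ip_output(), ip_fw_chk() and the divert socket's re-injection path are reduced to a few lines each, the daemon is called synchronously inside the stack, and the divert port (6000) and masqueraded address (10.0.1.254) are assumed. It runs the same 10.0.1.1 -> 10.0.1.254 forwarding case under the old behaviour (marker kept until the re-injection returns) and under the thread's fix (marker zeroed by the first ip_fw_chk() that honours it).

```c
/* Model of the ip_divert_ignore loop-avoidance marker discussed in the thread.
 * This is an added illustration, NOT FreeBSD kernel code: the stack functions
 * are reduced to their divert decision, the daemon is invoked synchronously,
 * and DIVERT_PORT and the masqueraded address are assumed values. */
#include <stdio.h>
#include <string.h>

#define DIVERT_PORT 6000            /* assumed port of the daemon's divert socket */

/* Set by the divert code while a daemon-re-injected packet is being processed,
 * so that ipfw does not divert it straight back to the daemon. */
static int ip_divert_ignore = 0;

enum policy {
    KEEP_MARKER,     /* before the patch: marker stays set until re-injection returns */
    ZERO_AFTER_USE   /* the patch: ip_fw_chk() consumes the marker the first time it applies */
};

struct pkt {
    char src[16];    /* source address as written in the header */
    int in_diverts;  /* times diverted from ip_input() */
    int out_diverts; /* times diverted from ip_output() */
};

static void ip_input(struct pkt *p, enum policy pol);
static void ip_output(struct pkt *p, enum policy pol);

/* Model of ip_fw_chk(): the divert rule matches every packet, except that a
 * packet marked as re-injected on DIVERT_PORT is passed through. */
static int ip_fw_chk(enum policy pol)
{
    if (ip_divert_ignore == DIVERT_PORT) {
        if (pol == ZERO_AFTER_USE)
            ip_divert_ignore = 0;   /* consume the marker: only this one check is skipped */
        return 0;                   /* no divert */
    }
    return DIVERT_PORT;             /* divert to the daemon */
}

/* Model of the divert socket's write path: mark the packet as ours, hand it
 * back to the stack at the point it left, clear the marker when the stack returns. */
static void div_reinject(struct pkt *p, int outbound, enum policy pol)
{
    ip_divert_ignore = DIVERT_PORT;
    if (outbound)
        ip_output(p, pol);
    else
        ip_input(p, pol);
    ip_divert_ignore = 0;
}

/* The daemon's side: on the outbound pass it masquerades the source address
 * (the "packet mangling" in the thread); on the inbound pass it only looks. */
static void masqd(struct pkt *p, int outbound, enum policy pol)
{
    if (outbound)
        strcpy(p->src, "10.0.1.254");   /* assumed masqueraded address */
    div_reinject(p, outbound, pol);
}

static void ip_input(struct pkt *p, enum policy pol)
{
    if (ip_fw_chk(pol) == DIVERT_PORT) {
        p->in_diverts++;
        masqd(p, 0, pol);
        return;
    }
    ip_output(p, pol);   /* not addressed to us: forwarding ends up in ip_output() */
}

static void ip_output(struct pkt *p, enum policy pol)
{
    if (ip_fw_chk(pol) == DIVERT_PORT) {
        p->out_diverts++;
        masqd(p, 1, pol);
        return;
    }
    /* hand to the interface: nothing more to model */
}

/* Forward one packet from 10.0.1.1 through the model under the given policy.
 * Returns 1 if it left with the masqueraded source, 0 if the outbound divert
 * never happened. Fills *out with the divert counts when out is non-NULL. */
int forward_ping(enum policy pol, struct pkt *out)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    strcpy(p.src, "10.0.1.1");
    ip_divert_ignore = 0;
    ip_input(&p, pol);
    if (out)
        *out = p;
    return strcmp(p.src, "10.0.1.254") == 0;
}

int main(void)
{
    enum policy pols[] = { KEEP_MARKER, ZERO_AFTER_USE };
    const char *names[] = { "keep marker", "zero after use" };
    for (int i = 0; i < 2; i++) {
        struct pkt r;
        int ok = forward_ping(pols[i], &r);
        printf("%-15s in_diverts=%d out_diverts=%d src=%s %s\n", names[i],
               r.in_diverts, r.out_diverts, r.src,
               ok ? "(masqueraded)" : "(NOT masqueraded)");
    }
    return 0;
}
```

Under KEEP_MARKER the inbound pass is diverted once, the re-injected packet is correctly not re-diverted in ip_input(), but the forwarding call into ip_output() still sees the marker and skips the outbound divert, so the packet leaves with its original source. Under ZERO_AFTER_USE the marker protects exactly the one ip_fw_chk() it was set for, the outbound pass is diverted and masqueraded, and the second re-injection is again skipped once, which is the "even if the packet passes through ipfw twice" case resolved the way the thread settles on. The sin->sin_port remark and the ICMP breakage mentioned by Brian are not modelled here.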