From owner-freebsd-hackers Sat Feb 1 05:27:47 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA20575 for hackers-outgoing; Sat, 1 Feb 1997 05:27:47 -0800 (PST) Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA20570 for ; Sat, 1 Feb 1997 05:27:44 -0800 (PST) Received: from awfulhak.demon.co.uk (localhost.coverform.lan [127.0.0.1]) by awfulhak.demon.co.uk (8.8.4/8.7.3) with ESMTP id NAA01803; Sat, 1 Feb 1997 13:25:44 GMT Message-Id: <199702011325.NAA01803@awfulhak.demon.co.uk> X-Mailer: exmh version 1.6.9 8/22/96 To: Archie Cobbs cc: brian@utell.co.uk, terry@lambert.org, ari.suutari@ps.carel.fi, hackers@freebsd.org, cmott@srv.net, joerg_wunsch@uriah.heep.sax.de Subject: Re: ipdivert & masqd FIXED ! In-reply-to: Your message of "Sat, 01 Feb 1997 00:43:01 PST." <199702010843.AAA06137@bubba.whistle.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 01 Feb 1997 13:25:44 +0000 From: Brian Somers Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > > Yes, ip_input() calls ip_output() indirectly when forwarding packets. > > > You actually want to *not* zero ip_divert_ignore in this case in order > > > to realize the intended semantics of the socket -- the loop avoidance > > > is supposed to avoid all diversion back to the port, even if the packet > > > passes through ipfw twice, on the way "in" and on the way "out". > > > > > > > It turns out that this was the problem ! > > > > If 10.0.1.1 pings 10.0.1.254, ip_input() is called. This diverts to masqd > > and then gets re-injected. The second time around, ip_input() ignores the > > divert (correctly) but calls ip_output(). ip_output() incorrectly ignores > > the divert socket - so the packet mangling doesn't get done ! > > > > I've altered things slightly so that ip_divert_ignore gets zero'd as soon > > as it's been used in both ip_input() and ip_output(). Patches are available > > on www.awfulhak.demon.co.uk. Also, ip_divert_ignore is set in ip_divert.c > > irrespective of whether sin->sin_port is around.... I think this may be wrong, > > (it works, but for the wrong reasons) - ICMPs break with the check left in ! > > This wasn't the original intent, but in retrospect it makes more > sense -- your patch that zeros ip_divert_ignore after calling > ip_fw_chk() looks good to me... I'll commit the changes then - anyone have a problem with them going into 2.2 too ? -- Brian , Don't _EVER_ lose your sense of humour....