From owner-freebsd-net Thu Dec 27 16:21: 5 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 110E937B416 for ; Thu, 27 Dec 2001 16:20:59 -0800 (PST)
Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10]) by ns1.nttmcl.com (Postfix) with ESMTP id B5846DE541; Thu, 27 Dec 2001 16:20:58 -0800 (PST)
Date: Thu, 27 Dec 2001 16:20:58 -0800 (PST)
From: Henry Su
To: Julian Elischer
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

**************
Henry Su
* NTT MCL *
**************

On Thu, 27 Dec 2001, Julian Elischer wrote:

> On Thu, 27 Dec 2001, Henry Su wrote:
>
> > Thanks a lot Julian. Please let me know if you need more info.
> >
> > My goal is using test2 as authentication server, when an http request passes
> > through the test2 box, test2 will redirect to an authentication url on itself.
> >
> >  _________                  ___________________
> > |         |crossover cable  |                  |
> > |test1    |---------------->|test2(ipfw,proxy) |----->router->Internet
> > |_________|                 |__________________|
> >   X.1.1.3                        X.1.1.2
> >
> > test2 has ipfw and a proxy server for redirection, it is configured as a
> > bridge, one interface has an ip address, one interface does not, which test1 is
> > connected to.
>
> Assume dc1 on the router side of test2
> and dc2 on the crossover side of test2

That's a good one.

> is the router doing nat?

No.

> is X.x.x.x. a routable address?

Yes

> I presume that X.1.1.3 AND X.1.1.2 are on the same logical net.
> Are they both routable addresses?

Yes

> firstly, bridging is a new factor. you didn't mention that before..
> I am not sure how bridging will interact with everything else.
>
> What does netstat -aA show on test2? Is the server bound to an address?
> i.e. do you bind() the server to a particular address?
> if so which?
>
> Why are you bridging?

Because a gateway needs an ip on each interface, and we do not want to do that. We want to assign only 1 ip on test2.

> do you want people on test1 to authenticate, or people coming in from the
> internet? (you need to specify what you want to redirect..)

people on test1. Assume test2 is the access control server, test1 is a client that wants to get access.

> > The rule for forwarding is:
> >
> > #Forward no valid http packet to local authentication
> > ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
> >
> > For example, here's 2 cases, one works, one failed.
> >
> > Failed case: from test1, "telnet www.yahoo.com 80", from the test2 ipfw log,
> > you can see the packet is forwarded (e.g "Dec 27 00:34:25 test2 /kernel:
> > ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> > 129.219.10.10:80 in via dc2"),
> > but the proxy server on test2 seems not to have got the forwarded packet.
> >
> > Worked case: from test1, "telnet test2 80", it just works. The proxy server
> > got the packet, and sent a redirection message to test1: "
>
> I wonder if someone has broken fwd?
> if you do the following:
> on test2, telnet localhost 80
> and
> telnet www.freebsd.org 80
>
> what happens?

[16:14:38][root@test2:~]$ telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
[16:14:41][root@test2:~]$ telnet www.freebsd.org 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
123
501 Method Not Implemented

Method Not Implemented

123 to /index.html not supported.

Invalid method in request 123


Apache/1.3.x Gualala Server at www.freebsd.org Port 80
Connection closed by foreign host.

> > My guess is:
> >
> > The proxy socket server can only listen to a packet whose dst ip address
> > matches its own ip address. The proxy server is written by myself, it's a java
> > socket server, when it receives any packet at port 8800, it sends back some
> > http redirection
> > information.
>
> No the address that the server will be matched against is the
> address in the fwd rule, and not the address in the packet.
>
> roughly it does:
>
> tempaddr = address_from_packet
> if (ipfw matches a fwd rule)
>     tempaddr = address_in_rule
> find socket that matches tempaddr.
>
> It could be that the bridging is somehow confusing the forwarding..

That's right. Does a socket server care about a packet's dst ip? If a packet's dst ip is not matched, will the proxy server drop it?

Thanks.

> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
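The following is an added illustration, not code from the thread or from the FreeBSD kernel: a small Python model of the socket lookup Julian sketches above ("tempaddr = address_from_packet; if ipfw matches a fwd rule, tempaddr = address_in_rule; find socket that matches tempaddr"). It takes the fwd rule and the logged packet from the post, and assumes two things that the thread does not state outright: that the kernel prefers a listener bound to the exact address over one bound to the wildcard address on the same port, and that test2's own address is the placeholder X.1.1.2 from the diagram. The point it makes visible is that with "fwd localhost,8800" the listener is matched against 127.0.0.1:8800, so a proxy that bind()s only to the interface's own address never sees the forwarded connection, while one bound to any address (or to loopback) does. Whether the bridged packet reaches the IP input path at all is the separate question the bridging remark raises, and this model does not cover it.

```python
# Added example (not FreeBSD kernel code): toy model of how an ipfw "fwd" rule
# changes which listening socket a packet is matched against.
# Socket table, addresses and ports are constructed for illustration.

from dataclasses import dataclass
from typing import Iterable, Optional

WILDCARD = "0.0.0.0"  # INADDR_ANY: the socket was bound without a specific address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class FwdRule:
    """Models: ipfw add N fwd <to_addr>,<to_port> tcp from any to any <match_port>."""
    match_port: int
    to_addr: str
    to_port: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.dport == self.match_port


@dataclass(frozen=True)
class ListenSocket:
    laddr: str  # address handed to bind(); WILDCARD if bound to any address
    lport: int


def lookup_listener(sockets: Iterable[ListenSocket], addr: str, port: int) -> Optional[ListenSocket]:
    """PCB-style lookup (assumption): an exact (addr, port) binding wins,
    a wildcard binding on the same port is the fallback, otherwise no match."""
    sockets = list(sockets)
    for s in sockets:
        if s.lport == port and s.laddr == addr:
            return s
    for s in sockets:
        if s.lport == port and s.laddr == WILDCARD:
            return s
    return None


def deliver(pkt: Packet, rules: Iterable[FwdRule], sockets: Iterable[ListenSocket]) -> Optional[ListenSocket]:
    """Julian's sketch: start from the packet's own destination, replace it with
    the fwd rule's target if a rule matches, then look the socket up by that."""
    tempaddr, tempport = pkt.dst, pkt.dport
    for rule in rules:
        if rule.matches(pkt):
            tempaddr, tempport = rule.to_addr, rule.to_port
            break
    return lookup_listener(sockets, tempaddr, tempport)


# Constructed sample mirroring the thread: the fwd rule from the post and a
# packet shaped like the logged one ("216.69.69.248:1101 129.219.10.10:80").
RULES = [FwdRule(match_port=80, to_addr="127.0.0.1", to_port=8800)]
LOGGED_PACKET = Packet(src="216.69.69.248", sport=1101, dst="129.219.10.10", dport=80)

# Three ways the proxy on test2 could have been bound to port 8800.
PROXY_ANY = ListenSocket(WILDCARD, 8800)        # bind() to INADDR_ANY
PROXY_OWN_IP = ListenSocket("X.1.1.2", 8800)    # bind() to test2's address only (placeholder from the diagram)
PROXY_LOOPBACK = ListenSocket("127.0.0.1", 8800)


def proxy_receives(proxy: ListenSocket) -> bool:
    """True if the forwarded packet is matched to this listener."""
    return deliver(LOGGED_PACKET, RULES, [proxy]) is proxy


if __name__ == "__main__":
    for name, proxy in (("bound to any", PROXY_ANY),
                        ("bound to own IP", PROXY_OWN_IP),
                        ("bound to loopback", PROXY_LOOPBACK)):
        verdict = "gets the forwarded packet" if proxy_receives(proxy) else "does not see it"
        print(f"proxy {name}: {verdict}")
```

The check that tells the two cases apart on a real box is the one Julian asks for: the bound address column in netstat's listening-socket output, which shows whether the 8800 listener is bound to a specific address or to any address.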