From owner-freebsd-net  Thu Dec 27 16:21: 5 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197])
	by hub.freebsd.org (Postfix) with ESMTP id 110E937B416
	for <freebsd-net@FreeBSD.ORG>; Thu, 27 Dec 2001 16:20:59 -0800 (PST)
Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10])
	by ns1.nttmcl.com (Postfix) with ESMTP
	id B5846DE541; Thu, 27 Dec 2001 16:20:58 -0800 (PST)
Date: Thu, 27 Dec 2001 16:20:58 -0800 (PST)
From: Henry Su <henrysu@nttmcl.com>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel
In-Reply-To: <Pine.BSF.4.21.0112271057040.84622-100000@InterJet.elischer.org>
Message-ID: <Pine.BSI.4.05L.10112271613450.28832-100000@alicia.nttmcl.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org



**************
Henry Su     *
NTT MCL      *
**************

On Thu, 27 Dec 2001, Julian Elischer wrote:

> 
> 
> 
> 
> On Thu, 27 Dec 2001, Henry Su wrote:
> 
> > Thanks a lot Julian. Please let me know if u need more info.
> > 
> > 
> > My goal is using test2 as authentication server, when http request pass
> > through test2 box, test2 will redirect to an authentication url on itself.
> > 
> >  _________                   ___________________
> > |	    |crossover cable  |                  |
> > |test1    |---------------->|test2(ipfw,proxy) |----->router->Internet
> > |_________|                 |__________________|
>           X.1.1.3                             X.1.1.2
> 
> 
> > 
> > 
> > test2 has ipfw and a proxy server for redirection, it is configured as a
> > bridge, one interface has ip address, one interface does not, which test1 is
> > connected to.
> 
> Assume dc1 on the router side of test2
> and dc2 on the crossover side of test2

That's good one.

> is the router doing nat?
No.

> is X.x.x.x. a routable address?
Yes

> I presume that X.1.1.3 AND X.1.1.2 are on the same logical net.
> Are they both routable addresses?
> 
Yes

> firstly, bridging is a new factor. you didn't mention that before..
> I am not sure how bridging will interract with everything else.
> 
> What does netstat -aA show on test2? Is the server bound to an address?
> i.e. do you bind() the server to a particular address?
> if so which?
> 
> Why are you bridging?
> 

Because gateway needs ip on each interface, we do not want to do that. We
want only assign 1 ip on test2.


> do you want people on test1 to authenticate, or people coming in from the 
> internet? (you need to specify what you want to redirect..)
> 
people on test1. Assume test2 is access control server, test is a client
that want to get access.


> 
> > 
> > 
> > The rule for forwarding is:
> > 
> > #Forward no valid http packet to local authentication
> > ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
> > 
> > 
> > 
> > For example, here's 2 cases, one works, one failed.
> > 
> > Failed case: from test1, "telnet www.yahoo.com 80", from the test2 ipfw log,
> > you can see the packet is forwarded (e.g "Dec 27 00:34:25 test2 /kernel:
> > ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> > 129.219.10.10:80 in via dc2").
> > but the proxy server on test2 seems did not get the forwarded packet.
> > 
> > Worked case: from test1, "telnet test2 80", it just works. The proxy server
> > got the packet, and send redirection message to test1: "
> 
> I wonder if someone has broken fwd?
> if you do the following:
> on test2, telnet localhost 80
> and
> telnet www.freebsd.org 80
> 
> what happens?
> 


[16:14:38][root@test2:~]$ telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
[16:14:41][root@test2:~]$ telnet www.freebsd.org 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
123
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
123 to /index.html not supported.<P>
Invalid method in request 123<P>
<HR>
<ADDRESS>Apache/1.3.x Gualala Server at www.freebsd.org Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.



> > 
> > My guess is:
> > 
> > The proxy socket server can only listen to packet's dst ip address that
> > matches its own ip address. The proxy server is written by myself, it's java
> > socket server, when it receive any packet at port 8800, it sends back some
> > http redirection
> > information.
> > 
> 
> No the address that the server will be matched against is the 
> address in the fwd rule, and not the address in the packet.
> 
> roughly it does:
> 
> tempaddr = address_from_packet
> if (ipfw matches a fwd rule)
> 	tempaddr = address_in_rule
> find socket that matches tempaddr.
> 
> It could be that the bridging is somehow confusing the forwarding..
> 


That's right. Does a socket server care about a packet's dst ip? If a
packet's dst ip is not matched, the proxy server will drop it?


Thanks.






> 
> > 
> > 
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
> > 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
> 
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message