Date: Thu, 10 Mar 2011 02:32:19 -0800
From: Julian Elischer <julian@freebsd.org>
To: Rajkumar S <rajkumars@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IP_BINDANY: return packets not accepted by kernel
Message-ID: <4D78A8B3.6010901@freebsd.org>
In-Reply-To: <AANLkTinhqnNYJWTLzbXab+DqsqnXqFsP6Jex96-PN5wn@mail.gmail.com>
References: <AANLkTinhqnNYJWTLzbXab+DqsqnXqFsP6Jex96-PN5wn@mail.gmail.com>
On 3/9/11 11:04 AM, Rajkumar S wrote:
> Hello all,
>
> I am testing IP_BINDANY functionality with a small C program. I can
> bind to a foreign (non-existing) address, and SYN packets are being
> sent with the bound source IP address and port. Return (ACK) packets
> are reaching the host (I can see the SYN-ACK packet in tcpdump), but
> the third packet in the TCP handshake is not getting generated. It looks
> like the second SYN-ACK is not getting accepted by the kernel.
>
> My test setup consists of 2 machines: one FreeBSD 8.2 machine, where I am
> running my test program, has an IP address of 192.168.3.83, and an echo
> server is running on the second machine with IP address 192.168.3.18. The
> source IP address of connections originating from my test program is
> 192.168.9.5, and the echo server has a route for 192.168.9.0/24 to
> 192.168.3.83.
>
> Since there is a route for 192.168.9.5 from 192.168.3.18, there is no
> need for any additional pf rules for redirecting, and packets can be
> seen in tcpdump.
>
> netstat gives the following output. The state remains SYN_SENT and the
> kernel is not able to "see" the SYN-ACK.
>
> tcp4 0 0 192.168.9.5.7 192.168.3.18.7 SYN_SENT
>
> tcpdump gives the following output (first 2 lines):
>
> 17:39:54.745332 00:40:f4:bd:3d:1c > 00:27:0e:26:d9:66, ethertype IPv4
> (0x0800), length 74: 192.168.9.5.7 > 192.168.3.18.7: Flags [S], seq
> 587594188, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
> 92954112 ecr 0], length 0
>
> 17:39:54.745446 00:27:0e:26:d9:66 > 00:40:f4:bd:3d:1c, ethertype IPv4
> (0x0800), length 74: 192.168.3.18.7 > 192.168.9.5.7: Flags [S.], seq
> 399460822, ack 587594189, win 5792, options [mss 1460,sackOK,TS val
> 4341497 ecr 92954112,nop,wscale 7], length 0
>
> arp -na (abbreviated)
> ? (192.168.3.83) at 00:40:f4:bd:3d:1c on re0 permanent [ethernet]
> ? (192.168.3.18) at 00:27:0e:26:d9:66 on re0 expires in 1133 seconds [ethernet]
>
> Am I missing something here? I am running all programs as root, so I
> do have the privileges. I guess there are no sysctls to be set. Any
> help to get this working is much appreciated.

yes, you are missing the fact that the return packets will never be
accepted unless you have an ipfw rule saying:

  fwd localhost ip from any to any uid {uid of your process} in recv {your interface}

the first layer of ip doesn't know about sockets and will reject packets
to non-local addresses. however ipfw can override this and tell the IP
stack to take it because it identifies the matching socket.
"yes it's a kludge" but it works.

sorry if you don't use ipfw.. 'pf' MAY be able to do similar but I don't know.

> with regards,
>
> raj
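The poster's test program is not in the thread; the following is an added example (not code from either participant) of a minimal FreeBSD client doing what the question describes: set IP_BINDANY, bind the foreign source 192.168.9.5, and connect to the echo port on 192.168.3.18. It assumes the ipfw fwd rule from the reply has already been installed for the process uid and receiving interface; the helper names make_addr and bind_any_source are mine, and on non-FreeBSD systems the IP_BINDANY branch is compiled out.

```c
/* Added example (not the poster's program): IP_BINDANY lets a privileged
 * process bind a source address this host does not own. FreeBSD only;
 * elsewhere the option is compiled out and the call fails with ENOPROTOOPT. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill *sa from dotted-quad text and host-order port; 0 on success, -1 on bad input. */
int make_addr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Bind fd to a possibly foreign source address; needs root on FreeBSD
 * (PRIV_NETINET_BINDANY). Returns 0, or -1 with errno set. */
int bind_any_source(int fd, const char *ip, unsigned short port)
{
    struct sockaddr_in src;
    if (make_addr(ip, port, &src) < 0) { errno = EINVAL; return -1; }
#ifdef IP_BINDANY
    int on = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on) < 0)
        return -1;                  /* EPERM when unprivileged */
    return bind(fd, (struct sockaddr *)&src, sizeof src);
#else
    errno = ENOPROTOOPT;            /* this platform lacks IP_BINDANY */
    return -1;
#endif
}

int main(void)
{
    struct sockaddr_in dst;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind_any_source(fd, "192.168.9.5", 7) < 0 ||
        make_addr("192.168.3.18", 7, &dst) < 0) { perror("setup"); return 1; }
    /* The SYN leaves with source 192.168.9.5; without the ipfw fwd rule the
     * SYN-ACK is dropped by the stack and netstat shows SYN_SENT forever. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) { perror("connect"); return 1; }
    puts("connected"); close(fd);
    return 0;
}
```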