From: Julian Elischer <julian@freebsd.org>
Date: Thu, 10 Mar 2011 02:32:19 -0800
Message-ID: <4D78A8B3.6010901@freebsd.org>
To: Rajkumar S
Cc: freebsd-net@freebsd.org
Subject: Re: IP_BINDANY: return packets not accepted by kernel
List-Id: Networking and TCP/IP with FreeBSD

On 3/9/11 11:04 AM, Rajkumar S wrote:
> Hello all,
>
> I am testing IP_BINDANY functionality with a small C program. I can
> bind to a foreign (non-existing) address, and SYN packets are being
> sent with the bound source IP address and port. Return (ACK) packets
> are reaching the host (I can see the SYN-ACK packet in tcpdump), but
> the third packet in the TCP handshake is not getting generated. It looks
> like the second SYN-ACK is not getting accepted by the kernel.
>
> My test setup consists of 2 machines: one FreeBSD 8.2 machine, where I am
> running my test program, has an IP address of 192.168.3.83, and an echo
> server is running on the second machine with IP address 192.168.3.18. The
> source IP address of connections originating from my test program is
> 192.168.9.5, and the echo server has a route for 192.168.9.0/24 to
> 192.168.3.83.
>
> Since there is a route for 192.168.9.5 from 192.168.3.18 there is no
> need for any additional pf rules for redirecting, and packets can be
> seen in tcpdump.
>
> netstat gives the following output. The state remains SYN_SENT and the
> kernel is not able to "see" the SYN-ACK.
>
> tcp4 0 0 192.168.9.5.7 192.168.3.18.7 SYN_SENT
>
> tcpdump gives the following output (first 2 lines):
>
> 17:39:54.745332 00:40:f4:bd:3d:1c > 00:27:0e:26:d9:66, ethertype IPv4
> (0x0800), length 74: 192.168.9.5.7 > 192.168.3.18.7: Flags [S], seq
> 587594188, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
> 92954112 ecr 0], length 0
>
> 17:39:54.745446 00:27:0e:26:d9:66 > 00:40:f4:bd:3d:1c, ethertype IPv4
> (0x0800), length 74: 192.168.3.18.7 > 192.168.9.5.7: Flags [S.], seq
> 399460822, ack 587594189, win 5792, options [mss 1460,sackOK,TS val
> 4341497 ecr 92954112,nop,wscale 7], length 0
>
> arp -na (abbreviated)
> ? (192.168.3.83) at 00:40:f4:bd:3d:1c on re0 permanent [ethernet]
> ? (192.168.3.18) at 00:27:0e:26:d9:66 on re0 expires in 1133 seconds [ethernet]
>
> Am I missing something here? I am running all programs as root, so I
> do have the privileges. I guess there are no sysctls to be set. Any
> help to get this working is much appreciated.

Yes, you are missing the fact that the return packets will never be
accepted unless you have an ipfw rule saying:

    fwd localhost ip from any to any uid {uid of your process} in recv {your interface}

The first layer of IP doesn't know about sockets and will reject packets
to non-local addresses. However, ipfw can override this and tell the IP
stack to take it because it identifies the matching socket. "Yes, it's a
kludge", but it works.

Sorry if you don't use ipfw. 'pf' MAY be able to do similar but I don't know.

> with regards,
>
> raj
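The kind of IP_BINDANY client discussed in the thread, together with a helper that formats the ipfw rule from the reply, as an added example that is not the poster's program or FreeBSD project code. Assumptions: the addresses are the ones from the thread (192.168.9.5 as the non-local source, 192.168.3.18:7 as the echo server, re0 as the inbound interface); on Linux the example falls back to IP_FREEBIND, which plays the same role as IP_BINDANY, so the code also builds there; the rule must be installed as root before the connect, otherwise the SYN-ACK is dropped before TCP sees it and the socket stays in SYN_SENT.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill a sockaddr_in from a dotted-quad string and a host-order port.
 * Returns 0 on success, -1 if the address does not parse. */
int make_sockaddr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Allow bind(2) to a source address that is not configured on any local
 * interface.  FreeBSD: IP_BINDANY (privileged).  Linux: IP_FREEBIND is the
 * analogous option (an assumption made so the example compiles there too).
 * Returns 0 on success, -1 with errno set, -2 if neither option exists. */
int enable_bind_any(int fd)
{
    int one = 1;
#if defined(IP_BINDANY)
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof(one));
#elif defined(IP_FREEBIND)
    return setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one));
#else
    (void)fd; (void)one;
    errno = ENOPROTOOPT;
    return -2;
#endif
}

/* Format the ipfw rule from the reply: inbound packets on iface whose
 * matching socket belongs to uid are forwarded to localhost, which is how
 * the stack is told to accept packets addressed to a non-local address.
 * Returns the length written (without NUL), or -1 if buf is too small. */
int ipfw_fwd_rule(unsigned uid, const char *iface, char *buf, size_t len)
{
    int n = snprintf(buf, len,
                     "ipfw add fwd localhost ip from any to any uid %u in recv %s",
                     uid, iface);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Create a TCP socket bound to src_ip:src_port (need not be local) and
 * connect it to dst_ip:dst_port.  Returns the fd, or -1 with errno set. */
int connect_from(const char *src_ip, unsigned short src_port,
                 const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src, dst;
    int fd;

    if (make_sockaddr(src_ip, src_port, &src) < 0 ||
        make_sockaddr(dst_ip, dst_port, &dst) < 0) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (enable_bind_any(fd) != 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    char rule[160], reply[64];
    ssize_t n;
    int fd;

    /* Print the rule this process needs; without it the handshake never
     * completes and connect() eventually fails with ETIMEDOUT. */
    ipfw_fwd_rule(getuid(), "re0", rule, sizeof(rule));
    printf("install first (as root): %s\n", rule);

    /* Values from the thread: non-local source 192.168.9.5:7, echo server 192.168.3.18:7. */
    fd = connect_from("192.168.9.5", 7, "192.168.3.18", 7);
    if (fd < 0) {
        perror("connect_from");
        return 1;
    }
    if (write(fd, "hello\n", 6) == 6 && (n = read(fd, reply, sizeof(reply) - 1)) > 0) {
        reply[n] = '\0';
        printf("echo server replied: %s", reply);
    }
    close(fd);
    return 0;
}
```

The uid match is what makes the rule safe to leave in place: only packets for which the kernel finds a socket owned by that uid are forwarded to localhost, so other traffic to non-local addresses is still rejected as before.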