From owner-freebsd-net@FreeBSD.ORG  Thu Mar 10 10:32:20 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EB950106566B
	for <freebsd-net@freebsd.org>; Thu, 10 Mar 2011 10:32:19 +0000 (UTC)
	(envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
	by mx1.freebsd.org (Postfix) with ESMTP id B7C998FC0A
	for <freebsd-net@freebsd.org>; Thu, 10 Mar 2011 10:32:19 +0000 (UTC)
Received: from julian-mac.elischer.org (home-nat.elischer.org [67.100.89.137])
	(authenticated bits=0)
	by vps1.elischer.org (8.14.4/8.14.4) with ESMTP id p2AAWG5S047630
	(version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
	Thu, 10 Mar 2011 02:32:18 -0800 (PST)
	(envelope-from julian@freebsd.org)
Message-ID: <4D78A8B3.6010901@freebsd.org>
Date: Thu, 10 Mar 2011 02:32:19 -0800
From: Julian Elischer <julian@freebsd.org>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US;
	rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Rajkumar S <rajkumars@gmail.com>
References: <AANLkTinhqnNYJWTLzbXab+DqsqnXqFsP6Jex96-PN5wn@mail.gmail.com>
In-Reply-To: <AANLkTinhqnNYJWTLzbXab+DqsqnXqFsP6Jex96-PN5wn@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: IP_BINDANY: return packets not accepted by kernel
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 10:32:20 -0000

On 3/9/11 11:04 AM, Rajkumar S wrote:
> Hello all,
>
> I am testing IP_BINDANY functionality with a small C program. I can
> bind to a foreign (non existing) address, and syn packets are being
> sent with the bound source IP address and port. Return (ACK) packets
> are reaching the host (I can see the SYN-ACK packet in tcpdump), but
> the third packet in TCP handshake is not getting generated. It looks
> like the second SYN-ACK is not getting accepted by the kernel.
>
> My test setup consists of 2 machines, one freebsd 8.2 where I am
> running my test program has an ip address of 192.168.3.83, and an echo
> server running in the second machine with ip address 192.168.3.18. The
> source ip address of connections originating from my test program is
> 192.168.9.5 and the echo server has a route for 192.168.9.0/24 to
> 192.168.3.83.
>
> Since there is a route for 192.168.9.5 from  192.168.3.18 there is no
> need for any additional pf rules for redirecting and packets can be
> seen in tcpdump.
>
> Netstat gives the following output. The state remains SYN_SENT and the
> kernel is not able to "see" the SYN-ACK.
>
> tcp4       0      0 192.168.9.5.7          192.168.3.18.7         SYN_SENT
>
> tcpdump gives the following output (first 2 lines)
>
> 17:39:54.745332 00:40:f4:bd:3d:1c>  00:27:0e:26:d9:66, ethertype IPv4
> (0x0800), length 74: 192.168.9.5.7>  192.168.3.18.7: Flags [S], seq
> 587594188, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
> 92954112 ecr 0], length 0
>
> 17:39:54.745446 00:27:0e:26:d9:66>  00:40:f4:bd:3d:1c, ethertype IPv4
> (0x0800), length 74: 192.168.3.18.7>  192.168.9.5.7: Flags [S.], seq
> 399460822, ack 587594189, win 5792, options [mss 1460,sackOK,TS val
> 4341497 ecr 92954112,nop,wscale 7], length 0
>
> arp -na (abbreviated)
> ? (192.168.3.83) at 00:40:f4:bd:3d:1c on re0 permanent [ethernet]
> ? (192.168.3.18) at 00:27:0e:26:d9:66 on re0 expires in 1133 seconds [ethernet]
>
> Am I missing something here? I am running all programs as root, so I
> do have the privileges. I guess there is no sysctl to be set. Any
> help to get this working is much appreciated.

yes, you are missing the fact that the return packets will never be
accepted unless you have an ipfw rule saying:

fwd localhost ip from any to any uid {uid of your process} in recv {your interface}

the first layer of ip doesn't know about sockets and will reject 
packets to non-local addresses.
however ipfw can override this and tell the IP stack to take it 
because it identifies the matching socket.

"yes it's a kludge" but it works.

sorry if you don't use ipfw.. 'pf' MAY be able to do similar
but I don't know.

> with regards,
>
> raj
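As an added example (not from the thread, and not code from either poster), here is a small C client that does what Raj describes: set IP_BINDANY before bind(), bind to the foreign source 192.168.9.5, and connect to the echo server at 192.168.3.18 port 7. It also prints the ipfw rule from Julian's reply for the process's own uid and the interface re0, since without that rule the IP input path drops the SYN-ACK before it reaches the socket and the connection sits in SYN_SENT. Assumptions: it is run as root on FreeBSD; the IP_FREEBIND fallback is my addition so the program also compiles on Linux, where ipfw does not exist and the forwarding half of the fix does not apply.

```c
/* Added example, not from the thread: an IP_BINDANY client plus the ipfw
 * rule its return packets need.  Assumes FreeBSD and root; the IP_FREEBIND
 * branch is an assumed Linux analogue for non-local bind() only. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(IP_BINDANY)
#  define BINDANY_OPT IP_BINDANY   /* FreeBSD: the option under discussion */
#elif defined(IP_FREEBIND)
#  define BINDANY_OPT IP_FREEBIND  /* assumption: Linux analogue for bind() */
#else
#  define BINDANY_OPT (-1)         /* unsupported platform: setsockopt() fails */
#endif

/* Render the rule from the reply for a given uid and receive interface.
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_ipfw_rule(unsigned uid, const char *iface, char *buf, size_t len)
{
    int n = snprintf(buf, len,
                     "ipfw add fwd localhost ip from any to any uid %u in recv %s",
                     uid, iface);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Fill a sockaddr_in from a dotted quad; 0 on success, -1 on a bad address. */
int make_sin(const char *ip, unsigned short port, struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sin->sin_addr) == 1 ? 0 : -1;
}

/* Create a TCP socket bound to a (possibly non-local) source address.
 * Returns the fd, or -1 with errno set. */
int bindany_socket(const char *src_ip, unsigned short src_port)
{
    struct sockaddr_in src;
    int one = 1, fd;

    if (make_sin(src_ip, src_port, &src) < 0) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* The option must be set before bind(); it is what lets bind() accept
     * an address that is not configured on any local interface. */
    if (setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    char rule[160];
    struct sockaddr_in dst;
    int fd;

    /* Values from the thread: source 192.168.9.5, echo server 192.168.3.18:7, re0. */
    format_ipfw_rule((unsigned)getuid(), "re0", rule, sizeof rule);
    printf("rule needed before the SYN-ACK is accepted:\n  %s\n", rule);

    fd = bindany_socket("192.168.9.5", 7);
    if (fd < 0) {
        perror("bindany_socket");
        return 1;
    }
    make_sin("192.168.3.18", 7, &dst);
    /* Without the ipfw rule this stays in SYN_SENT and eventually times out. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0)
        perror("connect");
    else
        puts("connected: the SYN-ACK reached the socket");
    close(fd);
    return 0;
}
```

Add the printed rule with ipfw before running the client; the uid match is what lets ipfw find the socket the IP layer alone cannot see, and `in recv re0` limits the rule to packets arriving on the interface facing the echo server.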