From: Stephen Clark
Date: Fri, 15 Feb 2008 08:20:16 -0500
To: freebsd-net@freebsd.org
Subject: 6.1 strange gre behavior
Message-ID: <47B59190.3090403@seclark.us>

Hello List,

Has anybody ever tried to use either ipf or ipfw to redirect packets coming off of a gre interface? When I try it I get the packet repeated multiple times on the destination interface. I have tried it with both ipf and ipfw/natd with the same results.

I have packets coming in the gre interface to a local IP address that I am trying to redirect to an IP that exists out on a network off a different interface.

This is my ipnat redirect rule:

rdr gre3 65.162.182.41/32 port 3655 -> 172.18.26.8 port 3655 tcp/udp

This is from the source end of the gre tunnel:

sclark# hping -S -c 1 -p 3655 65.162.182.41
HPING 65.162.182.41 (vr0 65.162.182.41): S set, 40 headers + 0 data bytes

--- 65.162.182.41 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

This is a tcpdump on the destination of the gre tunnel:

[root@J301002 ~]# tcpdump -nlvi gre3
tcpdump: listening on gre3, link-type NULL (BSD loopback), capture size 96 bytes
08:17:01.561045 IP (tos 0x0, ttl 64, id 35844, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.11.1.2495 > 65.162.182.41.3655: S, cksum 0x62e2 (correct), 221136318:221136318(0) win 512
08:17:01.561498 IP (tos 0x0, ttl 64, id 29833, offset 0, flags [none], proto: ICMP (1), length: 68) 192.168.10.1 > 192.168.11.1: ICMP time exceeded in-transit, length 48
    IP (tos 0x0, ttl 1, id 35844, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.11.1.2495 > 172.18.26.8.3655: S, cksum 0x9493 (correct), 221136318:221136318(0) win 512

This is a tcpdump of the interface the packet coming from the gre tunnel is being redirected to - look how many packets there are !!!!!!!:

[root@J301002 ~]# tcpdump -nli rl0 host 172.18.26.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
08:17:01.561109 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561120 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561127 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561133 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561138 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561144 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561150 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561156 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561161 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561167 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561173 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561178 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561184 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561190 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561195 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561201 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561207 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561213 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561219 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561235 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561241 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561247 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561254 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561259 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561265 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561271 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561277 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561283 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561288 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561294 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561300 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561306 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561312 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561317 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561323 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561329 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561335 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561341 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561347 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561353 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561359 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561364 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561370 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561376 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561381 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561387 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561393 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561399 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561405 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561411 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561417 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561422 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561428 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561434 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561440 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561445 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561451 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561457 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561463 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561469 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561474 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561480 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561486 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512

Any help or ideas would be greatly appreciated.

Regards,
Steve

-- 
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
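
A way to quantify the duplication shown in the rl0 capture above, added here as an example and not part of the original post: the helper groups non-verbose `tcpdump -nl` lines by source, destination, flags and sequence range and reports every segment seen more than once. The names `dup_segments` and `sample_capture` and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): count how many times the
# same TCP segment appears in non-verbose `tcpdump -nl` text output.

# dup_segments: read tcpdump lines on stdin; for every segment seen more
# than once print "<copies> <first-time> <last-time> <src> > <dst> <flags> <seq>".
dup_segments() {
    awk '
    # Expected shape: <time> IP <src> > <dst>: <flags> <seq-range> ...
    # Verbose (-v) lines start "IP (tos ..." and are skipped by the $4 test.
    $2 == "IP" && $4 == ">" {
        sub(/:$/, "", $5)                 # drop the colon after <dst>
        key = $3 " > " $5 " " $6 " " $7   # flow + flags + sequence range
        if (!(key in copies)) { order[++n] = key; first[key] = $1 }
        copies[key]++
        last[key] = $1
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]
            if (copies[key] > 1)
                print copies[key], first[key], last[key], key
        }
    }'
}

# Constructed sample, modelled on the rl0 capture in the post: three
# copies of one SYN plus one unrelated segment that must not be reported.
sample_capture() {
    cat <<'EOF'
08:17:01.561109 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561120 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:01.561127 IP 192.168.11.1.2495 > 172.18.26.8.3655: S 221136318:221136318(0) win 512
08:17:02.000001 IP 192.168.11.1.2496 > 172.18.26.8.3655: S 100:100(0) win 512
EOF
}

sample_capture | dup_segments
```

To use it on live traffic, pipe a bounded capture such as `tcpdump -nl -c 100 -i rl0 host 172.18.26.8` into `dup_segments`; the report is printed when the capture ends.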