From owner-freebsd-hackers Wed Jan 29 15:35:11 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA29745 for hackers-outgoing; Wed, 29 Jan 1997 15:35:11 -0800 (PST)
Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA29721 for ; Wed, 29 Jan 1997 15:34:55 -0800 (PST)
Received: from awfulhak.demon.co.uk (localhost.coverform.lan [127.0.0.1]) by awfulhak.demon.co.uk (8.8.4/8.7.3) with ESMTP id XAA14485; Wed, 29 Jan 1997 23:30:52 GMT
Message-Id: <199701292330.XAA14485@awfulhak.demon.co.uk>
X-Mailer: exmh version 1.6.9 8/22/96
To: Archie Cobbs
cc: terry@lambert.org (Terry Lambert), ari.suutari@ps.carel.fi, hackers@freebsd.org, cmott@srv.net
Subject: Re: ipdivert & masqd
In-reply-to: Your message of "Wed, 29 Jan 1997 12:16:41 PST." <199701292016.MAA24360@bubba.whistle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 29 Jan 1997 23:30:52 +0000
From: Brian Somers
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[.....]

> > Actually, I think it's so the outbound packet doesn't get rediverted
> > by that particular handler, but you *can* chain handlers. For instance,
> > say I wanted to chain a cleanwall, a firewall, and an IP proxy server
> > and they were all in separate divert modules.
>
> Right! That is the purpose of this ip_divert_ignore hack -- for loop
> avoidance. It allows you to send a packet back out via the divert socket
> and simultaneously say "Don't divert *this* packet back into *this* socket".
>
> The theory was that this loop avoidance was working too well, and
> seemed to be applying to packets other than the one that it was
> supposed to. What I'm trying to prove to myself is that this can't
> be happening.
>
> -Archie

Not exactly - on my machine, there are two problems (3.0-current). The
machine that's doing the masquerading is 10.0.1.254.

1. When I do a tcp setup from 10.0.1.254 to 10.0.1.1, the packet goes out ok,
   10.0.1.1 receives it and replies (netstat shows ESTABLISHED). Masqd/natd
   receives the packet, fixes it and re-injects it.... then, all of a sudden,
   nothing happens. After a long wait, nothing continues to happen :( It's as
   if the ip_sum is wrong, but I don't believe that yet as it works ok when
   there are two divert sockets involved.

2. When a ping is sent from 10.0.1.1 to 10.0.1.254, the incoming icmp packet
   is picked up by masqd/natd, fondled and re-injected. That's *all* that
   masqd/natd sees. However, 10.0.1.1 gets an ICMP reply.

Everything else works.

--
Brian ,
Don't _EVER_ lose your sense of humour....