Date: Fri, 17 Jan 2014 00:01:48 +0100
From: n j <nino80@gmail.com>
To: "Alexander V. Chernikov" <melifaro@freebsd.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/122963: [ipfw] tcpdump does not show packets redirected by 'ipfw fwd' on proper interface
Message-ID: <CALf6cgb9NFcEYRQOc3VKkAudGAwzRy_XVTOoTpyEx4GSv8vaBg@mail.gmail.com>
In-Reply-To: <201401161120.s0GBK19O090357@freefall.freebsd.org>
References: <201401161120.s0GBK19O090357@freefall.freebsd.org>

Ok, it's been a while since I posted that feedback to the PR, so I don't
really remember all the details, but I probably get what you're saying.

Let me go over my original problem:

A program ("MUX") listens on port 443 on the server. It receives requests
from clients and forwards those packets to another program ("SERVER")
listening on same server port 8443. MUX is using transparent forwarding so
the SERVER receives packets with the original address and port intact.
Obviously, when SERVER makes a reply, it sends the reply directly to the
original client due to source addresses having been transparently forwarded.
To fix that, an 'ipfw fwd' rule catches these outgoing packets and redirects
the packets back to MUX.

This setup works fine. The problem arose while I was debugging some issues
with the programs and that was when I noticed that in the tcpdump I only see
the following traffic:

(tcpdump on public interface)
CLIENT:PORT --> MUX:443
MUX:443 --> CLIENT:PORT

and

(tcpdump on loopback)
MUX (posing as CLIENT:PORT) --> SERVER:8443

but there was no traffic going back from SERVER:8443 to CLIENT:PORT
(actually ending in MUX due to 'ipfw fwd' rule).

As I said above, I probably understand why it's not there. I can see fwd
rule in ipfw logs showing the packet going from SERVER:8443 to CLIENT:PORT
out via public interface, but it actually doesn't reach the wire and tcpdump
because fwd rule snatches it before it can go out and forwards it to MUX so
that MUX can send it out.

However, I still feel as if there should be a trace of that packet somewhere
in the tcpdump as the packet after all leaves one userland program (SERVER)
and enters another userland program (MUX). It'd certainly help to see all
packets (i.e. both connections and all 4 directions) when debugging problems
with a setup like the one I described.

Am I missing something important here?

Regards,
--
Nino

On Thu, Jan 16, 2014 at 12:20 PM, Alexander V. Chernikov
<melifaro@freebsd.org> wrote:

> The following reply was made to PR kern/122963; it has been noted by GNATS.
>
> From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
> To: bug-followup@FreeBSD.org, zuborg@advancedhosters.com
> Cc:
> Subject: Re: kern/122963: [ipfw] tcpdump does not show packets redirected
>  by 'ipfw fwd' on proper interface
> Date: Thu, 16 Jan 2014 15:09:46 +0400
>
>  This is not a bug.
>
>  You're adding fwd rule which forwards outgoing packet back to the local
>  system (since fwd address is em0 address).
>  That's why you're not seeing packet on the wire.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>