Date:      Thu, 30 Jan 1997 17:56:49 -0800 (PST)
From:      Archie Cobbs <archie@whistle.com>
To:        brian@utell.co.uk (Brian Somers)
Cc:        archie@whistle.com, terry@lambert.org, ari.suutari@ps.carel.fi, hackers@FreeBSD.org, cmott@srv.net, brian@awfulhak.demon.co.uk
Subject:   Re: ipdivert & masqd
Message-ID:  <199701310156.RAA00251@bubba.whistle.com>
In-Reply-To: <199701301057.KAA00746@ui-gate.utell.co.uk> from Brian Somers at "Jan 30, 97 10:53:04 am"


> > > I've essentially got the following:
> > > 
> > >     ----------------                   ----------------------
> > >     |   10.0.10.2   |------------------|   10.0.10.1        |
> > >     ----------------                   |                    |
> > >                                        |   10.0.1.254 (ed0) |
> > >                                        ----------------------
> > >                                                |
> > >                                                |
> > >     -----------------                          |
> > >     |   10.0.1.1    |---------------------------
> > >     -----------------
> > > 
> > > with a mask of ffffff00 everywhere and the machine in the middle using
> > > the following:
> > > 
> > >     ipfw add 100 divert 6668 all from any to any via ed0
> > 
> > A-HAH! :-)
> > 
> > Could you try the following patch?
> > 
> > Thanks,
> > - -Archie
> > 
> > [.....]
> 
> I tried it, and I'm a bit confused about the results !  It
> allows connections in both directions between 10.0.1.1 and
> 10.0.1.254, but sending a packet from 10.0.10.2 to 10.0.1.1
> goes to 10.0.10.1, gets aliased as 10.0.1.254->10.0.1.1,
> gets accepted and replied to by 10.0.1.1 and gets changed
> from 10.0.1.1->10.0.1.254 to 10.0.1.1->10.0.10.3 by the
> PacketAlias stuff and then disappears.

I assume the 10.0.10.3 is a typo..

> Maybe the problem is with the forwarding code - where ip_input()
> calls ip_output().  I didn't realize this happened !  Surely, we
> should be remembering and zero'ing ip_divert_ignore before
> calling ip_output here, and restoring it afterwards.  I'll check this
> when I get home this evening !

Yes, ip_input() calls ip_output() indirectly when forwarding packets.
You actually want to *not* zero ip_divert_ignore in this case in order
to realize the intended semantics of the socket -- the loop avoidance
is supposed to avoid all diversion back to the port, even if the packet
passes through ipfw twice, on the way "in" and on the way "out".

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
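
The loop-avoidance semantics discussed in the message above, as an added example that is not part of the original e-mail and is not FreeBSD kernel code. It is a simplified model: the interface name `ed1`, the rule without `via`, and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the divert loop avoidance; NOT FreeBSD kernel code.
 * "ed1" and the rule without "via" are hypothetical, added for illustration. */
enum { DIVERT_PORT = 6668 };

struct rule { int port; const char *via; };   /* via == NULL: any interface */

/* One pass through ipfw. Returns the divert port, or 0 if not diverted. */
static int ipfw_pass(const struct rule *r, const char *ifname, int ignore_port)
{
    if (r->via != NULL && strcmp(r->via, ifname) != 0)
        return 0;                       /* rule does not match this interface */
    if (r->port == ignore_port)
        return 0;                       /* loop avoidance: skip our own port */
    return r->port;
}

/* The daemon writes a packet back as "incoming" on in_if and the host then
 * forwards it out of out_if. Returns how many times the packet is diverted
 * to the daemon again before it is finally transmitted. */
static int rediversions(const struct rule *r, const char *in_if,
                        const char *out_if, int zero_on_forward)
{
    int ignore = DIVERT_PORT;           /* set when written to the socket */
    int count = 0;

    if (ipfw_pass(r, in_if, ignore))    /* the "in" pass */
        count++;
    if (zero_on_forward)
        ignore = 0;                     /* the change proposed in the quoted text */
    if (ipfw_pass(r, out_if, ignore)) { /* the "out" pass, reached via ip_output() */
        count++;
        /* The daemon writes the packet back as outgoing, the ignore value is
         * set again, and this last "out" pass skips the rule. */
        if (ipfw_pass(r, out_if, DIVERT_PORT))
            count++;
    }
    return count;
}

int main(void)
{
    struct rule via_ed0 = { DIVERT_PORT, "ed0" };  /* rule 100 from the thread */
    struct rule any_if  = { DIVERT_PORT, NULL };   /* hypothetical variant */
    printf("via ed0, zeroed: %d\n", rediversions(&via_ed0, "ed0", "ed1", 1));
    printf("any if,  kept:   %d\n", rediversions(&any_if, "ed0", "ed1", 0));
    printf("any if,  zeroed: %d\n", rediversions(&any_if, "ed0", "ed1", 1));
    return 0;
}
```

In this model, zeroing the ignore value on the forwarding path makes no difference for a rule bound to `ed0` when the packet leaves by another interface, but a rule that matches on any interface sends the packet back to the daemon a second time.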


