Date: Sat, 01 Feb 1997 04:09:47 +0000 From: Brian Somers <brian@awfulhak.demon.co.uk> To: Archie Cobbs <archie@whistle.com> Cc: brian@utell.co.uk (Brian Somers), terry@lambert.org, ari.suutari@ps.carel.fi, hackers@freebsd.org, cmott@srv.net Subject: Re: ipdivert & masqd FIXED ! Message-ID: <199702010409.EAA04555@awfulhak.demon.co.uk> In-Reply-To: Your message of "Thu, 30 Jan 1997 17:56:49 PST." <199701310156.RAA00251@bubba.whistle.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > > I've essentially got the following:
> > > >
> > > > ---------------- ----------------------
> > > > | 10.0.10.2 |------------------| 10.0.10.1 |
> > > > ---------------- | |
> > > > | 10.0.1.254 (ed0) |
> > > > ----------------------
> > > > |
> > > > |
> > > > ----------------- |
> > > > | 10.0.1.1 |---------------------------
> > > > -----------------
[.....]
> > Maybe the problem is with the forwarding code - where ip_input()
> > calls ip_output(). I didn't realize this happened ! Surely, we
> > should be remembering and zero'ing ip_divert_ignore before
> > calling ip_output here, and restoring it afterwards. I'll check this
> > when I get home this evening !
>
> Yes, ip_input() calls ip_output() indirectly when forwarding packets.
> You actually want to *not* zero ip_divert_ignore in this case in order
> to realize the intended semantics of the socket -- the loop avoidance
> is supposed to avoid all diversion back to the port, even if the packet
> passes through ipfw twice, on the way "in" and on the way "out".
>
It turns out that this was the problem !
If 10.0.1.1 pings 10.0.1.254, ip_input() is called. This diverts to masqd
and then gets re-injected. The second time around, ip_input() ignores the
divert (correctly) but calls ip_output(). ip_output() incorrectly ignores
the divert socket - so the packet mangling doesn't get done !
I've altered things slightly so that ip_divert_ignore gets zero'd as soon
as it's been used in both ip_input() and ip_output(). Patches are available
on www.awfulhak.demon.co.uk. Also, ip_divert_ignore is set in ip_divert.c
irrespective of whether sin->sin_port is around.... I think this may be wrong,
(it works, but for the wrong reasons) - ICMPs break with the check left in !
I'm not sure why, but this has fixed the other problem too - I had a bug in
my test program, so maybe your suggested patch from a few days ago worked
too - sorry if this is the case.
Anyway, can you have a look at things and see if you want them commited -
or see if you want me committed ;) There's a version of masqd on
www.awfulhak.demon.co.uk too - natd-1.1 is "on the verge" I believe and
it's much more functional than masqd, so I suspect natd will live and
masqd will die (RIP).
Cheers.
--
Brian <brian@awfulhak.demon.co.uk>, <brian@freebsd.org>
<http://www.awfulhak.demon.co.uk/>;
Don't _EVER_ lose your sense of humour....
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702010409.EAA04555>