Date:      Fri, 31 Aug 2007 13:33:53 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Norberto Meijome <freebsd@meijome.net>
Cc:        FreeBSD Net ML <freebsd-net@freebsd.org>, FreeBSD Questions ML <freebsd-questions@freebsd.org>
Subject:   Re: pf rdr + netsed : reinject loop...
Message-ID:  <20070831113353.GA30807@insomnia.benzedrine.cx>
In-Reply-To: <20070831202729.7e4c0f7a@localhost>
References:  <20070831202729.7e4c0f7a@localhost>

On Fri, Aug 31, 2007 at 08:27:29PM +1000, Norberto Meijome wrote:

> rdr on $int_if proto tcp from 172.16.82.81 to any -> 127.0.0.1 port 10101
> netsed tcp 10101 0 0 s/FOO/BAR

> The traffic from XP gets redirected just fine to netsed, which replaces the bytes just fine. BUT the changed packets (the output of netsed) get reinjected somewhere so that the rdr hits them again, sending them back to netsed ad infinitum. (Yes, I managed to hit a load of 700+ without anything ever leaving BSD ... quite cool.)

I'm pretty sure the endless loop you describe does not pass through pf, 
except for the first iteration. In the first iteration, pf replaces the 
destination address with 127.0.0.1, and the packet goes to netsed. 
netsed changes the payload, but leaves the destination address
(127.0.0.1 now). It sends the packet out, and since the destination
address is 127.0.0.1, it sends it to itself. Hence the loop, which does
not involve pf any further (i.e. there's no 'redirecting again' or such,
AFAICT).

> rdr on $int_if proto tcp from 172.16.82.81 to O.P.Q.R -> 127.0.0.1 port 10101
> netsed tcp 10101 O.P.Q.R 0 s/FOO/BAR
> 
> How do I modify this setup so that netsed packets aren't caught again by pf's rdr and sent back into netsed ? I'm happy to try other tools / setups...

Two approaches are possible:

a) You modify netsed so it will query pf about the original destination
address (O.P.Q.R), and re-insert that before sending out its modified
packet. The DIOCNATLOOK ioctl(2) call can be used for that, see pf(4)
for details and e.g. the squid source (ports) for how it's used.

b) Instead of replacing the destination address in pf with rdr, try
leaving it as it is, but use route-to (lo0) to get the packet routed to
the loopback interface. This would require netsed to listen on
INADDR_ANY (or use a raw socket, I haven't checked its source code).

Daniel
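Approach (a) worked through in C, as an added example that is not netsed's, pf's or Daniel's code: after accept(2), the proxy asks pf via DIOCNATLOOK which destination the client was really connecting to before the rdr rewrote it to 127.0.0.1:10101, and connects onward to that instead of to its own socket's local address. It assumes the proxy runs on the pf host (which the rdr to 127.0.0.1 already requires), can open /dev/pf read-only, listens on port 10101 as in the rule above, and that the connection is plain IPv4 TCP; the names PROXY_PORT, pf_original_dst, would_loop and make_in are chosen here. On a system without pf the lookup simply fails with ENOSYS so the file still builds.

```c
/* Recover the pre-rdr destination of an accepted connection with pf's
 * DIOCNATLOOK, so a transparent proxy (netsed here) connects to the real
 * server rather than back into 127.0.0.1:10101. Added example, not code
 * from netsed or pf. Builds with pf on FreeBSD/OpenBSD/NetBSD; elsewhere
 * the lookup returns -1/ENOSYS. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
#include <net/if.h>
#include <net/pfvar.h>
#define HAVE_PF 1
#endif

#define PROXY_PORT 10101   /* netsed's listening port from the thread */

/* Build an IPv4 sockaddr from host-order address and port (helper name chosen here). */
struct sockaddr_in make_in(uint32_t host_ip, uint16_t host_port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(host_ip);
    sa.sin_port = htons(host_port);
    return sa;
}

/* Ask pf where the client was really going before rdr rewrote the
 * destination. client/local come from getpeername(2)/getsockname(2) on the
 * accepted socket. Returns 0 and fills *orig, or -1 with errno set
 * (ENOENT: pf holds no state, i.e. this connection was not redirected). */
int pf_original_dst(int pffd, const struct sockaddr_in *client,
                    const struct sockaddr_in *local, struct sockaddr_in *orig)
{
#ifdef HAVE_PF
    struct pfioc_natlook nl;
    memset(&nl, 0, sizeof nl);
    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;            /* rdr states are looked up as PF_OUT */
    nl.saddr.v4 = client->sin_addr;   /* ports stay in network byte order */
    nl.sport = client->sin_port;
    nl.daddr.v4 = local->sin_addr;
    nl.dport = local->sin_port;
    if (ioctl(pffd, DIOCNATLOOK, &nl) == -1)
        return -1;
    *orig = make_in(0, 0);
    orig->sin_addr = nl.rdaddr.v4;    /* destination before the rewrite */
    orig->sin_port = nl.rdport;
    return 0;
#else
    (void)pffd; (void)client; (void)local; (void)orig;
    errno = ENOSYS;
    return -1;
#endif
}

/* The loop from the thread: connecting onward to our own listener (same
 * port on our address or anything in 127/8) just lands back in the rdr. */
int would_loop(const struct sockaddr_in *dst, const struct sockaddr_in *local)
{
    if (dst->sin_port != local->sin_port)
        return 0;
    if (dst->sin_addr.s_addr == local->sin_addr.s_addr)
        return 1;
    return (ntohl(dst->sin_addr.s_addr) >> 24) == 127;
}

/* Stand-alone: accept one redirected connection and print its real target. */
int main(void)
{
    struct sockaddr_in bindaddr = make_in(INADDR_LOOPBACK, PROXY_PORT);
    struct sockaddr_in client, local, orig;
    socklen_t len = sizeof client;
    char cbuf[INET_ADDRSTRLEN], obuf[INET_ADDRSTRLEN];
    int pffd, ls, cs;

    if ((pffd = open("/dev/pf", O_RDONLY)) == -1) { perror("/dev/pf"); return 1; }
    ls = socket(AF_INET, SOCK_STREAM, 0);
    if (bind(ls, (struct sockaddr *)&bindaddr, sizeof bindaddr) == -1 ||
        listen(ls, 8) == -1) { perror("bind/listen"); return 1; }
    if ((cs = accept(ls, (struct sockaddr *)&client, &len)) == -1) { perror("accept"); return 1; }
    len = sizeof local;
    getsockname(cs, (struct sockaddr *)&local, &len);
    /* Never fall back to `local` on failure: that is exactly the loop. */
    if (pf_original_dst(pffd, &client, &local, &orig) == -1) { perror("DIOCNATLOOK"); return 1; }
    if (would_loop(&orig, &local)) { fprintf(stderr, "would loop, dropping\n"); return 1; }
    printf("%s:%u really wanted %s:%u\n",
           inet_ntop(AF_INET, &client.sin_addr, cbuf, sizeof cbuf), ntohs(client.sin_port),
           inet_ntop(AF_INET, &orig.sin_addr, obuf, sizeof obuf), ntohs(orig.sin_port));
    close(cs); close(ls); close(pffd);
    return 0;
}
```

The proxy would then connect(2) to `orig` and relay between the two sockets. Two points worth keeping: a DIOCNATLOOK failure with ENOENT means the connection did not arrive through the rdr, and the proxy must refuse it rather than fall back to the socket's own local address, since that fallback is precisely the 127.0.0.1 loop described above; and the lookup has to happen on the pf host, which is why the rdr target is 127.0.0.1 in the first place.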

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070831113353.GA30807>