From: Stefan Bethke <stb@lassitu.de>
To: Javier Ubillos
Cc: freebsd-hackers@freebsd.org
Subject: Re: Override default ICMP (and other protocols) default replies.
Date: Thu, 21 Aug 2008 10:27:29 +0200
Message-Id: <56884315-CCF6-4795-9644-BE904DB32597@lassitu.de>
In-Reply-To: <1219253269.9118.17.camel@dib>
List-Id: Technical Discussions relating to FreeBSD

On 20.08.2008 at 19:27, Javier Ubillos wrote:

> Hi freebsd-hackers.
> (Sorry for cross-posting, but I got no reply when posting to
> freebsd-questions)
>
> I'm implementing a NAT (1 ip - 1 ip) like router.
>
> I have chosen to use pcaplib to pick up the packets. I have an
> implementation which picks up the packets, inspects them, rewrites the
> destination/source ip-addresses and sends them out on the respective
> interface.
>
> The problem I'm facing however is that my interfaces are answering to
> e.g. icmp-echo (ping) automatically, and I don't know how to turn this
> behaviour off.
>
> What I want to happen is that if A pings C, my router B in between
> should simply forward the packets w/o any automatic reactions.
>
> A --> B --> C
>
> So that if e.g. C is down, no echo-reply is sent back (or if C is up,
> that C is actually sending the echo-reply).
>
> Does anyone know how to turn off the automatic replies (ICMP and
> whatever else I haven't foreseen yet) or does anyone know where I can
> find out more about the issue?

bpf, which libpcap uses, gives you a copy of the received packet, so the
kernel will process it. Typically, if you want to process packets before
the host sees them, you'd use ipfw(4) and a divert(4) socket, like
natd(8) does. This lets you take any packet entering the system, modify
it, and (if appropriate) reinject it into the stack.

You can also configure your own tun(4) interface to get packets out of
the kernel and process them, which might be ideal if you want to process
all traffic for an IP.

And finally, unless you have really weird requirements, ipfw or pf rules
will likely work without any special programming.

HTH,
Stefan

--
Stefan Bethke   Fon +49 170 346 0140
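As an added illustration of the divert(4) approach Stefan describes (example code written for this page, not from Stefan, Javier or the FreeBSD project), here is a minimal 1:1 NAT on a divert socket. It assumes an ipfw rule such as `ipfw add 100 divert 8668 ip from any to any via em0` and net.inet.ip.forwarding=1; the rule number, the interface name em0, the divert port and the addresses 192.0.2.10 (host C behind the NAT) and 198.51.100.10 (the public address C is shown as) are constructed placeholders. The file also builds on systems without divert(4) because IPPROTO_DIVERT is supplied when the headers lack it, so the rewrite and checksum logic can be exercised offline; the receive/reinject loop itself only does something useful on FreeBSD with ipfw.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258            /* FreeBSD's value; guarded so the file also builds elsewhere */
#endif
#define DIVERT_PORT  8668             /* natd's default; the ipfw divert rule must use the same port */
#define INSIDE_ADDR  "192.0.2.10"     /* constructed: host C behind the NAT */
#define OUTSIDE_ADDR "198.51.100.10"  /* constructed: public address C is shown as */
/* RFC 1071 one's-complement sum of n bytes added to acc, folded to 16 bits. */
static uint32_t ones_sum(const uint8_t *p, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}
/* IPv4 header checksum (host order); computed over an intact header it is 0. */
uint16_t ip_header_checksum(const uint8_t *pkt, size_t hlen) { return (uint16_t)~ones_sum(pkt, hlen, 0); }
/* TCP/UDP checksum including the IPv4 pseudo-header; 0 over a valid, unfragmented segment. */
uint16_t transport_checksum(const uint8_t *pkt, size_t hlen, size_t len) {
    uint8_t ph[12] = {0};
    memcpy(ph, pkt + 12, 8); ph[9] = pkt[9];                                /* src, dst, zero, protocol */
    ph[10] = (uint8_t)((len - hlen) >> 8); ph[11] = (uint8_t)(len - hlen);  /* transport length */
    return (uint16_t)~ones_sum(pkt + hlen, len - hlen, ones_sum(ph, 12, 0));
}
/* RFC 1624 eq. 3: new checksum after a 32-bit field changes oldv -> newv (host order).
 * Incremental update also works on a first fragment, where a from-scratch sum cannot. */
uint16_t checksum_replace32(uint16_t csum, uint32_t oldv, uint32_t newv) {
    uint32_t acc = (uint16_t)~csum;
    acc += (uint16_t)~(oldv >> 16) + (uint16_t)~(oldv & 0xffff) + (newv >> 16) + (newv & 0xffff);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* 1:1 NAT: rewrite the source inside->outside on packets leaving, the destination
 * outside->inside on packets arriving. Returns 1 if rewritten, 0 if unrelated, -1 if not sane IPv4. */
int nat_rewrite(uint8_t *pkt, size_t len, uint32_t inside, uint32_t outside) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (pkt[0] & 0x0f) * 4u, tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || hlen > tot || tot > len) return -1;
    uint32_t src, dst, oldv, newv; size_t off;
    memcpy(&src, pkt + 12, 4); memcpy(&dst, pkt + 16, 4);
    if (src == inside)       { off = 12; oldv = src; newv = outside; }
    else if (dst == outside) { off = 16; oldv = dst; newv = inside; }
    else return 0;
    memcpy(pkt + off, &newv, 4);
    pkt[10] = pkt[11] = 0; uint16_t hc = ip_header_checksum(pkt, hlen);   /* header checksum from scratch */
    pkt[10] = hc >> 8; pkt[11] = hc & 0xff;
    /* TCP/UDP checksums cover both addresses via the pseudo-header; the transport header exists only at fragment offset 0. */
    size_t coff = pkt[9] == IPPROTO_TCP ? hlen + 16 : pkt[9] == IPPROTO_UDP ? hlen + 6 : 0;
    if (coff && coff + 2 <= tot && (pkt[6] & 0x1f) == 0 && pkt[7] == 0) {
        uint16_t c = (uint16_t)(pkt[coff] << 8 | pkt[coff + 1]);
        if (!(pkt[9] == IPPROTO_UDP && c == 0)) {                           /* UDP checksum 0 means "none" */
            c = checksum_replace32(c, ntohl(oldv), ntohl(newv));
            if (pkt[9] == IPPROTO_UDP && c == 0) c = 0xffff;                /* UDP never sends 0 for a real sum */
            pkt[coff] = c >> 8; pkt[coff + 1] = c & 0xff;
        }
    }
    return 1;
}

/* Constructed 28-byte IPv4/UDP datagram (ports 40000 -> 53, no payload) with valid checksums. */
size_t build_sample_udp(uint8_t *buf, const char *src, const char *dst) {
    static const uint8_t udp[8] = {0x9c, 0x40, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00};
    memset(buf, 0, 20); memcpy(buf + 20, udp, 8);
    buf[0] = 0x45; buf[3] = 28; buf[8] = 64; buf[9] = IPPROTO_UDP;
    inet_pton(AF_INET, src, buf + 12); inet_pton(AF_INET, dst, buf + 16);
    uint16_t hc = ip_header_checksum(buf, 20), uc; buf[10] = hc >> 8; buf[11] = hc & 0xff;
    if ((uc = transport_checksum(buf, 20, 28)) == 0) uc = 0xffff;
    buf[26] = uc >> 8; buf[27] = uc & 0xff;
    return 28;
}

/* Offline check of the rewrite path: both directions, an unrelated packet, a truncated one. */
int nat_selftest(void) {
    uint32_t inside, outside; uint8_t p[28];
    inet_pton(AF_INET, INSIDE_ADDR, &inside); inet_pton(AF_INET, OUTSIDE_ADDR, &outside);
    build_sample_udp(p, INSIDE_ADDR, "203.0.113.5");                      /* C -> Internet */
    if (nat_rewrite(p, 28, inside, outside) != 1) return 0;
    if (memcmp(p + 12, &outside, 4) || ip_header_checksum(p, 20) || transport_checksum(p, 20, 28)) return 0;
    build_sample_udp(p, "203.0.113.5", OUTSIDE_ADDR);                     /* Internet -> C */
    if (nat_rewrite(p, 28, inside, outside) != 1) return 0;
    if (memcmp(p + 16, &inside, 4) || ip_header_checksum(p, 20) || transport_checksum(p, 20, 28)) return 0;
    build_sample_udp(p, "203.0.113.5", "203.0.113.6");                    /* not ours: left alone */
    return nat_rewrite(p, 28, inside, outside) == 0 && nat_rewrite(p, 10, inside, outside) == -1;
}
/* The divert loop: receive, rewrite, write back. Needs root, ipfw and the divert rule. */
int main(void) {
    uint32_t inside, outside; uint8_t pkt[65535];
    inet_pton(AF_INET, INSIDE_ADDR, &inside); inet_pton(AF_INET, OUTSIDE_ADDR, &outside);
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert socket"); return 1; }
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); return 1; }
        if (nat_rewrite(pkt, (size_t)n, inside, outside) < 0) continue;    /* drop malformed */
        /* Writing back to the address divert(4) handed us re-enters the stack after the rule. */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0) perror("sendto");
    }
}
```

This is why the router stops answering pings on C's behalf: a packet for 198.51.100.10 is pulled out by the divert rule before the host's ICMP code sees it, comes back addressed to 192.0.2.10, and is then forwarded instead of answered, while C's replies have their source rewritten on the way out. Two caveats a real NAT must handle that this example leaves out: ICMP error messages carry a copy of the offending IP header that needs translating too, and non-first fragments cannot be matched to a transport session at all. For the plain 1:1 case, ipfw's built-in nat (or natd) already does all of this, which is Stefan's last point.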