On Wed, Feb 13, 2002 at 11:03:47AM +0200, Ruslan Ermilov wrote:
> Hi!
>
> Please test with and without this patch.

Hmm. I'm having a little trouble testing this on -CURRENT. As a first
step, I just deleted all of the 127/8 blocking code in ip_output.c,
and tried to do a rdr to 127.0.0.1.

First, make sure the stops on outgoing 127/8 are really gone,

  bubbles# ping 127.0.0.2
  PING 127.0.0.2 (127.0.0.2): 56 data bytes
  ^C
  --- 127.0.0.2 ping statistics ---
  2 packets transmitted, 0 packets received, 100% packet loss
  bubbles#

And I see,

  bubbles# tcpdump 'net 127.0.0.0/8'
  tcpdump: listening on ep0
  15:46:29.954112 bubbles > 127.0.0.2: icmp: echo request
  15:46:30.964695 bubbles > 127.0.0.2: icmp: echo request
  ^C
  46 packets received by filter
  0 packets dropped by kernel
  bubbles#

OK, all great. So I fire up ipnat(1),

  bubbles# cat ipnat.rules
  # $Id$
  #
  # Testing IPFilter interaction with loopback
  rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp
  bubbles# ipnat -C -f ipnat.rules
  1 entries flushed from NAT list
  bubbles# ipnat -l
  List of active MAP/Redirect filters:
  rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp

  List of active sessions:
  bubbles# ipfstat -io
  pass out from any to any
  pass in from any to any
  bubbles#

And I start a listener on 2323,

  $ nc -l -p 2323

And from another host,

  $ telnet bubbles 23
  Trying 192.168.64.20...
  telnet: connect to address 192.168.64.20: Operation timed out
  telnet: Unable to connect to remote host

That is, it doesn't work. However,

  bubbles# ipnat -l
  List of active MAP/Redirect filters:
  rdr ep0 192.168.64.20/32 port 23 -> 127.0.0.1 port 2323 tcp

  List of active sessions:
  RDR 127.0.0.1 2323 <- -> 192.168.64.20 23 [192.168.64.60 1099]

ipnat(1) is working. Where are the packets going? I couldn't find any
being blocked or in the netstat statistics.

Now, to see if this works at all, I change the ipnat.rules,

  bubbles# cat ipnat.rules
  # $Id$
  #
  # Testing IPFilter interaction with loopback
  rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp
  bubbles# ipnat -C -f ipnat.rules
  1 entries flushed from NAT list
  bubbles#

Now I try,

  $ telnet bubbles 23
  Trying 192.168.64.20...
  Connected to bubbles.cjclark.org.
  Escape character is '^]'.

And it works fine,

  bubbles# ipnat -l
  List of active MAP/Redirect filters:
  rdr ep0 192.168.64.20/32 port 23 -> 192.168.64.20 port 2323 tcp

  List of active sessions:
  RDR 192.168.64.20 2323 <- -> 192.168.64.20 23 [192.168.64.60 1100]
  RDR 127.0.0.1 2323 <- -> 192.168.64.20 23 [192.168.64.60 1099]
  bubbles#

So at least in -CURRENT, this 127.0.0.1 redirect doesn't seem to work
even if you remove the code from ip_output.c completely. I'll give
-STABLE a try, but these IPFilter people will have the same problem
when 5.0-RELEASE comes around if my tests are accurate.

-- 
Crist J. Clark                     | [EMAIL PROTECTED]
                                   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/    | [EMAIL PROTECTED]