On Mon, Feb 04, 2002 at 08:04:20AM -0500, Mike Tancsa wrote:
> Hi,
> Will this be backed out, or do you know of a work around to this
> issue?
>
The ip_input() part in question was committed to RELENG_4 in revision
1.130.2.20 by a different committer, about a year ago. I think the
original poster should fix his rulesets instead. I don't believe
that transparent proxying (using the IPFIREWALL_FORWARD) was broken
by this change, as it doesn't bind sockets to loopback addresses.

> At 07:17 PM 2/3/2002 -0700, M. Warner Losh wrote:
> >In message: <[EMAIL PROTECTED]>
> >            Michael Nottebrock <[EMAIL PROTECTED]> writes:
> >: Greg Prosser wrote:
> >:
> >: > FWIW, my problem was a change in the ip stack.
> >: >
> >: > We now drop 127.* packets on the floor if they come in across an interface
> >: > that is not lo0. Since ipnat redirect rules happen below the ip stack,
> >: > packets which are rewritten by ipnat to use a 127.* address get dropped on
> >: > the floor when they enter the stack. ipnat records the redirect as having
> >: > worked, but the packet just disappears silently. This totally breaks
> >: > my transparent proxy, as I forward the connections to 127.0.0.1 via ipnat.
> >:
> >:
> >: Ugh. This probably means that transparent squid proxying will also break
> >: and _that_ scares me (no touchy cvsup for my -STABLE box). You might
> >: want to contact the committer about this.
> >
> >It is certainly looking like this change will be backed out. It is
> >well intended, but breaks too many things. :-(
> >
> >Warner

--
Ruslan Ermilov          Sysadmin and DBA,
[EMAIL PROTECTED]       Sunbay Software AG,
[EMAIL PROTECTED]       FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
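
The packet path described in the quoted report, as an added example that is not part of the original thread and is not FreeBSD kernel source: a user-space model in which a redirect rewrites the destination before the input check sees the packet. The names `nat_redirect()` and `ip_input_accepts()`, the struct, and the sample addresses are constructed for illustration, and treating a packet as "127.*" when either its source or destination is in 127/8 is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-byte-order IPv4 address from dotted-quad parts. */
#define ADDR(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed model of a received packet; not a kernel structure. */
struct pkt {
    uint32_t src;
    uint32_t dst;
    bool     rcvif_loop;   /* true if it arrived on a loopback interface */
};

/* True for any address in 127.0.0.0/8. */
static bool in_loopback_net(uint32_t addr)
{
    return (addr >> 24) == 127;
}

/* Hypothetical stand-in for a redirect rule applied below the IP stack. */
static void nat_redirect(struct pkt *p, uint32_t new_dst)
{
    p->dst = new_dst;
}

/* Model of the check: 127/8 traffic is accepted only from a loopback interface. */
static bool ip_input_accepts(const struct pkt *p)
{
    if (in_loopback_net(p->src) || in_loopback_net(p->dst))
        return p->rcvif_loop;
    return true;
}

/* Send one constructed client packet through the redirect, then the check. */
static bool deliver_after_redirect(uint32_t redirect_to, bool via_loopback)
{
    struct pkt p = { ADDR(192, 0, 2, 10), ADDR(198, 51, 100, 80), via_loopback };
    nat_redirect(&p, redirect_to);
    return ip_input_accepts(&p);
}

int main(void)
{
    /* The redirect itself succeeds in every case; only the later check differs. */
    printf("to 127.0.0.1 via NIC: %d\n", deliver_after_redirect(ADDR(127, 0, 0, 1), false));
    printf("to 127.0.0.1 via lo0: %d\n", deliver_after_redirect(ADDR(127, 0, 0, 1), true));
    printf("to 192.0.2.1 via NIC: %d\n", deliver_after_redirect(ADDR(192, 0, 2, 1), false));
    return 0;
}
```

The first case is the silent drop from the report: the rewrite is recorded as done, and the packet is then rejected because its new destination is in 127/8 while its receive interface is not loopback.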