> On 10.02.2022 at 09:55, Stuart Henderson <stu.li...@spacehopper.org> wrote:
> 
> On 2022-02-08, Mike Fischer <fischer+o...@lavielle.com> wrote:
>> Hi!
>> 
>> I have PF rules redirecting packets to an IP on one interface (rdomain 1) to 
>> the IP of another interface (rdomain 0):
>> 
>> pass in log on rdomain 1 inet proto tcp to $ipv4b port 80 rdr-to $ipv4a port 
>> 8080 rtable 0
>> pass in log on rdomain 1 inet6 proto tcp to $ipv6b port 80 rdr-to $ipv6a 
>> port 8080 rtable 0
>> 
>> These rules work for IPv4 but initially not for IPv6. (That problem is now 
>> solved.) I was trying to figure out why and started using tcpdump(8).
>> 
>> em0 has the IPs: ipv4a and ipv6a.
>> em1 is in rdomain 1 and has the IPs: ipv4b and ipv6b.
>> Both are connected to the same LAN.
>> 
>> httpd(8) is configured to listen on ipv4a:80, ipv6a:80 with one (virtual) 
>> server and on ipv4a:8080, ipv6a:8080 with another, each serving a very 
>> simple index.html file that shows which server is responding.
>> 
>> To debug I started:
>> # tcpdump -n -e -ttt -l -i em0 'port 80 or 8080'
>> 
>> # tcpdump -n -e -ttt -l -i em1 'port 80 or 8080'
>> 
>> (Both in separate terminal windows at the same time.)
>> 
>> Now from a second machine I access the web server:
>> $ curl --url 'http://<ipv4a>'
>> Works fine, I see traffic in the tcpdump(8) for em0.
>> 
>> $ curl --url 'http://<ipv4b>'
>> Works fine, I see traffic in the tcpdump(8) for em1 but not for em0.
>> 
>> $ curl --url 'http://[<ipv6a>]'
>> Works fine, I see traffic in the tcpdump(8) for em0.
>> 
>> $ curl --url 'http://[<ipv6b>]'
>> Timeout! I see traffic in the tcpdump(8) for em1 but not for em0.
>> This was the one I was ultimately trying to debug but as the trace on the 
>> IPv4 version doesn’t work as expected I was momentarily at a loss.
>> I have since solved the actual problem by setting:
>> # sysctl net.inet6.ip6.forwarding=1
>> But I still don’t see the redirected traffic in the tcpdump(8) for em0.
>> 
>> 
>> I don’t understand the second and fourth results. Why does the tcpdump(8) 
>> for em0 not show the redirected packets?
>> 
>> I am likely missing something obvious here. How can I capture the redirected 
>> packets?
> 
> The redirection to an address on the local machine is just internal to
> the machine; those would only show a second time in tcpdump if they were
> being sent to another machine.

Ok, thanks. So there is no way to trace rdr-to (other than possibly doing low 
level kernel debugging)?


> Normally if you have two addresses on the same lan you'd configure them
> as aliases on the one interface, this seems a bit of a non-standard
> config.

Yes I know. The reason for trying this was that having two inet6 autoconf 
interfaces on the same LAN has issues. And an alias was not an option due to 
dynamic IPv6 prefixes. (See this thread: 
https://marc.info/?l=openbsd-misc&m=164412170710420&w=2 and a suggestion by 
Brian Brombacher in https://marc.info/?l=openbsd-misc&m=164418424619191&w=2 
that I wanted to give a try.)

Non-standard or not, it works ;-) Though the headers seen by the web server 
show the redirected IP and port and not the ones originally asked for by the 
client. Not surprising but something the site developer needs to be aware of. 
And HTTP was only an easy-to-use example. For other services this limitation 
may have more severe consequences.


Thanks!

Mike
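As an added example (not part of the thread above, and not the poster's configuration): since a rdr-to to a local address never reappears on the destination interface for tcpdump(8), the place where the translation is visible on the box itself is the PF state table. The script below parses pfctl(8) state output of the form `pfctl -ss` prints on OpenBSD, where an inbound state that was translated reads `<translated dst> (<original dst>) <- <src>`, and lists only the redirected states. The sample lines are constructed here using documentation addresses; the field layout is assumed from that output format, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail thread.
# Lists rdr-to translations from pfctl -ss style state output: the state
# table shows both the original and the translated destination, which a
# tcpdump on the destination interface never will for a local redirect.

# Constructed sample in the shape of `pfctl -ss` output (assumed format):
#   <if> <proto> <dst> (<orig dst>) <- <src>   for a translated inbound state
#   <if> <proto> <dst> <- <src>                for an untranslated one
# IPv6 addresses appear in brackets. Addresses are documentation prefixes.
SAMPLE_STATES='all tcp 192.0.2.10:8080 (192.0.2.11:80) <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:80 <- 203.0.113.5:51235       ESTABLISHED:ESTABLISHED
all tcp [2001:db8::a]:8080 ([2001:db8::b]:80) <- [2001:db8:1::5]:51236       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 203.0.113.9:40000       MULTIPLE:MULTIPLE'

# rdr_states: read state lines on stdin, print one line per redirected
# inbound state as "<client> <original dst> -> <translated dst>".
# Fields: 1=if 2=proto 3=translated dst 4=(original dst) 5=<- 6=src
rdr_states() {
    awk '$4 ~ /^\(/ && $5 == "<-" {
        orig = $4
        sub(/^\(/, "", orig)
        sub(/\)$/, "", orig)
        printf "%s %s -> %s\n", $6, orig, $3
    }'
}

# count_rdr: number of redirected states in the constructed sample.
count_rdr() {
    printf '%s\n' "$SAMPLE_STATES" | rdr_states | wc -l | tr -d ' '
}

# first_rdr: the first redirected state of the sample, for checking.
first_rdr() {
    printf '%s\n' "$SAMPLE_STATES" | rdr_states | head -n 1
}

# On a live system the same filter runs as:  pfctl -ss | rdr_states
printf '%s\n' "$SAMPLE_STATES" | rdr_states
```

The untranslated port-80 state for ipv4a and the UDP state are filtered out; only the two states that went through rdr-to are listed, each with the client, the address and port the client actually asked for, and the local address and port the connection was delivered to. That last pair is also what the server behind the redirect sees as its local endpoint, which is the point made about the application in the mail above.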
