On Thu, 15 Mar 2012 12:22:52 +0100 Mike Belopuhov <[email protected]> wrote:
> On Thu, Mar 15, 2012 at 19:34 +0900, YASUOKA Masahiko wrote:
>> On Thu, 15 Mar 2012 09:16:42 +0100
>> Alexander Bluhm <[email protected]> wrote:
>> > On Wed, Mar 14, 2012 at 03:32:08PM +0900, YASUOKA Masahiko wrote:
>> >> In ip_input(), there is a filter to disable all packets to 127.0.0.0/27.
>> >> That filter drops a packet that was a transport-mode ESP packet and
>> >> that has been redirected to 127.0.0.1 with pf `rdr-to' rule.
>> >>
>> >> Below diff will fix the filter not to drop such packets.
>> >>
>> >> ok? or comment?
>> >>
>> >> The problem was found by Alexis san. He is trying to configure npppd
>> >> and isakmpd to listen on 127.0.0.1 and pf to redirect packets to local
>> >> (carp) address with `rdr-to' rule.
>> >
>> > Does it work when you use divert-to instead of rdr-to?
>>
>> No, isakmpd can receive packets, but it sends a response with
>> 127.0.0.1 as the source address.
>>
>> (tcpdump)
>> 19:10:51.428149 126.188.179.157.500 > xxx.yyy.64.141.500: isakmp v1.0 exchange ID_PROT
>> cookie: 22c454df787e0fd2->0000000000000000 msgid: 00000000 len: 300
>> 19:10:51.428792 127.0.0.1.500 > 126.188.179.157.500: isakmp v1.0 exchange ID_PROT
>> cookie: 22c454df787e0fd2->3dc01659110fac07 msgid: 00000000 len: 180
>>
>> (pf.conf)
>> pass in log on $ext_ifs proto udp to xxx.yyy.64.141 port 500 \
>> divert-to 127.0.0.1 port 500
>> pass in log on $ext_ifs proto udp to xxx.yyy.64.141 port 4500 \
>> divert-to 127.0.0.1 port 4500
>>
>> (isakmpd.conf)
>> [General]
>> Listen-on= 127.0.0.1
>>
>> I thought adding a divert hack to isakmpd may fix this problem, but
>> isakmpd won't be able to use xxx.yyy.64.141 as the source address
>> unless it binds xxx.yyy.64.141.
>
> SO_BINDANY and divert-reply are there for such situations.
Yes. But in the original story, xxx.yyy.64.141 was a carp address, so
we can bind it without SO_BINDANY. And I thought binding the address
except 127.0.0.1 was not allowed in the original requirement, because
if it is allowed we can listen on it from the beginning.

> but how does rdr-to fix it?

isakmpd uses 127.0.0.1 as the source address, then pf changes it to
xxx.yyy.64.141.

--yasuoka
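The two pf rule forms being compared in this thread, written out side by side as an added example (this is not the thread's own pf.conf, and the `ext_ifs` macro and the `xxx.yyy.64.141` placeholder are carried over from the quoted messages as assumptions). The `divert-to` variant is what the thread shows; the `rdr-to` variant is the original setup whose reply path pf rewrites, and which only works for loopback destinations once the ip_input() filter change proposed here is in place.

```pf
# Added example, not from the thread. Macros are assumptions:
ext_ifs   = "{ em0 em1 }"       # external interfaces (assumed names)
carp_addr = "xxx.yyy.64.141"    # the carp address, placeholder from the thread

# Variant A: divert-to (as in the thread's pf.conf).
# The packet is handed to isakmpd on 127.0.0.1 without rewriting the
# destination address. pf keeps no translation state, so isakmpd's
# reply leaves with source 127.0.0.1 (see the tcpdump in the thread)
# unless the daemon itself binds $carp_addr.
pass in log on $ext_ifs proto udp to $carp_addr port 500 \
    divert-to 127.0.0.1 port 500
pass in log on $ext_ifs proto udp to $carp_addr port 4500 \
    divert-to 127.0.0.1 port 4500

# Variant B: rdr-to (the original setup).
# pf rewrites the destination to 127.0.0.1 and records the translation
# in the state entry, so the reply from 127.0.0.1 is rewritten back to
# $carp_addr on the way out. Transport-mode ESP is redirected the same
# way, which is the packet the ip_input() loopback filter was dropping
# before the fix discussed above.
pass in log on $ext_ifs proto udp to $carp_addr port 500 \
    rdr-to 127.0.0.1 port 500
pass in log on $ext_ifs proto udp to $carp_addr port 4500 \
    rdr-to 127.0.0.1 port 4500
pass in log on $ext_ifs proto esp to $carp_addr \
    rdr-to 127.0.0.1
```

When checking which variant a box is running, `pfctl -ss` shows the translated address pair for the `rdr-to` states, while `divert-to` states carry no translation; that difference is exactly why the reply source differs between the two.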
