IP_BINDANY: return packets not accepted by kernel

Julian Elischer julian at freebsd.org
Thu Mar 10 10:32:20 UTC 2011


On 3/9/11 11:04 AM, Rajkumar S wrote:
> Hello all,
>
> I am testing IP_BINDANY functionality with a small C program. I can
> bind to a foreign (non existing) address, and syn packets are being
> sent with the bound source IP address and port. Return (ACK) packets
> are reaching the host (I can see the SYN-ACK packet in tcpdump), but
> the third packet in TCP handshake is not getting generated. It looks
> like the second SYN-ACK is not getting accepted by the kernel.
>
> My test setup consists of 2 machines, one freebsd 8.2 where I am
> running my test program has an ip address of 192.168.3.83, and an echo
> server running in the second machine with ip address 192.168.3.18. The
> source ip address of connection originating from my test program is
> 192.168.9.5 and echo server is having a route for 192.168.9.0/24 to
> 192.168.3.83.
>
> Since there is a route for 192.168.9.5 from 192.168.3.18, there is no
> need for any additional pf rules for redirecting and packets can be
> seen in tcpdump.
>
> Netstat gives the following output. The state remains SYN_SENT and the
> kernel is not able to "see" the SYN-ACK.
>
> tcp4       0      0 192.168.9.5.7          192.168.3.18.7         SYN_SENT
>
> tcpdump gives the following output (first 2 lines)
>
> 17:39:54.745332 00:40:f4:bd:3d:1c > 00:27:0e:26:d9:66, ethertype IPv4
> (0x0800), length 74: 192.168.9.5.7 > 192.168.3.18.7: Flags [S], seq
> 587594188, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
> 92954112 ecr 0], length 0
>
> 17:39:54.745446 00:27:0e:26:d9:66 > 00:40:f4:bd:3d:1c, ethertype IPv4
> (0x0800), length 74: 192.168.3.18.7 > 192.168.9.5.7: Flags [S.], seq
> 399460822, ack 587594189, win 5792, options [mss 1460,sackOK,TS val
> 4341497 ecr 92954112,nop,wscale 7], length 0
>
> arp -na (abbreviated)
> ? (192.168.3.83) at 00:40:f4:bd:3d:1c on re0 permanent [ethernet]
> ? (192.168.3.18) at 00:27:0e:26:d9:66 on re0 expires in 1133 seconds [ethernet]
>
> Am I missing something here? I am running all programs as root, so I
> do have the privileges. I guess there are no sysctls to be set. Any
> help to get this working is much appreciated.

Yes, you are missing the fact that the return packets will never be
accepted unless you have an ipfw rule saying:

fwd localhost ip from any to any uid {uid of your process} in recv {your interface}

The first layer of IP doesn't know about sockets and will reject
packets to non-local addresses.
However, ipfw can override this and tell the IP stack to take the packet,
because it identifies the matching socket.

"yes it's a kludge" but it works.

Sorry if you don't use ipfw. 'pf' MAY be able to do similar,
but I don't know.

> with regards,
>
> raj
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
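
Added example, not the original poster's program and not code from the thread: a minimal C client that does what the question describes, in the order the kernel sees it. It sets IP_BINDANY, binds to the foreign source address from the thread (192.168.9.5), connects to the echo server (192.168.3.18:7) and reports which step failed and with what errno. The addresses are the thread's; for any other setup they are assumptions. The IP_TRANSPARENT fallback (so the file also compiles on Linux, where that option plays the same role) and the step-by-step result struct are additions of this example, not anything from the thread.

```c
/*
 * Added example: minimal IP_BINDANY client modelled on the setup in the
 * thread (FreeBSD 8.2 host 192.168.3.83 binding 192.168.9.5, echo server
 * 192.168.3.18:7). Needs root on FreeBSD. Not the original poster's code.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* IP_BINDANY is the FreeBSD option (netinet/in.h). The IP_TRANSPARENT
 * fallback is an assumption so the file also compiles on Linux; it is not
 * part of the thread. */
#ifdef IP_BINDANY
#define BINDANY_OPT IP_BINDANY
#elif defined(IP_TRANSPARENT)
#define BINDANY_OPT IP_TRANSPARENT
#else
#error "no bind-to-foreign-address socket option available"
#endif

enum step { STEP_ADDR, STEP_SOCKET, STEP_SETSOCKOPT, STEP_BIND, STEP_CONNECT, STEP_OK };

struct result {
    enum step failed_at;   /* STEP_OK if every step succeeded */
    int err;               /* errno from the failing step, 0 otherwise */
    int fd;                /* socket descriptor, or -1 when none is open */
};

static int to_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sin->sin_addr) == 1 ? 0 : -1;
}

static struct result fail(struct result r, enum step s, int err)
{
    if (r.fd >= 0)
        close(r.fd);
    r.fd = -1;
    r.failed_at = s;
    r.err = err;
    return r;
}

/* socket + IP_BINDANY + bind to a (possibly foreign) source; does not connect */
static struct result bindany_socket(const char *src_ip, uint16_t src_port)
{
    struct result r = { STEP_OK, 0, -1 };
    struct sockaddr_in src;
    int one = 1;

    if (to_sockaddr(src_ip, src_port, &src) < 0)
        return fail(r, STEP_ADDR, EINVAL);
    r.fd = socket(AF_INET, SOCK_STREAM, 0);
    if (r.fd < 0)
        return fail(r, STEP_SOCKET, errno);
    /* Without this option, bind() to a non-local address fails with EADDRNOTAVAIL. */
    if (setsockopt(r.fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) < 0)
        return fail(r, STEP_SETSOCKOPT, errno);
    if (bind(r.fd, (struct sockaddr *)&src, sizeof src) < 0)
        return fail(r, STEP_BIND, errno);
    return r;
}

/* connect() the bound socket. A SYN-ACK that the stack refuses to accept
 * shows up here as a timeout while tcpdump shows the reply arriving. */
static struct result bindany_connect(struct result r, const char *dst_ip, uint16_t dst_port)
{
    struct sockaddr_in dst;

    if (r.failed_at != STEP_OK)
        return r;
    if (to_sockaddr(dst_ip, dst_port, &dst) < 0)
        return fail(r, STEP_ADDR, EINVAL);
    if (connect(r.fd, (struct sockaddr *)&dst, sizeof dst) < 0)
        return fail(r, STEP_CONNECT, errno);
    return r;
}

int main(void)
{
    static const char *names[] = { "address", "socket", "setsockopt(IP_BINDANY)",
                                   "bind", "connect", "ok" };
    struct result r = bindany_connect(bindany_socket("192.168.9.5", 7), "192.168.3.18", 7);
    char buf[16];

    if (r.failed_at != STEP_OK) {
        fprintf(stderr, "%s: %s\n", names[r.failed_at], strerror(r.err));
        if (r.failed_at == STEP_CONNECT)
            fprintf(stderr, "if tcpdump shows the SYN-ACK arriving, the stack dropped it;"
                            " see the ipfw fwd rule in the reply above\n");
        return 1;
    }
    if (write(r.fd, "ping\n", 5) == 5 && read(r.fd, buf, sizeof buf) > 0)
        puts("echo ok");
    close(r.fd);
    return 0;
}
```

Run it as root on the 192.168.3.83 box with tcpdump on re0. The state described in the question (netstat stuck in SYN_SENT, SYN-ACK visible on the wire) corresponds to the "connect" failure path here; per the reply above, the ipfw fwd rule keyed on the process uid is what makes the stack accept that SYN-ACK.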