> This kind of matche sthe Linux requirements, also needing routing setup
> to handle the diverted packets.
Indeed, some further googling led me to this thread:
http://kerneltrap.org/mailarchive/openbsd-misc/2009/3/14/5157684/thread
Although it dates from 2009, it seems it's still up to date.
> Um, without this which are broken for DNS? just the bridge itself?
Nope, only the client. i.e.: I can see in squid's debug output :
comm_udp_sendto: Attempt to send UDP packet to ...
In tcpdump I can see the reply's are also received. Obviously, using dig
to do a DNS lookup also works. On the other hand, a 'nslookup' on the client
fails with a timeout.
> I think this is expected.
> The non-diverted packets get bridged normally. But the diverted packets
> can't be bridged in the strictest definition of the word. They need to
> be passed to local machine socket and that means stepping up the stack
> layers through routing decisions. The machine also needs IPs assigned to
> receive ICMP / ICMPv6 control messages.
Well, it certainly makes sense, but in that case I can't explain how relayd
does it. In the initial setup, I had an IP assigned only on one
interface, mainly
for administrative purposes.
relayd works closely with PF, so perhaps some trickery happens at that point.
Marios
Received on Thu Mar 08 2012 - 11:06:16 MST
This archive was generated by hypermail 2.2.0 : Thu Mar 08 2012 - 12:00:06 MST