On 9/03/2012 12:06 a.m., Marios Makassikis wrote:
>> This kind of matche sthe Linux requirements, also needing routing setup
>> to handle the diverted packets.
> Indeed, some further googling led me to this thread:
> http://kerneltrap.org/mailarchive/openbsd-misc/2009/3/14/5157684/thread
>
> Although it dates from 2009, it seems it's still up to date.
>
>> Um, without this which are broken for DNS? just the bridge itself?
> Nope, only the client. i.e.: I can see in squid's debug output :
> comm_udp_sendto: Attempt to send UDP packet to ...
>
> In tcpdump I can see the reply's are also received. Obviously, using dig
> to do a DNS lookup also works. On the other hand, a 'nslookup' on the client
> fails with a timeout.
>
>> I think this is expected.
>> The non-diverted packets get bridged normally. But the diverted packets
>> can't be bridged in the strictest definition of the word. They need to
>> be passed to local machine socket and that means stepping up the stack
>> layers through routing decisions. The machine also needs IPs assigned to
>> receive ICMP / ICMPv6 control messages.
> Well, it certainly makes sense, but in that case I can't explain how relayd
> does it. In the initial setup, I had an IP assigned only on one
> interface, mainly
> for administrative purposes.
> relayd works closely with PF, so perhaps some trickery happens at that point.
>
>
>
> Marios
Cheers. So the patch works for IPv6.
Are you able to add IPv4 tests to that probe function and see if it
works on IPv4-only ports?
I'm happy to accept the patch, but would ideally like something that
covers IPv4 as well.
Amos
Received on Thu Mar 08 2012 - 13:00:16 MST
This archive was generated by hypermail 2.2.0 : Thu Mar 08 2012 - 12:00:06 MST