Hi,
I'm new here, so please excuse me if this is the wrong list.
I do have a problem with getting my relayd to work on an OpenBSD 4.7
bridge that's using pf as a firewall. My configuration is the following:

Internet <--> em2 <--> bridge (pf/relayd) <--> em1 <--> (two testservers)

Here's the relevant part of relayd.conf I want to debug:

table <test> { $commhost1 $commhost2 }
table <test2> { $commhost2 }

redirect test {
        listen on $commhost1 port 33333 interface em2
        tag RELAYD
        forward to <test2> check tcp
}

As you can see in the tcpdump below, the dst MAC does not change with the
redirection. So the packet gets routed to the wrong switch port.

First the inside interface, then the outside (lines truncated, sorry):

22:38_r...@backdoor:/etc# tcpdump -e -i em1 port 33333
tcpdump: listening on em1, link-type EN10MB
22:38:49.909273 00:19:a9:93:c5:80 00:15:17:0e:83:c9 ip 74:
pD9587F1A.dip.t-dialin.net.51864 > comm2.33333:
S 1827691053:1827691053(0) win 5840 <mss 1452,sackOK,timestamp 339616
0,nop,wscale 7>
22:38:52.919782 00:19:a9:93:c5:80 00:15:17:0e:83:c9 ip 74:
pD9587F1A.dip.t-dialin.net.51864 > comm2.33333:
S 1827691053:1827691053(0) win 5840 <mss 1452,sackOK,timestamp 339917
0,nop,wscale 7>
^C
2584 packets received by filter
0 packets dropped by kernel
22:39_r...@backdoor:/etc# tcpdump -e -i em2 port 33333
tcpdump: listening on em2, link-type EN10MB
22:39:53.753698 00:19:a9:93:c5:80 00:15:17:0e:83:c9 ip 74:
pD9587F1A.dip.t-dialin.net.51866 > comm.33333:
S 2830743421:2830743421(0) win 5840 <mss 1452,sackOK,timestamp 345999
0,nop,wscale 7> (DF)
22:39:56.754475 00:19:a9:93:c5:80 00:15:17:0e:83:c9 ip 74:
pD9587F1A.dip.t-dialin.net.51866 > comm.33333:
S 2830743421:2830743421(0) win 5840 <mss 1452,sackOK,timestamp 346300
0,nop,wscale 7> (DF)
^C
1679 packets received by filter
0 packets dropped by kernel

What am I doing wrong? Why is the dst MAC not changing? If you need more
information, please tell me. Below is the pf rule that gets generated by
relayd. I will try some "match in on em2 xxx rdr-to other.ip" type rules
later and tell you if they work.

Thanks,
Leon

pf rules created by relayd:

# pfctl -a "relayd/test" -s r
pass in quick on em2 inet proto tcp from any to COMMHOST1'sIP port =
33333 flags S/SA keep state (tcp.established 600) tag RELAYD rdr-to
<test> port 33333 round-robin

With the following in the table <test>:

# pfctl -a "relayd/test" -t test -T show
   130.149.58.168
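
The symptom in the captures above is that the IP destination differs between the two interfaces (comm on em2, comm2 on em1) while the Ethernet destination 00:15:17:0e:83:c9 is the same on both. The following is an added example, not code from the post or from relayd/pf: a small checker that re-joins mail-wrapped `tcpdump -e` records, parses the MAC/IP/port fields, and reports any destination MAC that carried frames to more than one IP destination. The em1/em2 captures embedded in it are constructed from the records quoted in the post; the "healthy" capture and its backend MAC 02:00:00:00:00:02 are invented for contrast.

```python
"""Check `tcpdump -e` captures for a redirect whose IP destination was
rewritten while the Ethernet destination was not.

Added example (not from the original post or from relayd/pf). The em1/em2
sample captures are constructed from the records quoted in the post; the
"healthy" capture and its backend MAC are made up for contrast.
"""
import re
from collections import defaultdict

# One `tcpdump -e` record as printed for an IP frame: timestamp, source MAC,
# destination MAC, "ip", frame length, then "srchost.sport > dsthost.dport:".
# Only this prefix is matched, so TCP flags/options and "(DF)" are ignored.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    rf"(?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+"
    r"ip\s+(?P<length>\d+):\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):",
    re.IGNORECASE,
)
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s")


def unwrap(text):
    """Re-join records that a mail client wrapped onto several lines.

    A record starts with a timestamp; any other non-empty line is treated as
    a continuation of the previous record. Header lines before the first
    record ("tcpdump: listening on ...") are dropped; trailer lines ("^C",
    "N packets received by filter") are folded into the last record, where
    the prefix-anchored regex simply ignores them.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse(text):
    """Return one dict (ts, src_mac, dst_mac, length, src, sport, dst, dport) per record."""
    return [m.groupdict() for m in map(RECORD_RE.match, unwrap(text)) if m]


def shared_dst_macs(captures):
    """Find Ethernet destinations that carried frames to more than one IP destination.

    `captures` maps an interface name to its raw `tcpdump -e` text. After a
    pf rdr-to on a bridge, frames to the rewritten destination should carry
    the backend's MAC. The same destination MAC showing up for both the
    original and the rewritten destination means the IP header was rewritten
    but the frame still leaves towards the old switch port.
    """
    hosts_by_mac = defaultdict(set)
    for text in captures.values():
        for pkt in parse(text):
            hosts_by_mac[pkt["dst_mac"].lower()].add(pkt["dst"])
    return {mac: sorted(hosts) for mac, hosts in hosts_by_mac.items() if len(hosts) > 1}


# Constructed from the post's captures, wrapped the way the mail was.
EM1_CAPTURE = """\
tcpdump: listening on em1, link-type EN10MB
22:38:49.909273 00:19:a9:93:c5:80 00:15:17:0e:83:c9 ip 74:
pD9587F1A.dip.t-dialin.net.51864 > comm2.33333:
S 1827691053:1827691053(0) win 5840 <mss 1452,sackOK,timestamp 339616
0,nop,wscale 7>
^C
2584 packets received by filter
0 packets dropped by kernel
"""
EM2_CAPTURE = """\
tcpdump: listening on em2, link-type EN10MB
22:39:53.753698 00:19:a9:93:c5:80 00:15:17:0e:83:c9 ip 74:
pD9587F1A.dip.t-dialin.net.51866 > comm.33333:
S 2830743421:2830743421(0) win 5840 <mss 1452,sackOK,timestamp 345999
0,nop,wscale 7> (DF)
^C
"""
# Invented "healthy" inside capture: the redirected frame carries a different
# (backend) MAC, so the check reports nothing. 02:00:00:00:00:02 is made up.
EM1_HEALTHY = """\
22:40:01.000000 00:19:a9:93:c5:80 02:00:00:00:00:02 ip 74:
pD9587F1A.dip.t-dialin.net.51870 > comm2.33333: S 1:1(0) win 5840
"""

if __name__ == "__main__":
    print(shared_dst_macs({"em1": EM1_CAPTURE, "em2": EM2_CAPTURE}))
    print(shared_dst_macs({"em1": EM1_HEALTHY, "em2": EM2_CAPTURE}))
```

Run against the post's two captures it reports 00:15:17:0e:83:c9 carrying frames for both comm and comm2, which is exactly the observation in the mail; against the invented healthy capture it reports nothing. Feeding it the output of `tcpdump -e -i em1` and `tcpdump -e -i em2` from the bridge gives the same check without reading MACs by eye.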
