> This kind of matches the Linux requirements, also needing routing setup
> to handle the diverted packets.

Indeed, some further googling led me to this thread: http://kerneltrap.org/mailarchive/openbsd-misc/2009/3/14/5157684/thread

Although it dates from 2009, it seems it's still up to date.

> Um, without this which are broken for DNS? Just the bridge itself?

Nope, only the client. I.e.: I can see in squid's debug output:

comm_udp_sendto: Attempt to send UDP packet to ...

In tcpdump I can see the replies are also received. Obviously, using dig to do a DNS lookup also works. On the other hand, an 'nslookup' on the client fails with a timeout.

> I think this is expected.
> The non-diverted packets get bridged normally. But the diverted packets
> can't be bridged in the strictest definition of the word. They need to
> be passed to a local machine socket and that means stepping up the stack
> layers through routing decisions. The machine also needs IPs assigned to
> receive ICMP / ICMPv6 control messages.

Well, it certainly makes sense, but in that case I can't explain how relayd does it. In the initial setup, I had an IP assigned only on one interface, mainly for administrative purposes. relayd works closely with PF, so perhaps some trickery happens at that point.

Marios
