On 9/03/2012 12:06 a.m., Marios Makassikis wrote:
This kind of matches the Linux requirements, also needing routing setup
to handle the diverted packets.
Indeed, some further googling led me to this thread:
http://kerneltrap.org/mailarchive/openbsd-misc/2009/3/14/5157684/thread

Although it dates from 2009, it seems it's still up to date.

Um, without this which are broken for DNS? just the bridge itself?
Nope, only the client, i.e. I can see in squid's debug output:
comm_udp_sendto: Attempt to send UDP packet to ...

In tcpdump I can see the replies are also received. Obviously, using dig
to do a DNS lookup also works. On the other hand, an 'nslookup' on the client
fails with a timeout.

I think this is expected.
The non-diverted packets get bridged normally. But the diverted packets
can't be bridged in the strictest definition of the word. They need to
be passed to local machine socket and that means stepping up the stack
layers through routing decisions. The machine also needs IPs assigned to
receive ICMP / ICMPv6 control messages.
Well, it certainly makes sense, but in that case I can't explain how relayd
does it. In the initial setup, I had an IP assigned only on one interface,
mainly for administrative purposes.
relayd works closely with PF, so perhaps some trickery happens at that point.

Marios

Cheers.  So the patch works for IPv6.

Are you able to add IPv4 tests to that probe function and see if it works on IPv4-only ports? I'm happy to accept the patch, but would ideally like something that covers IPv4 as well.

Amos
