On Thu, 15 Mar 2012 09:16:42 +0100
Alexander Bluhm <[email protected]> wrote:
> On Wed, Mar 14, 2012 at 03:32:08PM +0900, YASUOKA Masahiko wrote:
>> In ip_input(), there is a filter to disable all packets to 127.0.0.0/27.
>> That filter drops a packet that was a transport-mode ESP packet and
>> that has been redirected to 127.0.0.1 with pf `rdr-to' rule.
>> 
>> Below diff will fix the filter not to drop such packets.
>> 
>> ok? or comment?
>> 
>> The problem was found by Alexis san.  He is trying to configure npppd
>> and isakmpd to listen on 127.0.0.1 and pf to redirect packets to local
>> (carp) address with `rdr-to' rule.
> 
> Does it work when you use divert-to instead of rdr-to?

No, isakmpd can receive packets, but it sends a response with
127.0.0.1 as the source address.

  (tcpdump)
  19:10:51.428149 126.188.179.157.500 > xxx.yyy.64.141.500: isakmp
          v1.0 exchange ID_PROT
        cookie: 22c454df787e0fd2->0000000000000000 msgid: 00000000 len: 300
  19:10:51.428792 127.0.0.1.500 > 126.188.179.157.500: isakmp v1.0
          exchange ID_PROT
        cookie: 22c454df787e0fd2->3dc01659110fac07 msgid: 00000000 len: 180

  (pf.conf)
  pass in log on $ext_ifs proto udp to xxx.yyy.64.141 port 500 \
      divert-to 127.0.0.1 port 500
  pass in log on $ext_ifs proto udp to xxx.yyy.64.141 port 4500 \
      divert-to 127.0.0.1 port 4500

  (isakmpd.conf)
  [General]
  Listen-on=              127.0.0.1

I thought adding a divert hack to isakmpd may fix this problem, but
isakmpd won't be able to use xxx.yyy.64.141 as the source address
unless it binds xxx.yyy.64.141.

--yasuoka

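The symptom in the tcpdump excerpt above (reply sourced from 127.0.0.1 instead of the address the peer sent to) can be checked mechanically from a capture. This is an added example, not code from the thread or from OpenBSD; it parses tcpdump's isakmp lines, pairs packets by initiator cookie, and reports any response whose source address differs from the destination the initiator used. The sample text is constructed from the excerpt, keeping the author's `xxx.yyy.64.141` placeholder as an opaque string.

```python
import re

# Constructed sample, copied from the tcpdump excerpt in the mail above
# (line wrapping kept as it appears there).
SAMPLE_TCPDUMP = """\
19:10:51.428149 126.188.179.157.500 > xxx.yyy.64.141.500: isakmp
        v1.0 exchange ID_PROT
      cookie: 22c454df787e0fd2->0000000000000000 msgid: 00000000 len: 300
19:10:51.428792 127.0.0.1.500 > 126.188.179.157.500: isakmp v1.0
        exchange ID_PROT
      cookie: 22c454df787e0fd2->3dc01659110fac07 msgid: 00000000 len: 180
"""

# tcpdump prints "addr.port > addr.port: isakmp"; the last dot separates the port.
HDR = re.compile(r"^\S+\s+(\S+)\.(\d+) > (\S+)\.(\d+): isakmp")
COOKIE = re.compile(r"cookie: ([0-9a-f]{16})->([0-9a-f]{16})")


def parse_isakmp(text):
    """Return one dict per ISAKMP packet: src/dst address and the
    initiator cookie taken from the 'cookie:' line that follows the header."""
    pkts, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(3)}
            pkts.append(cur)
            continue
        c = COOKIE.search(line)
        if c and cur is not None:
            cur["icookie"] = c.group(1)
    return pkts


def find_source_mismatches(pkts):
    """Group packets by initiator cookie; the first packet records where the
    initiator sent it, and every later packet from the responder must be
    sourced from that same address. Returns (icookie, expected, actual)."""
    first_dst, bad = {}, []
    for p in pkts:
        ck = p.get("icookie")
        if ck is None:
            continue
        if ck not in first_dst:
            first_dst[ck] = p["dst"]
        elif p["src"] != first_dst[ck]:
            bad.append((ck, first_dst[ck], p["src"]))
    return bad
```

Run against a real capture with `tcpdump -n -v udp port 500` output; a non-empty result means the peer will see replies from an address it never talked to, which is exactly the divert-to problem described above.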