Tue, May 11, 2004 at 12:02:59, gul wrote about "[uanog] Re: ipfw q.":
But would packets that have passed through natd even hit this rule? AFAIU they end up being locally generated. Routing is recomputed for them anew, but the forwarding flag and the input interface are kept in the bookkeeping. Hmm... And how would I generate a packet and specify a source iface for it? How does natd do it? I thought packets there are built via a raw socket, but that is layer 3, and there is nowhere to specify the source iface. Or is it more complicated than just one packet leaving via divert to natd for good, and another being formed from natd as if anew?
man divert:

Diverted packets may be read unaltered via read(2), recv(2), or recvfrom(2). In the latter case, the address returned will have its port set to some tag supplied by the packet diverter, (usually the ipfw rule number) and the IP address set to the (first) address of the interface on which the packet was received (if the packet was incoming) or INADDR_ANY (if the packet was outgoing). The interface name (if defined for the packet) will be placed in the 8 bytes following the address, if it fits.

Writing to a divert socket is similar to writing to a raw IP socket; the packet is injected ``as is'' into the normal kernel IP packet processing and minimal error checking is done. Packets are written as either incoming or outgoing: if write(2) or send(2) is used to deliver the packet, or if sendto(2) is used with a destination IP address of INADDR_ANY, then the packet is treated as if it were outgoing, i.e., destined for a non-local address. Otherwise, the packet is assumed to be incoming and full packet routing is done. In the latter case, the IP address specified must match the address of some local interface, or an interface name must be found after the IP address. If an interface name is found, that interface will be used and the value of the IP address will be ignored (other than the fact that it is not INADDR_ANY). This is to indicate on which interface the packet ``arrived''.

Normally, packets read as incoming should be written as incoming; similarly for outgoing packets. When reading and then writing back packets, passing the same socket address supplied by recvfrom(2) unmodified to sendto(2) simplifies things (see below).

-netch-

===================================================================
uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua
with "unsubscribe uanog" in the body of the message
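An added example, not from the thread or from natd's source: a C divert-socket passthrough that decodes the address recvfrom(2) fills exactly as the quoted divert(4) text describes (port = rule tag, INADDR_ANY = outgoing, interface name in the 8 bytes after the address) and builds the sendto(2) address that makes an injected packet count as having arrived on a named interface. The divert port 8668 and the interface names are assumptions, and the length check takes "if it fits" conservatively as "fits together with its NUL".

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
/* What the sockaddr_in returned by recvfrom(2) on a divert socket encodes. */
struct divert_tag {
    int      incoming;  /* 1 if read as incoming, 0 if outgoing */
    unsigned rule;      /* tag set by the diverter, usually the ipfw rule number */
    char     ifname[9]; /* receive interface name, NUL-terminated copy */
};

struct divert_tag decode_divert_tag(const struct sockaddr_in *sin)
{
    struct divert_tag t = {0, 0, {0}};
    t.rule = ntohs(sin->sin_port);
    t.incoming = sin->sin_addr.s_addr != htonl(INADDR_ANY); /* INADDR_ANY: outgoing */
    memcpy(t.ifname, sin->sin_zero, 8); /* the 8 bytes after the address; may lack a NUL */
    return t;
}

/* sendto(2) address: inject as if arrived on `ifname`, or as outgoing if NULL; -1 if too long. */
int make_divert_addr(struct sockaddr_in *sin, const char *ifname)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    if (ifname == NULL)
        return 0;                                   /* sin_addr stays INADDR_ANY */
    if (strlen(ifname) >= sizeof sin->sin_zero)
        return -1;                                  /* no room for the NUL */
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* any non-INADDR_ANY value */
    memcpy(sin->sin_zero, ifname, strlen(ifname));  /* the kernel uses this name */
    return 0;
}
#ifdef IPPROTO_DIVERT /* FreeBSD only: pass diverted packets through, tag intact */
int main(void) {
    struct sockaddr_in sin; socklen_t len; unsigned char pkt[65535]; ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    make_divert_addr(&sin, NULL); sin.sin_port = htons(8668); /* assumed divert port */
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {
        len = sizeof sin;
        if ((n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&sin, &len)) < 0) break;
        struct divert_tag t = decode_divert_tag(&sin);
        printf("%s rule %u if '%s' %zd bytes\n", t.incoming ? "in " : "out", t.rule, t.ifname, n);
        sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&sin, len); /* same address, same direction */
    }
    perror("recvfrom"); return 1;
}
#endif
```

This is the mechanism the quoted message asks about: a userland process marks a packet as having arrived on an interface not through a raw IP socket but through the interface name carried in the divert socket address.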