Subject: Re: ipfilter policy-routing problem
To: None <current-users@netbsd.org>
From: Mihai Chelaru <kefren@netbsd.ro>
List: current-users
Date: 05/28/2002 12:45:17
Hello again,

Can anyone confirm this? Should I send-pr?

Thanks,
Mihai

On Sunday 26 May 2002 13:17, Mihai Chelaru wrote:
> Hello,
>
> I have 3 machines configured like this:
>
> A: rtk0: 192.168.0.1/24
>    vmnet1: 172.16.212.1/24
> B: rtk0: 192.168.0.2/24
> C: vmnet1: 172.16.212.2/24
>
> Both B & C have the default route in A.
>
> I wanted to do some policy routing using IPF so I did the following:
>
> B:
> # ifconfig lo0 100.100.100.100 netmask 255.0.0.0 alias
> # route add 100.0.0.0 -netmask 255.0.0.0 100.100.100.100
>
> A:
> I added the following line in the ipf config:
> block in quick on vmnet1 to rtk0:192.168.0.2 from 172.16.212.2/32 to 100.0.0.0/8
>
> C:
> # ping 100.100.100.100
> PING 100.100.100.100 (100.100.100.100): 56 data bytes
> 64 bytes from 100.100.100.100: icmp_seq=58 ttl=254 time=0.713 ms
> ^C^C
> ----100.100.100.100 PING Statistics----
> 98 packets transmitted, 1 packets received, 99.0% packet loss
> round-trip min/avg/max/stddev = 0.713/0.713/0.713/0.000 ms
>
> Meanwhile I tcpdump-ed all three interfaces (vmnet on C, rtk on both A & B)
> and I saw that ipfilter is doing the correct thing. It routes the packets
> from C to B. On B I saw that the packets were reaching the interface. But
> nothing else. Only echo requests, no echo replies. I saw a single echo reply
> dropped on that interface that reached back to C.
>
> I removed the filters on A and did:
> # route add 100.0.0.0 -netmask 255.0.0.0 192.168.0.2
> and everything worked fine.
>
> So, what could be the problem? Why is B responding differently to the
> kernel routing interface generated packets and why is it responding
> differently to the ipfilter generated packets? Why is it responding correctly
> to 1% of packets?
>
> Thank you,
> Mihai