|
Ji Dong
09/17/2009 5:03 AM
post38135
|
I am trying to config the Packet filter to redirect all the UDP packet come to the perticular IP address spcesfied port
ot another IP address another port.
For example, I want :
all the UDP packet to en0 IP address 192.168.1.1 port 60000
redirect to
IP address 192.168.3.255 port 50000
(basically change a unicast to broad cast)
what I have done is:
1. first "mount -Ttcpip lsm-pf-v4.so"
2. edit /etc/pf.conf to:
ext_if="en0"
rdr pass on $ext_if inet proto udp from any to 192.168.1.1 port 60000 -> 169.254.3.255 port 50000
3. when I run: "pfctl -f /etc/pf.conf -vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"
it feed back as:
No ALTQ support in kernel
ALTQ related functions disabled
Loaded 345 passive OS fingerprints
ext_if = "tsec0"
@0 rdr pass on en0 inet proto udp from any to 192.168.1.1 port = 60000 -> 169.254.3.255 port 50000
After that
I start wireshark & another software purely send out UDP packet
after I send a udp message to 192.168.1.1 port 60000, the wirehark captrue that ICMP the destination port is unreachable
.
am I missing anything? I think this should be straight away:(
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/17/2009 1:37 PM
post38197
|
Re: Packet filter questions
Hi Ji,
From a high level, AFAIU, the translated UDP packets will be delivered
to the stack and processed as incoming again.
If you wanted the redirected packets to be sent out on a wire, then you
should make sure your IP forwarding flag is on. If forwarding is on,
then I'd expect the packet to be attempted to be delivered locally (i.e.
see if destination matches an address assigned to the interface) or be
forwarded. If forwarding is off, then I'd expect the packet to be
attempted locally only.
However, you're translating to a destination address under the prefix
169.254.0.0/16 which is reserved as link-local, see
http://iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
Link-local packets should stay link-local, so setting up forwarding of
that isn't really ok.
A node that receives the redirected UDP packet will try to match it
against its open UDP sockets. If there are no matching sockets, then you
should expect to see the the port unreachable ICMP error that you are
seeing.
I suggest you check the UDP stats and ICMP stats to see what is
happening in the local stack. And (if forwarding was what you wanted)
that you check forwarding stats to see if there are any unroutable
packets dropped. And if you did expect a matching socket to receive the
packet, then check what opened sockets you have using netstat.
Hope this helps!
/P
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/17/2009 2:00 PM
post38198
|
Re: Packet filter questions
i.e. in your rule:
> rdr pass on $ext_if inet proto udp from any to 192.168.1.1 port 60000 -> 169.254.3.255 port 50000
169.254.3.255 is technically not a broadcast because it is out of a /16, so 169.254.255.255 would be its broadcast.
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/18/2009 4:00 AM
post38247
|
Re: Packet filter questions
> i.e. in your rule:
> > rdr pass on $ext_if inet proto udp from any to 192.168.1.1 port 60000 -> 169
> .254.3.255 port 50000
>
> 169.254.3.255 is technically not a broadcast because it is out of a /16, so
> 169.254.255.255 would be its broadcast.
Hi Patrik :
I have forced to configure the IP to 169.254.3.1/24, see the result of ifconfig
# ifconfig tsec1
tsec1: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
capabilities rx=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
capabilities tx=0
enabled=0
address: 00:20:ce:e0:00:31
media: Ethernet none
inet 169.254.1.15 netmask 0xffffff00 broadcast 169.254.1.255
So I guess the broadcast 169.254.1.255
as I understand(may be mistake), the broadcast address is depend on how you subneting, however, if use a old protocol,
RIPv1 for example, it will use the default netmask, but if use the later version, should be fine.
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/18/2009 10:38 AM
post38301
|
Re: Packet filter questions
Ji Dong wrote:
>> i.e. in your rule:
>>
>>> rdr pass on $ext_if inet proto udp from any to 192.168.1.1 port 60000 -> 169
>>>
>> .254.3.255 port 50000
>>
>> 169.254.3.255 is technically not a broadcast because it is out of a /16, so
>> 169.254.255.255 would be its broadcast.
>>
>
>
> Hi Patrik :
> I have forced to configure the IP to 169.254.3.1/24, see the result of ifconfig
> # ifconfig tsec1
> tsec1: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> capabilities rx=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
> capabilities tx=0
> enabled=0
> address: 00:20:ce:e0:00:31
> media: Ethernet none
> inet 169.254.1.15 netmask 0xffffff00 broadcast 169.254.1.255
>
> So I guess the broadcast 169.254.1.255
>
Yes, the subnetting you've used will cause 169.254.1.255 to become a
broadcast address.
> as I understand(may be mistake), the broadcast address is depend on how you subneting, however, if use a old protocol,
RIPv1 for example, it will use the default netmask, but if use the later version, should be fine.
Not sure whether, or even if, there should be a difference depending on
RIP version. I don't believe there should.
Back to your original question however, you may have to turn on IP
directed broadcast if you want this packet to get forwarded. See sysctl
for net.inet.ip.directed-broadcast. I believe this is turned off by
default, a DoS security issue, hence probably why you don't see it come
out the wire again after the pf translation.
Hope this helps!
/P
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/24/2009 7:57 AM
post38630
|
Re: Packet filter questions
> Ji Dong wrote:
> >> i.e. in your rule:
> >>
> >>> rdr pass on $ext_if inet proto udp from any to 192.168.1.1 port 60000 ->
> 169
> >>>
> >> .254.3.255 port 50000
> >>
> >> 169.254.3.255 is technically not a broadcast because it is out of a /16, so
>
> >> 169.254.255.255 would be its broadcast.
> >>
> >
> >
> > Hi Patrik :
> > I have forced to configure the IP to 169.254.3.1/24, see the result of
> ifconfig
> > # ifconfig tsec1
> > tsec1: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> > capabilities rx=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
> > capabilities tx=0
> > enabled=0
> > address: 00:20:ce:e0:00:31
> > media: Ethernet none
> > inet 169.254.1.15 netmask 0xffffff00 broadcast 169.254.1.255
> >
> > So I guess the broadcast 169.254.1.255
> >
>
> Yes, the subnetting you've used will cause 169.254.1.255 to become a
> broadcast address.
>
> > as I understand(may be mistake), the broadcast address is depend on how you
> subneting, however, if use a old protocol, RIPv1 for example, it will use the
> default netmask, but if use the later version, should be fine.
>
> Not sure whether, or even if, there should be a difference depending on
> RIP version. I don't believe there should.
>
> Back to your original question however, you may have to turn on IP
> directed broadcast if you want this packet to get forwarded. See sysctl
> for net.inet.ip.directed-broadcast. I believe this is turned off by
> default, a DoS security issue, hence probably why you don't see it come
> out the wire again after the pf translation.
>
> Hope this helps!
> /P
Thanks Patrik :
You are right, I have not enable net.inet.ip.directed-broadcast, however, after I enable this option, the pf is still
not working as previously.
I have changed 169.254/16 IP address to 192.168.x/24 range, but things still not improved.
I have used "netstat -p udp"
the line:
12 dropped due to no socket
is increment by 1 every time I send the message to 60000
and I have use a software listen to port 50000, so I guess, the packet have been dropped due to no socket.
I have write a simple process just monitor 60000 port, and redirect to broad cast, as a temp solution. however, I am
still interested how to make pf works
Cheer
Ji
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/24/2009 10:01 AM
post38651
|
Re: Packet filter questions
Hi,
What about 'netstat -p ip'? And what UDP sockets are reported in plain
'netstat'?
/P
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/24/2009 10:16 AM
post38652
|
Re: Packet filter questions
> Hi,
>
> What about 'netstat -p ip'? And what UDP sockets are reported in plain
> 'netstat'?
>
> /P
I am use:
# netstat -p udp
udp:
25 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
2 dropped due to no socket
0 broadcast/multicast datagrams dropped due to no socket
0 dropped due to full socket buffers
23 delivered
13 PCB hash misses
26 datagrams output
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/24/2009 11:44 AM
post38669
|
Re: Packet filter questions
Yes, can you please send the output of 'netstat -p ip' and 'netstat'?
Maybe there are some clues there.
/P
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/24/2009 11:54 AM
post38671
|
Re: Packet filter questions
> Yes, can you please send the output of 'netstat -p ip' and 'netstat'?
> Maybe there are some clues there.
> /P
# netstat -p ip
ip:
739 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped (out of ipqent)
0 malformed fragments dropped
0 fragments dropped after timeout
0 packets reassembled ok
694 packets for this host
0 packets for unknown/unsupported protocol
65 packets forwarded (0 packets fast forwarded)
12 packets not forwardable
33 redirects sent
0 packets no matching gif found
711 packets sent from this host
50 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
8 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 datagrams with bad address in header
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/25/2009 1:53 PM
post38801
|
Re: Packet filter questions
Hi, do you mind sending the output of 'netstat' command?
/P
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/28/2009 4:15 AM
post38849
|
Re: Packet filter questions
> Hi, do you mind sending the output of 'netstat' command?
> /P
of cause:
# netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.3.12.8000 192.168.3.254.1439 ESTABLISHED
tcp 0 0 192.168.3.12.8000 192.168.3.254.1438 ESTABLISHED
tcp 0 0 *.phrelay *.* LISTEN
tcp 0 0 *.pidinsig *.* LISTEN
tcp 0 0 *.pidinenv *.* LISTEN
tcp 0 0 *.pidinarg *.* LISTEN
tcp 0 0 *.pidinmem *.* LISTEN
tcp 0 0 *.pidin *.* LISTEN
tcp 0 0 169.254.1.12.domain *.* LISTEN
tcp 0 0 192.168.3.12.domain *.* LISTEN
tcp 0 0 127.0.0.1.domain *.* LISTEN
tcp 0 0 *.telnet *.* LISTEN
tcp 0 0 *.ftp *.* LISTEN
tcp 0 0 *.sunrpc *.* LISTEN
tcp 0 0 *.time *.* LISTEN
tcp 0 0 *.http *.* LISTEN
tcp 0 0 *.8000 *.* LISTEN
udp 0 0 *.* *.*
udp 0 0 192.168.3.12.snmp *.*
udp 0 0 *.50000 *.*
udp 0 0 *.60000 *.*
udp 0 0 *.65531 *.*
udp 0 0 169.254.1.12.domain *.*
udp 0 0 *.tftp *.*
udp 0 0 192.168.3.12.domain *.*
udp 0 0 *.1023 *.*
udp 0 0 127.0.0.1.domain *.*
udp 0 0 *.route *.*
udp 0 0 *.time *.*
udp 0 0 *.1022 *.*
udp 0 0 *.syslog *.*
udp 0 0 *.* *.*
udp 0 0 *.sunrpc *.*
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
48153578 stream 0 0 48157708 0 0 0 var/run/ndc
48153530 stream 0 0 481575f8 0 0 0 var/run/rpcbind.sock
I can't find pkfilter information, however, here is my ifconfig output:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
inet 127.0.0.1 netmask 0xff000000
tsec0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
capabilities rx=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
capabilities tx=0
enabled=0
address: 00:20:ce:e0:00:30
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.3.12 netmask 0xffffff00 broadcast 192.168.3.255
tsec1: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 16 mtu 1500
capabilities rx=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
capabilities tx=0
enabled=0
address: 00:20:ce:e0:00:31
media: Ethernet none
inet 169.254.1.12 netmask 0xffffff00 broadcast 169.254.1.255
pflog0: flags=0 mtu 33192
I am working on a MPC8313 Target, and running the BSP modified from freescale MPC8313 BSP 6.4.0 package
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/28/2009 12:59 PM
post38902
|
Re: Packet filter questions
> I can't find pkfilter information,
You can display statistics using the pfctl utility, see:
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/pfctl.html
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/30/2009 3:38 AM
post39038
|
Re: Packet filter questions
Hi
What I have done:
1. mount -Ttcpip lsm-pf-v4.so
2. edit "/etc/pf.conf"
ext_if="tsec0"
rdr pass on $ext_if inet proto udp from any to any port 60000 -> 192.168.1.255 port 50000
Note: That is the only two line in my pf.conf
3.pfctl -f /etc/pf.conf -vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
the out put on terminal is:
No ALTQ support in kernel
ALTQ related functions disabled
Loaded 345 passive OS fingerprints
ext_if = "tsec0"
@0 rdr pass on tsec0 inet proto udp from any to any port = 60000 -> 192.168.1.255 port 50000
Note: I guess the last line shows the redirect have been loaded
4. netstat
output is:
# netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *.phrelay *.* LISTEN
tcp 0 0 192.168.3.12.8000 192.168.3.254.2348 ESTABLISHED
tcp 0 0 *.pidinsig *.* LISTEN
tcp 0 0 *.pidinenv *.* LISTEN
tcp 0 0 *.pidinarg *.* LISTEN
tcp 0 0 192.168.3.12.8000 192.168.3.254.2347 ESTABLISHED
tcp 0 0 *.pidinmem *.* LISTEN
tcp 0 0 *.pidin *.* LISTEN
tcp 0 0 169.254.1.12.domain *.* LISTEN
tcp 0 0 192.168.3.12.domain *.* LISTEN
tcp 0 0 127.0.0.1.domain *.* LISTEN
tcp 0 0 *.telnet *.* LISTEN
tcp 0 0 *.ftp *.* LISTEN
tcp 0 0 *.sunrpc *.* LISTEN
tcp 0 0 *.http *.* LISTEN
tcp 0 0 *.time *.* LISTEN
tcp 0 0 *.8000 *.* LISTEN
udp 0 0 *.* *.*
udp 0 0 192.168.3.12.snmp *.*
udp 0 0 *.50000 *.*
udp 0 0 *.60000 *.*
udp 0 0 *.65531 *.*
udp 0 0 169.254.1.12.domain *.*
udp 0 0 *.tftp *.*
udp 0 0 *.1023 *.*
udp 0 0 192.168.3.12.domain *.*
udp 0 0 127.0.0.1.domain *.*
udp 0 0 *.route *.*
udp 0 0 *.time *.*
udp 0 0 *.1022 *.*
udp 0 0 *.syslog *.*
udp 0 0 *.* *.*
udp 0 0 *.sunrpc *.*
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
48153578 stream 0 0 48157708 0 0 0 var/run/ndc
48153530 stream 0 0 481575f8 0 0 0 var/run/rpcbind.sock
As you have seen last time, there is no pf filter listening on relevant port.
Have I missing anything?
>
> > I can't find pkfilter information,
> You can display statistics using the pfctl utility, see:
> http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/pfctl.html
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/30/2009 9:11 AM
post39063
|
Re: Packet filter questions
>>> I can't find pkfilter information,
>>>
>> You can display statistics using the pfctl utility, see:
>> http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/pfctl.html
>>
I should have been clearer. Try some of the pfctl command options which
output statistics about which rules are hit. E.g. see the documentation
link above and look for example at -v and -s, . There are also examples,
e.g. -vvsTables and -vTshow.
Hope this helps!
/P
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/30/2009 9:37 AM
post39068
|
Re: Packet filter questions
Thanks Patrik:
I have try to use pfctrl to display some informations, however, it is not really helpful. the out put always:
No ALTQ support in kernel
ALTQ related functions disabled
I have listed some of my tryings and output:
# pfctl -vvsTables
No ALTQ support in kernel
ALTQ related functions disabled
# pfctl -vvsstate
No ALTQ support in kernel
ALTQ related functions disabled
# pfctl -vvTshow
No ALTQ support in kernel
ALTQ related functions disabled
usage: pfctl [-AdeghmNnOoqRrvz] [-a anchor] [-D macro=value] [-F modifier]
[-f file] [-i interface] [-k host] [-p device] [-s modifier]
[-t table -T command [address ...]] [-x level]
It seems every command I used from the help file it will output:
No ALTQ support in kernel
ALTQ related functions disabled
I have no idea what ALTQ is, and what is ALTQ related functions.
The version of pfctrl is:
NAME=pfctl
DESCRIPTION=Control the packet filter and network address translation device
DATE=2008/10/20-23:17:01-EDT
STATE=Stable
HOST=trunkbuild
USER=builder
VERSION=6.4.0
the version of lib is:
NAME=lsm-pf-v4.so
DESCRIPTION=Packet Filter loadable stack module.
DATE=2008/10/20-22:48:38-EDT
STATE=Stable
HOST=trunkbuild
USER=builder
VERSION=6.4.0
>
> >>> I can't find pkfilter information,
> >>>
> >> You can display statistics using the pfctl utility, see:
> >> http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/pfctl.html
> >>
>
> I should have been clearer. Try some of the pfctl command options which
> output statistics about which rules are hit. E.g. see the documentation
> link above and look for example at -v and -s, . There are also examples,
> e.g. -vvsTables and -vTshow.
>
> Hope this helps!
> /P
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/30/2009 10:09 AM
post39071
|
Re: Packet filter questions
> It seems every command I used from the help file it will output:
> No ALTQ support in kernel
> ALTQ related functions disabled
>
> I have no idea what ALTQ is, and what is ALTQ related functions.
>
You can safely ignore the messages about ALTQ, since for what you're
doing you don't need and are not trying to use it.
/P
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/30/2009 4:42 PM
post39138
|
Re: Packet filter questions
> # pfctl -vvsstate
> No ALTQ support in kernel
> ALTQ related functions disabled
>
There doesn't seem to be any state created by translations. It is as if
pf isn't enabled or doesn't match the packets you send...
What does 'pfctl -vvs all' say before and directly after sending
packets? (note: the state times out) Is there any rules evaluated?
A shot in the dark, did you do 'pfctl -e' to enable the rules???
Other things to try:
Perhaps try is to tcpdump on the pflog0 interface to see what packets
are hitting the pf:
http://netbsd.gw.com/cgi-bin/man-cgi?pflog+4+NetBSD-4.0
Try slaying inetd, portmap, dhcp.client and any other process that's
using UDP sockets (see pidin fds as root).
Could try adding '-x loud' when you're loading the filter rules file.
Not sure where the "loud" debug goes though...
/P
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
10/01/2009 3:58 AM
post39155
|
Re: Packet filter questions
Hi Patrik:
> A shot in the dark, did you do 'pfctl -e' to enable the rules???
I have not use "pfctl -e" to enable the rules, now pf work correctly as I expected, Thanks a lot for your help.
|
|
|
|
|
|
Xiaodan Tang(deleted)
|
RE: Packet filter questions
|
|
Xiaodan Tang(deleted)
09/30/2009 9:25 AM
post39066
|
RE: Packet filter questions
> -----Original Message-----
> From: Ji Dong [mailto:community-noreply@qnx.com]
> Sent: September 30, 2009 3:38 AM
> To: technology-networking
> Subject: Re: Packet filter questions
[snip]
> As you have seen last time, there is no pf filter listening on
relevant
> port.
>
> Have I missing anything?
Packet filter works by exam ALL the packets going through him, if a
packet match one of the pattern/rule, it take certain action.
It does not open any socket, nor will it "listen on a port".
-xtang
|
|
|
|
|
|
Ji Dong
|
Re: Packet filter questions
|
|
Ji Dong
09/18/2009 3:56 AM
post38246
|
Re: Packet filter questions
> Hi Ji,
>
> From a high level, AFAIU, the translated UDP packets will be delivered
> to the stack and processed as incoming again.
>
> If you wanted the redirected packets to be sent out on a wire, then you
> should make sure your IP forwarding flag is on. If forwarding is on,
> then I'd expect the packet to be attempted to be delivered locally (i.e.
> see if destination matches an address assigned to the interface) or be
> forwarded. If forwarding is off, then I'd expect the packet to be
> attempted locally only.
>
> However, you're translating to a destination address under the prefix
> 169.254.0.0/16 which is reserved as link-local, see
> http://iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
> Link-local packets should stay link-local, so setting up forwarding of
> that isn't really ok.
>
> A node that receives the redirected UDP packet will try to match it
> against its open UDP sockets. If there are no matching sockets, then you
> should expect to see the the port unreachable ICMP error that you are
> seeing.
>
> I suggest you check the UDP stats and ICMP stats to see what is
> happening in the local stack. And (if forwarding was what you wanted)
> that you check forwarding stats to see if there are any unroutable
> packets dropped. And if you did expect a matching socket to receive the
> packet, then check what opened sockets you have using netstat.
>
> Hope this helps!
> /P
Hi Patrik:
Thanks for your quick respones.
Our network will be for local use only, it will never expose to internet, and our device have 2 Ethernet port, so my
plan is:
1.Use 192.168.xxx.xxx/24 as our routeable network.
2. Use 169.254.0.0/16 as local net
I understand for link-local address, as per iana, there are a lot of limitation for that, for example, it is not
routeable, however, I find it seems not comply to QNX implmentation.
I have do a small test, I enable RIP2 for both port, and I can see the interesting thing is the routing table is
updating on the other side, and I can send a package form one port and route though the other port to go to another
device.
Then I guess these sort of address is depend on configuration of routed for example. without these special configuration
, the TCP/IP stack will treated as no more than a normal IP addresses.
For this feature, I possiblely can rely on some comercial router to stop our local net spread out our device group.(not
sure if this is a correct way to do it, however, it looks work in our project)
Because I have enable RIP2, and it can route, so I am quite sure, the ipforward is enabled
BTW: can you suggest how can I check forwarding stats? I have use pfctrl in a vebose mode, but there is no such
forwarding stats come on my screen.
|
|
|
|
|
|
Xiaodan Tang(deleted)
|
RE: Packet filter questions
|
|
Xiaodan Tang(deleted)
09/18/2009 7:47 AM
post38257
|
RE: Packet filter questions
Hello,
Is it your goal to make the link-local address (169.254) to talk to
192.168?
The "autoip" module (lsm-autoip.so) is designed to auto assign
link-local and make sure a link-local address would be able to talk to a
local LAN address. (As per Link-Local required)
Just thought I should mention this.
-xtang
> -----Original Message-----
> From: Ji Dong [mailto:community-noreply@qnx.com]
> Sent: September 18, 2009 3:56 AM
> To: technology-networking
> Subject: Re: Packet filter questions
>
> > Hi Ji,
> >
> > From a high level, AFAIU, the translated UDP packets will be
delivered
> > to the stack and processed as incoming again.
> >
> > If you wanted the redirected packets to be sent out on a wire, then
you
> > should make sure your IP forwarding flag is on. If forwarding is on,
> > then I'd expect the packet to be attempted to be delivered locally
(i.e.
> > see if destination matches an address assigned to the interface) or
be
> > forwarded. If forwarding is off, then I'd expect the packet to be
> > attempted locally only.
> >
> > However, you're translating to a destination address under the
prefix
> > 169.254.0.0/16 which is reserved as link-local, see
> >
http://iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
> > Link-local packets should stay link-local, so setting up forwarding
of
> > that isn't really ok.
> >
> > A node that receives the redirected UDP packet will try to match it
> > against its open UDP sockets. If there are no matching sockets, then
you
> > should expect to see the the port unreachable ICMP error that you
are
> > seeing.
> >
> > I suggest you check the UDP stats and ICMP stats to see what is
> > happening in the local stack. And (if forwarding was what you
wanted)
> > that you check forwarding stats to see if there are any unroutable
> > packets dropped. And if you did expect a matching socket to receive
the
> > packet, then check what opened sockets you have using netstat.
> >
> > Hope this helps!
> > /P
>
>
> Hi Patrik:
>
> Thanks for your quick respones.
> Our network will be for local use only, it will never expose to
internet,
> and our device have 2 Ethernet port, so my plan is:
> 1.Use 192.168.xxx.xxx/24 as our routeable network.
> 2. Use 169.254.0.0/16 as local net
> I understand for link-local address, as per iana, there are a lot of
> limitation for that, for example, it is not routeable, however, I find
it
> seems not comply to QNX implmentation.
> I have do a small test, I enable RIP2 for both port, and I can see the
> interesting thing is the routing table is updating on the other side,
and
> I can send a package form one port and route though the other port to
go
> to another device.
> Then I guess these sort of address is depend on configuration of
routed
> for example. without these special configuration, the TCP/IP stack
will
> treated as no more than a normal IP addresses.
> For this feature, I possiblely can rely on some comercial router to
stop
> our local net spread out our device group.(not sure if this is a
correct
> way to do it, however, it looks work in our project)
>
> Because I have enable RIP2, and it can route, so I am quite sure, the
> ipforward is enabled
>
> BTW: can you suggest how can I check forwarding stats? I have use
pfctrl
> in a vebose mode, but there is no such forwarding stats come on my
screen.
>
>
>
>
>
>
>
>
> _______________________________________________
>
> Technology
> http://community.qnx.com/sf/go/post38246
|
|
|
|
|
|
Ji Dong
|
Re: RE: Packet filter questions
|
|
Ji Dong
09/18/2009 9:14 AM
post38268
|
Re: RE: Packet filter questions
Hi Xiaodan :
I am useing Freescale MPC8313 BSP v6.4.0, and I have not include lsm-autoip.so lib. and all ip address is fixed assigned
I have tried to change (169.254) to 192.168.1.255, and it is still not working, exact the same as I have seen for (169.
254) :(
Ji
> Hello,
>
> Is it your goal to make the link-local address (169.254) to talk to
> 192.168?
>
> The "autoip" module (lsm-autoip.so) is designed to auto assign
> link-local and make sure a link-local address would be able to talk to a
> local LAN address. (As per Link-Local required)
>
> Just thought I should mention this.
>
> -xtang
>
|
|
|
|
|
|
Patrik Lahti
|
Re: Packet filter questions
|
|
Patrik Lahti
09/18/2009 10:16 AM
post38286
|
Re: Packet filter questions
> Our network will be for local use only, it will never expose to internet,
It is not about whether you expose it to the Internet or not. (it'll
just get dropped anyways).
Link-local does not mean "local to your site". It means it is intended
to stay on the link - i.e. not leave the ethernet segment. Just like
IPv6 link-local addresses work (fe80::/10).
> and our device have 2 Ethernet port, so my plan is:
> 1.Use 192.168.xxx.xxx/24 as our routeable network.
> 2. Use 169.254.0.0/16 as local net
> I understand for link-local address, as per iana, there are a lot of limitation for that, for example, it is not
routeable, however, I find it seems not comply to QNX implmentation.
> I have do a small test, I enable RIP2 for both port, and I can see the interesting thing is the routing table is
updating on the other side, and I can send a package form one port and route though the other port to go to another
device.
>
There's nothing wrong with the QNX implementation. If you configure
io-pkt to route 169.254.0.0/16 somewhere, then it will obey that
configuration. Unlike IPv6 link-local addresses, IPv4 link-locals did
not exist in the original specs and were added later so there is no
requirement on stacks to treat them specially.
I'm saying what you're doing is a misconfiguration unless you have some
very specific (and peculiar) requirements :-) I can't comment on it
further without knowing your particular requirements but it sounds like
you should be using private addressing.
> Then I guess these sort of address is depend on configuration of routed for example. without these special
configuration, the TCP/IP stack will treated as no more than a normal IP addresses.
>
Yes, that's the design intent.
> For this feature, I possiblely can rely on some comercial router to stop our local net spread out our device group.
(not sure if this is a correct way to do it, however, it looks work in our project)
>
> Because I have enable RIP2, and it can route, so I am quite sure, the ipforward is enabled
>
> BTW: can you suggest how can I check forwarding stats? I have use pfctrl in a vebose mode, but there is no such
forwarding stats come on my screen.
>
Please see the documentation for the netstat command (e.g. netstat -p
ip) here:
http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/n/netstat.html
/P
|
|
|
|
|
|
