On Jul 03, 2013, Blair Zajac wrote:

> On 7/3/13 8:23 PM, Michael Rash wrote:
> > On Jul 03, 2013, Blair Zajac wrote:
> >> On 6/11/13 2:35 PM, Michael Rash wrote:
> >>> On Jun 11, 2013, Blair Zajac wrote:
> >>>> On 6/10/13 8:12 PM, Michael Rash wrote:
> >>> Now, the above assumes that the test suite is working properly to begin
> >>> with on your system, and the previous output you sent makes me suspect
> >>> that you may need to adjust your local ipfw policy to accept traffic
> >>> over the loopback interface since fwknopd didn't appear to receive any
> >>> SPA traffic.
> >>
> >> Yup, appears like that. What do you suggest to test this correctly?
> >
> > Perhaps adding a rule like "ipfw 00010 allow all from any to any via lo0"
> > would work? You can test with tcpdump and netcat - the following
> > scenario works, then the fwknop test suite should also work I think:
>
> This doesn't work:
>
> # ipfw 00010 allow all from any to any via lo0
> ipfw: bad command `allow'

Bleh, sorry, was quoting the wrong ipfw syntax (list output vs. new rule).
Although I don't have a system where I can test this, it should be
something like "ipfw add 00010 set 1 pass udp from any to me dst-port 62201"
and then make sure packets to set 1 can be seen via loopback (I think).

> > # tcpdump -i lo0 -l -nn -s 0 -X port 62201
> > # echo "test" | nc -u 127.0.0.1 62201
>
> This works with no ipfw changes:
>
> # tcpdump -i lo0 -l -nn -s 0 -X port 62201
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
> 20:54:42.886619 IP 127.0.0.1.64601 > 127.0.0.1.62201: UDP, length 5
> 0x0000: 4500 0021 1bb4 0000 4011 0000 7f00 0001 E..!....@.......
> 0x0010: 7f00 0001 fc59 f2f9 000d fe20 7465 7374 .....Y......test
> 0x0020: 0a .
> ^C
> 1 packets captured
> 2 packets received by filter
> 0 packets dropped by kernel

Ok, I wonder if there is a link level issue here in fwknopd related to the
BSD equivalent of the Linux 'cooked' interface or something like that. I
need to get a Mac. :)

> > If you see the packet in the tcpdump output, then ipfw is not in the
> > way, and hence fwknop traffic should also be seen by fwknopd over
> > loopback.
>
> BTW, if you want to punt on PPC support, that's fine with me. I have a
> patched 2.0.4 that works. I'm hoping to get the next generation of
> MacBook Pro, whenever that is, so the x86_64 version should work.

Ok, I'd like to get it working, but it may need to wait until 2.5.1.

Thanks,

--Mike

> Blair
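The thread relies on reading the tcpdump -X hex dump by eye to confirm that the netcat datagram reached lo0 on port 62201. The following is an added example, not code from the thread or from fwknop, that performs that decode programmatically over the quoted hex lines (embedded here as constructed input): it rebuilds the raw bytes, unpacks the IPv4 and UDP headers, and cross-checks both length fields against the captured byte count.

```python
import struct

# Constructed test input: the three "0x...." lines from the tcpdump -X output
# quoted in the thread, copied verbatim (offset column, hex groups, ASCII gutter).
TCPDUMP_X_OUTPUT = """\
0x0000: 4500 0021 1bb4 0000 4011 0000 7f00 0001 E..!....@.......
0x0010: 7f00 0001 fc59 f2f9 000d fe20 7465 7374 .....Y......test
0x0020: 0a .
"""

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump -X lines: "<offset>: <hex groups> <ascii>".
    Hex groups are consumed until the 16-byte line width is reached or a token that
    is not an even-length hex string appears (the start of the ASCII gutter)."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.startswith("0x"):
            continue                      # skip tcpdump's summary lines
        line_bytes = bytearray()
        for tok in line.split()[1:]:      # [0] is the offset column
            is_hex = len(tok) % 2 == 0 and all(c in "0123456789abcdef" for c in tok)
            if not is_hex or len(line_bytes) >= 16:
                break
            line_bytes += bytes.fromhex(tok)
        raw += line_bytes
    return bytes(raw)

def parse_ipv4_udp(pkt):
    """Decode IPv4 + UDP headers (IHL honoured, options not interpreted)."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:total_len]
    # Both length fields must agree with what was captured; a mismatch means a
    # truncated capture (hence -s 0 in the thread) or a mis-transcribed dump.
    if total_len != len(pkt) or udp_len != 8 + len(payload):
        raise ValueError("length fields do not match captured bytes")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "sport": sport, "dport": dport, "payload": payload,
    }

def decode_capture(dump=TCPDUMP_X_OUTPUT):
    return parse_ipv4_udp(hexdump_to_bytes(dump))
```

For the quoted dump this yields 127.0.0.1:64601 to 127.0.0.1:62201 with the 5-byte payload "test\n", matching tcpdump's summary line.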
