From: Joe Barbish
To: freebsd-gnats-submit@FreeBSD.org
Date: Mon, 8 Apr 2002 12:37:48 -0700 (PDT)
Message-Id: <200204081937.g38JbmH21424@freefall.freebsd.org>
Subject: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state

>Number: 36895
>Category: kern
>Synopsis: natd does not function correctly when ipfw rules use check-state/keep-state
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 08 12:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Joe Barbish
>Release: 4.4 Release
>Organization: n/a
>Environment:
>Description:
I have an ipfw firewall rule set that exclusively uses the advanced stateful keep-state option. The rule set functions correctly (i.e. dynamic rules get built) when I use the nat feature of user ppp.

When I compile the ipdivert option into the kernel, enable the divert options in rc.conf, and add the divert rule to the ipfw rules, my ipfw firewall stops working. All the packets get rejected by the default deny-everything rule at the end of the rule set. If I use stateless and simple stateful rules instead of advanced stateful rules, then the divert rule works OK. It acts like the divert function's packet handoff to natd has a problem when the new keep-state option is used.
>How-To-Repeat:
Build your own keep-state rule set and test.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: