Date: Sat, 17 Nov 2007 16:15:36 -0800
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: freebsd-net@freebsd.org
Subject: ipfw and netgraph confusion
Message-ID: <20071118001536.GG43532@hal.rescomp.berkeley.edu>
Hello,

I'm trying to use the ng_nat node on 6.2. I have one set of IP -> ng cookie mappings in tables and a single default mapping for anything that doesn't match the tables.

The first case, using tables, is the "Authenticated" case:

| /sbin/ipfw add netgraph tablearg all from "table(4)" to any in via \
| vlan88
| 01040 netgraph tablearg ip from table(4) to any in via vlan88
| /sbin/ipfw add netgraph tablearg all from any to "table(3)" in via \
| vlan665
| 01060 netgraph tablearg ip from any to table(3) in via vlan665
| /sbin/ipfw table 4 list
| 10.8.62.255/32 200065132
| /sbin/ipfw table 3 list
| 169.229.65.132/32 100065132

This case works great. I inserted some count log rules and see that the src and dst IP addresses are being altered as I would expect.

When I fall back to the default case for "Unauthenticated" users:

| /sbin/ipfw add netgraph 100079145 all from 10.8.0.0/18 to any in \
| via vlan88
| 01230 netgraph 5673 ip from 10.8.0.0/18 to any in via vlan88
| /sbin/ipfw add netgraph 200079145 all from any to 169.229.79.145
| 01240 netgraph 63273 ip from any to 169.229.79.145

Notice the netgraph cookies here are 100079145 and 200079145. These are the same values I used with ng_ctl. The resulting ipfw rules say the cookies are 5673 and 63273. After matching the netgraph rules in this case, the src and dst IP addresses are logged unchanged. This leads me to believe ipfw sent them to non-existent nodes. The behavior I'm witnessing indicates that indeed, these packets have not been NATed.

Troubleshooting a bit, I noticed that if I change the constant numbers to 10 and 20, things work exactly as expected. I'm going to venture a guess that when a netgraph cookie is parsed on the commandline, it's interpreted as a 16-bit int, but when you're using tableargs, 32-bit ints work.

This inconsistent behavior is a bit confusing (and led me to a couple hours of frustrated debugging). Anyone else aware of this problem? Should I file a PR?

Thanks,
--
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
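The 16-bit truncation the poster suspects exactly reproduces the installed cookie numbers (100079145 mod 65536 is 5673, 200079145 mod 65536 is 63273). The following is an added example, not code from the post or from ipfw: it models that narrowing as an assumption and adds the pre-flight range check an operator would want before installing a rule that must reach a specific netgraph node.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed model of the command-line parse path: a 32-bit cookie stored
 * into a 16-bit field keeps only its low 16 bits. This is a constructed
 * illustration of the poster's hypothesis, not the actual ipfw code. */
uint16_t truncate_cookie_u16(uint32_t cookie) {
    return (uint16_t)(cookie & 0xFFFFu);
}

/* Parse a decimal cookie string as an unsigned 32-bit value (the width
 * netgraph cookies actually have). Returns 1 on success, 0 on any
 * malformed or out-of-range input. */
int parse_cookie_u32(const char *s, uint32_t *out) {
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v > 0xFFFFFFFFul)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Pre-flight check: a cookie survives a 16-bit field unchanged only if it
 * is at most 65535. Anything larger would silently address a different
 * (likely non-existent) node and packets would bypass the NAT. */
int cookie_fits_u16(uint32_t cookie) {
    return cookie <= 0xFFFFu;
}

int main(void) {
    /* Constructed sample: the cookies from the post plus the small values
     * that were observed to work. */
    const char *cookies[] = { "100079145", "200079145", "10", "20" };
    for (size_t i = 0; i < sizeof cookies / sizeof cookies[0]; i++) {
        uint32_t c;
        if (!parse_cookie_u32(cookies[i], &c)) {
            printf("%s: not a valid 32-bit cookie\n", cookies[i]);
            continue;
        }
        printf("%s -> rule would carry %u%s\n", cookies[i],
               (unsigned)truncate_cookie_u16(c),
               cookie_fits_u16(c) ? "" : "  (TRUNCATED: wrong node)");
    }
    return 0;
}
```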
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071118001536.GG43532>