Date:      Sat, 17 Nov 2007 16:15:36 -0800
From:      Christopher Cowart <ccowart@rescomp.berkeley.edu>
To:        freebsd-net@freebsd.org
Subject:   ipfw and netgraph confusion
Message-ID:  <20071118001536.GG43532@hal.rescomp.berkeley.edu>

Hello,

I'm trying to use the ng_nat node on 6.2.

I have one set of IP -> ng cookie mappings in tables and a single
default mapping for anything that doesn't match the tables.

The first case, using tables, is the "Authenticated" case:
| /sbin/ipfw add netgraph tablearg all from "table(4)" to any in via \
|   vlan88
| 01040 netgraph tablearg ip from table(4) to any in via vlan88
| /sbin/ipfw add netgraph tablearg all from any to "table(3)" in via \
|   vlan665
| 01060 netgraph tablearg ip from any to table(3) in via vlan665
| /sbin/ipfw table 4 list
| 10.8.62.255/32 200065132
| /sbin/ipfw table 3 list
| 169.229.65.132/32 100065132

This case works great. I inserted some count log rules and see that the
src and dst IP addresses are being altered as I would expect.

When I fall back to the default case for "Unauthenticated" users:
| /sbin/ipfw add netgraph 100079145 all from 10.8.0.0/18 to any in \
|     via vlan88
| 01230 netgraph 5673 ip from 10.8.0.0/18 to any in via vlan88
| /sbin/ipfw add netgraph 200079145 all from any to 169.229.79.145
| 01240 netgraph 63273 ip from any to 169.229.79.145

Notice the netgraph cookies here are 100079145 and 200079145. These are
the same values I used with ng_ctl. The resulting ipfw rules say the
cookies are 5673 and 63273. After matching the netgraph rules in this
case, the src and dst IP addresses are logged unchanged. This leads me
to believe ipfw sent them to non-existent nodes. The behavior I'm
witnessing indicates that indeed, these packets have not been NATed.

Troubleshooting a bit, I noticed that if I change the constant numbers
to 10 and 20, things work exactly as expected. I'm going to venture a
guess that when a netgraph cookie is parsed on the commandline, it's
interpreted as a 16-bit int, but when you're using tableargs, 32-bit
ints work. This inconsistent behavior is a bit confusing (and led me to
a couple hours of frustrated debugging). Anyone else aware of this
problem? Should I file a PR?

Thanks,

-- 
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
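Added example, not part of the post or of ipfw itself: a small C program that models the 16-bit narrowing Chris suspects and reproduces the cookie values the installed rules displayed (5673 and 63273) from the ones typed (100079145 and 200079145), plus a check that flags a cookie that would not survive the narrowing before the rule is loaded. The 16-bit field width is the post's hypothesis, assumed here rather than confirmed against the ipfw source.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothesis from the post, assumed here: a cookie typed on the ipfw
 * command line ends up in a 16-bit rule field, so only the low 16 bits
 * reach the kernel and the packet is handed to a different (likely
 * non-existent) node, i.e. it silently bypasses NAT. */
#define COOKIE_FIELD_MAX UINT16_MAX

/* The value a 16-bit rule field would carry for a given cookie. */
uint16_t cookie_as_rule_arg(uint32_t cookie)
{
    return (uint16_t)(cookie & 0xFFFFu);
}

/* Pre-flight check for a cookie string before putting it in a rule.
 * Returns -1 for a malformed number, 0 when the value fits the field,
 * and 1 when it would be narrowed (the failure mode described above). */
int cookie_fits(const char *text)
{
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v > UINT32_MAX)
        return -1;
    return (v > COOKIE_FIELD_MAX) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs taken from the post: the two cookies that did
     * not work and the two small ones that did. */
    const char *cookies[] = { "100079145", "200079145", "10", "20" };
    for (size_t i = 0; i < sizeof cookies / sizeof cookies[0]; i++) {
        int rc = cookie_fits(cookies[i]);
        if (rc < 0) {
            printf("%s: not a valid cookie\n", cookies[i]);
        } else if (rc == 1) {
            uint32_t full = (uint32_t)strtoul(cookies[i], NULL, 10);
            printf("%s: exceeds 16 bits, rule would carry %u\n",
                   cookies[i], cookie_as_rule_arg(full));
        } else {
            printf("%s: fits\n", cookies[i]);
        }
    }
    return 0;
}
```

Run against the two large cookies it reports exactly the 5673 and 63273 that appeared in the rule listing, which is what a 16-bit wraparound of those values gives.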
