Date: Wed, 21 Jul 2010 21:36:44 GMT
From: Spil <spil.oss@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/148827: [ipfw] divert broken with in-kernel ipfw
Message-ID: <201007212136.o6LLaiD1062469@www.freebsd.org>
Resent-Message-ID: <201007212140.o6LLe4H9016599@freefall.freebsd.org>
>Number:         148827
>Category:       kern
>Synopsis:       [ipfw] divert broken with in-kernel ipfw
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 21 21:40:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Spil
>Release:        8.1 Release
>Organization:
>Environment:
FreeBSD gw.example.org 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Wed Jul 21 06:55:14 CEST 2010
>Description:
Migrating from 8.0 to 8.1 using a recipe similar to
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
"30.6.5.7 An Example NAT and Stateful Ruleset" breaks NAT.

The culprits are the ipfw rules

    $cmd 100 divert natd ip from any to any in via $pif
    $cmd 500 divert natd ip from any to any out via $pif

This no longer results in the NATting as on 8.0. As of 8.1 it must be

    $cmd 100 divert natd ip4 from any to any in via $pif
    $cmd 500 divert natd ip4 from any to any out via $pif

The man page specifically states for proto:

    ip | all    Matches any packet.

but obviously for 8.1 it doesn't (in a divert rule?).
>How-To-Repeat:
In-kernel ipfw
Usage of natd
proto 'ip' in the rule body
>Fix:
change proto from ip to ip4 in divert natd ipfw rules
>Release-Note:
>Audit-Trail:
>Unformatted:
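The workaround the report describes (change the protocol keyword of every "divert natd" rule from "ip" to "ip4") is mechanical, so an administrator migrating a handbook-style ruleset can apply and verify it with a script before reloading the firewall. The following is an added example, not code from the report or from FreeBSD: it reads a ruleset in the handbook's "$cmd ... via $pif" shell style, rewrites the protocol field of divert rules to "ip4", and counts how many divert rules still use the generic keyword. The sample ruleset is constructed for the example. It goes slightly beyond the report by also treating "all", which the quoted man page lists as a synonym of "ip", the same way; that "all" misbehaves identically is an assumption, not something the report states.

```shell
#!/bin/sh
# Added example (not part of the PR): rewrite ipfw "divert natd" rules that use
# the generic "ip" (or "all") protocol keyword into the explicit "ip4" form the
# report found necessary on 8.1. Other rules pass through untouched.

# Constructed sample ruleset in the handbook style (not the reporter's file).
SAMPLE_RULES='cmd="ipfw -q add"
pif="em0"
$cmd 100 divert natd ip from any to any in via $pif
$cmd 200 allow ip from any to any via lo0
$cmd 500 divert natd all from any to any out via $pif
$cmd 600 allow tcp from any to any out via $pif setup keep-state'

# Print only divert rules whose protocol field is the generic ip/all keyword.
# Rule shape matched: [$cmd] <number> divert <port-or-name> <proto> from ...
list_generic_divert_rules() {
    grep -E '^\$?[a-z]* *[0-9]+ +divert +[a-z0-9]+ +(ip|all) +from '
}

# Rewrite those rules so the protocol is ip4; everything else is left alone.
rewrite_divert_proto() {
    sed -E 's/^(\$?[a-z]* *[0-9]+ +divert +[a-z0-9]+ +)(ip|all)( +from )/\1ip4\3/'
}

# Number of divert rules in the given ruleset text that still use ip/all.
# Run this on the rewritten ruleset and expect 0 before loading it.
count_generic_divert_rules() {
    printf '%s\n' "$1" | list_generic_divert_rules | wc -l | tr -d ' '
}

# Apply the rewrite to the sample and show the corrected ruleset.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | rewrite_divert_proto)
printf '%s\n' "$FIXED_RULES"
echo "generic divert rules before: $(count_generic_divert_rules "$SAMPLE_RULES")"
echo "generic divert rules after:  $(count_generic_divert_rules "$FIXED_RULES")"
```

To use it on a real ruleset script, run `rewrite_divert_proto < /etc/ipfw.rules > /etc/ipfw.rules.new`, confirm `count_generic_divert_rules` reports 0 for the new file, and diff the two before swapping them in. The non-divert "allow ip" rule is deliberately left as "ip", since the report only observed the problem on divert rules.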