Message-Id: <200803260944.m2Q9iahr029153@www.freebsd.org>
Date: Wed, 26 Mar 2008 09:44:36 GMT
From: Mikhail Dyadchenko
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/122109: ipfw nat traceroute problem

>Number:         122109
>Category:       kern
>Synopsis:       ipfw nat traceroute problem
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 26 09:50:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mikhail Dyadchenko
>Release:        7.0-STABLE
>Organization:   SibSet LTD
>Environment:
FreeBSD lo0.ru 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat Mar 22 12:14:16 NOVT 2008 root@lo0.ru:/usr/obj/usr/src/sys/lo0 amd64
>Description:
Problem in NAT'ing traceroute icmp answers.

traceroute to ya.ru (213.180.204.8), 64 hops max, 52 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * ^C

Tcpdump on the interface shows icmp packets to/from all hops on the trace.
Then I put a rule to skipto icmp traffic over the nat rules - I got answers.
So probably packets are dropped in kernel libalias or in ipfw nat.

net.inet.ip.fw.one_pass: 0

Problem detected after migration from natd + divert.
Traceroute from the internal network works fine.
Kernel compiled after csup src-all
>How-To-Repeat:
nve0 - external interface

ipfw output:

ipfw nat 400 config ip xxx.xxx.xxx.xxx same_ports

09500        64         3971 skipto 65000 icmp from any to any
10000  20464225  25206636648 nat 400 ip from 10.1.255.0/28 to any via nve0
10100  13407049   3332989310 nat 400 ip from any to xxx.xxx.xxx.xxx via nve0
10200        30         1200 deny ip from not xxx.xxx.xxx.xxx to any out xmit nve0
65000 181231789 158968737448 allow ip from any to any

Then I remove the 09500 rule - icmp packets die on the nat rule.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
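
Added example, not part of the original report and not ipfw code: a simplified first-match walk over the posted ruleset, showing which rule hands an inbound ICMP reply from a traceroute hop to `nat 400` with and without rule 09500. The addresses `203.0.113.10` (standing in for xxx.xxx.xxx.xxx) and `198.51.100.1` are constructed; the model parses only the syntax in the posted rules, does not rewrite addresses, and assumes a packet that matched a nat rule continues at the next rule, as with one_pass=0.

```python
import ipaddress
EXT = "203.0.113.10"  # constructed stand-in for the report's xxx.xxx.xxx.xxx
HOP = "198.51.100.1"  # constructed address of a router on the traced path
# Rules copied from the report, packet/byte counters removed.
RULESET = f"""09500 skipto 65000 icmp from any to any
10000 nat 400 ip from 10.1.255.0/28 to any via nve0
10100 nat 400 ip from any to {EXT} via nve0
10200 deny ip from not {EXT} to any out xmit nve0
65000 allow ip from any to any"""

def parse(line):
    """Parse only the rule syntax that appears in the report."""
    t = line.split()
    n = 3 if t[1] in ("skipto", "nat") else 2  # these actions take a number
    body = t[n + 1:]                            # from SRC to DST [options]
    to = body.index("to")
    return {"num": int(t[0]), "action": t[1], "arg": int(t[2]) if n == 3 else None,
            "proto": t[n], "src": body[1:to], "dst": body[to + 1:to + 2], "opts": body[to + 2:]}

def addr_ok(spec, ip):
    hit = spec[-1] == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec[-1])
    return hit != (spec[0] == "not")            # a leading "not" inverts the match

def matches(r, p):
    o = r["opts"]
    if o[:1] == ["via"] and o[1] != p["iface"]:
        return False
    if o[:2] == ["out", "xmit"] and (p["dir"], p["iface"]) != ("out", o[2]):
        return False
    return (r["proto"] in ("ip", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"]))

def walk(rules, pkt):
    """(number, action) of each matching rule with one_pass=0; addresses are not rewritten."""
    path, i = [], 0
    while i < len(rules):
        r = rules[i]
        i += 1                                  # nat falls through to the next rule
        if matches(r, pkt):
            path.append((r["num"], r["action"]))
            if r["action"] in ("allow", "deny"):
                break                           # terminal action ends the walk
            if r["action"] == "skipto":
                i = next(j for j, x in enumerate(rules) if x["num"] >= r["arg"])
    return path

RULES = [parse(line) for line in RULESET.splitlines()]
REPLY = {"proto": "icmp", "src": HOP, "dst": EXT, "dir": "in", "iface": "nve0"}
print(walk(RULES, REPLY), walk(RULES[1:], REPLY), sep="\n")
```

The second walk drops rule 09500 and shows the reply entering NAT at rule 10100, the rule the report's skipto bypasses.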