Subject: Re: Questions about ipfw's dynamic rules' dyn_keepalive
From: Andrea Venturoli <ml@netfence.it>
To: "Andrey V. Elsukov", freebsd-net@freebsd.org, wishmaster
Date: Thu, 5 Jul 2018 08:39:09 +0200
In-Reply-To: <25e56a77-8374-d273-0b5e-2f11c1b03ff8@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 04/03/18 12:54, Andrey V. Elsukov wrote:
> On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>>> Can anybody give any hint about the above behaviours or point me to good
>>> documentation? The man page is very brief on this, unfortunately.
>>
>> Hi,
>>
>> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
>> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
>> keep-alive packets have a private source address, because they do not go
>> through the NAT rule. And because of this the remote host drops them without
>> reply. Since there are no replies to keep-alive requests, a state times
>> out.
>
> You can try this patch:
>
> https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
>
> It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, which can
> control the behavior of the M_SKIP_FIREWALL flag.
>

Hello.

Now that this patch applies cleanly to 11.2, I tried it.
After setting net.inet.ip.fw.bypass_own_packets to 0, I ran the same tests again: unfortunately nothing seems to have changed... I only see keep-alive packets when there's no NAT or FWD rule involved.

Is anything more required besides patching, recompiling the kernel and tuning the sysctl?
Perhaps this setting must be done on boot and cannot be enabled later or something like that?

For wishmaster:
Since you said it works for you, can I ask which FreeBSD version you tested this on? Do you have any other patch or specific setup? How did you test this?

Thanks a lot to anyone.

Andrea Venturoli
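The two things the thread leaves a reader wanting to verify are (a) whether the patched kernel with its bypass_own_packets knob is actually the one running, with keep-alives enabled, and (b) whether keep-alives seen on the outside interface still carry the un-NATed private source address Andrey describes. The script below is an added example, not code from the thread or from the ipfw_bypass_own_packets patch: the sysctl names net.inet.ip.fw.dyn_keepalive, net.inet.ip.fw.dyn_ack_lifetime and net.inet.ip.fw.bypass_own_packets are real (the last one only exists with the patch applied), while the sysctl and tcpdump text it parses is constructed, the 10.1.2.18 host is taken from the message headers, and the check functions are hypothetical names. On a real host, replace the here-strings with live `sysctl` output and a `tcpdump -ni <outside-if> tcp` capture.

```shell
#!/bin/sh
# Added example, not from the thread: two offline checks for the symptom
# discussed above. Sample inputs are constructed; on a real host feed in
#   sysctl net.inet.ip.fw.dyn_keepalive net.inet.ip.fw.bypass_own_packets
# and a capture from the outside interface (tcpdump -ni <if> tcp) instead.

# Constructed sysctl output from a host running the patched kernel.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.bypass_own_packets: 0'

# Constructed sysctl output from an unpatched kernel (no bypass knob at all).
SAMPLE_UNPATCHED='net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_ack_lifetime: 300'

# Constructed tcpdump lines from the outside interface: an un-NATed keep-alive
# (private source, empty ACK) next to a normally translated data packet.
SAMPLE_CAPTURE='08:39:16.100000 IP 10.1.2.18.51234 > 203.0.113.5.443: Flags [.], ack 1, win 1024, length 0
08:39:16.200000 IP 198.51.100.7.51234 > 203.0.113.5.443: Flags [P.], seq 1:101, ack 1, win 1024, length 100'

# sysctl_value NAME TEXT: print NAME's value from sysctl-style TEXT, fail if absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k ":" { print $2; f = 1 } END { exit !f }'
}

# check_keepalive_prereqs TEXT: 0 when keep-alives are on and no longer bypass
# the rule set; a distinct non-zero code for each thing that is still missing.
check_keepalive_prereqs() {
    ka=$(sysctl_value net.inet.ip.fw.dyn_keepalive "$1") ||
        { echo "dyn_keepalive sysctl missing: is ipfw loaded?"; return 2; }
    bp=$(sysctl_value net.inet.ip.fw.bypass_own_packets "$1") ||
        { echo "bypass_own_packets sysctl absent: patched kernel is not the running one"; return 3; }
    [ "$ka" = 1 ] ||
        { echo "dyn_keepalive=$ka: keep-alives are disabled"; return 4; }
    [ "$bp" = 0 ] ||
        { echo "bypass_own_packets=$bp: keep-alives still skip NAT/FWD rules"; return 5; }
    echo "ok: keep-alives enabled and pass through the rule set"
}

# is_private_ipv4 ADDR: RFC 1918 test; such a source on the outside
# interface is the un-NATed keep-alive the thread describes.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# leaked_keepalive_sources TEXT: private source addresses of empty ACK
# packets in tcpdump TEXT, one per line, deduplicated.
leaked_keepalive_sources() {
    printf '%s\n' "$1" |
    while read -r _ts proto src _arrow _dst _flagsw flags rest; do
        [ "$proto" = IP ] || continue
        [ "$flags" = "[.]," ] || continue                      # bare ACK only
        case "$rest" in *"length 0") ;; *) continue ;; esac    # no payload
        ip=${src%.*}                                            # strip port suffix
        if is_private_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done | sort -u
}

check_keepalive_prereqs "$SAMPLE_SYSCTL"
check_keepalive_prereqs "$SAMPLE_UNPATCHED" || true
echo "un-NATed keep-alive sources seen on the outside interface:"
leaked_keepalive_sources "$SAMPLE_CAPTURE"
```

The first check answers the question of whether anything beyond the sysctl is needed at the most basic level: if the bypass_own_packets node is absent, the patched kernel is not the one booted. The second check turns Andrey's explanation into something observable, since a keep-alive that left with a private source address will never be answered by the remote host and the dynamic rule will still expire.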