From: Lytochkin Boris
To: Max Laier
Cc: freebsd-net@freebsd.org
Date: Tue, 8 Dec 2009 00:14:39 +0300
Subject: Re: FreeBSD 8: ipfw fwd and pf route-to broken?
In-Reply-To: <200912072040.56524.max@love2party.net>

Oops, everything is OK with route-to and reply-to in pf, my bad.
Config for my situation must be like this:

scrub in all fragment reassemble
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.70.128.254) inet from any to 10.70.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.71.128.254) inet from any to 10.71.128.0/24 flags S/SA keep state
pass in quick reply-to (em0 10.72.128.254) inet from any to 10.72.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state

Otherwise incoming traffic would create keep-state with "pass in" and would not go down to route-to rules. Or use per-interface keep states.

On Mon, Dec 7, 2009 at 10:40 PM, Max Laier wrote:
> On Friday 04 December 2009 09:47:37 Lytochkin Boris wrote:
>> It seems that FreeBSD 8 has ipfw fwd and pf's route-to malfunctioning:
>> 1) ipfw fwd
>> a) net.inet.ip.forwarding = 0
>>    Packets altered by fwd rule are silently dropped somewhere
>> between ip_output() checking forward tag and bpf (tcpdump does not
>> show these packets)
>> b) net.inet.ip.forwarding = 1
>>    Packets altered by fwd rule are forwarded according to normal
>> routing table (in my case they were forwarded to default gateway), not
>> fwd statement
>>
>> 2) pf route-to
>> Both values of net.inet.ip.forwarding replicate case 1b.
>>
>> Sample configs
>>
>> 1) ipfw
>> add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
>> add 65534 allow ip from any to any
>>
>> 2) pf
>> scrub in all fragment reassemble
>> pass in all flags S/SA keep state
>> pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24
>> to any flags S/SA keep state
>
> I cannot reproduce this. My (cursory) test on a r197983 install suggests that
> route-to is working as it should. Your rules are a bit strange and might
> result in asymmetric states that can result in dropped tcp-sessions, but the
> basic route-to is correct. Can you share more details about your setup:
> netstat -rnfinet, pfctl -vvsr (after passing some traffic that was supposed to
> hit the route-to rule) and how exactly your default gateway and the
> alternative router are connected to your pf-box?
>
> Thanks in advance.
>
> --
>  Max
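As an added example that is not part of this thread or of pf itself: a small Python lint encoding the lesson above, namely that a stateful "pass in" rule without reply-to claims the session before any "pass out route-to" rule is consulted, and that a reply-to rule needs quick so a later catch-all cannot win on last-match. The rulesets inside are constructed after the ones posted here, and the parser assumes address fields are literal IPv4 hosts or networks (no macros, tables or interface names).

```python
import ipaddress
import re
# Constructed rulesets modelled on the thread, not the poster's files verbatim.
# BROKEN: the catch-all "pass in" creates the state, so the reply matches that
# state and never reaches "pass out route-to"; it follows the routing table.
BROKEN = """
pass in all flags S/SA keep state
pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state
"""
# FIXED: reply-to on the state-creating inbound rule, quick so the catch-all cannot win.
FIXED = """
pass in quick reply-to (em0 10.60.128.254) inet from any to 10.60.128.0/24 flags S/SA keep state
pass in quick all flags S/SA keep state
"""
ADDR = re.compile(r"\bfrom (\S+) to (\S+)")
ROUTE = re.compile(r"\b(route-to|reply-to) \((\S+) (\S+)\)")

def net(token):
    """'any'/'all' cover everything; otherwise a literal IPv4 host or network
    (assumption: no macros, tables or interface names in address fields)."""
    if token in ("any", "all"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)

def parse(text):
    # Reduce each pass rule to the fields audit() needs; other lines are ignored.
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line.startswith("pass"):
            continue
        words, m, r = line.split(), ADDR.search(line), ROUTE.search(line)
        src, dst = (net(m.group(1)), net(m.group(2))) if m else (net("all"), net("all"))
        rules.append({"dir": words[1], "quick": "quick" in words, "route": r.group(1) if r else None,
                      "state": "state" in words and "no state" not in line, "src": src, "dst": dst})
    return rules

def audit(text):
    """Warn where pf state matching or rule order will bypass route-to/reply-to."""
    rules, warnings = parse(text), []
    for i, r in enumerate(rules):
        if r["route"] == "route-to" and r["dir"] == "out":
            # A stateful inbound rule without reply-to claims the session first.
            if any(s["dir"] == "in" and s["state"] and s["route"] is None
                   and s["dst"].overlaps(r["src"]) for s in rules):
                warnings.append(f"route-to for {r['src']}: shadowed by stateful 'pass in' without reply-to")
        if r["route"] == "reply-to" and r["dir"] == "in" and not r["quick"]:
            # Without quick the last matching rule wins, so a later 'pass in' drops the reply-to.
            if any(s["dir"] == "in" and s["route"] is None and s["dst"].overlaps(r["dst"]) for s in rules[i + 1:]):
                warnings.append(f"reply-to for {r['dst']}: overridden by a later 'pass in', add quick")
    return warnings
```

audit(BROKEN) reports the shadowed route-to rule, audit(FIXED) returns no findings.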