Date: Thu, 12 Aug 2010 11:15:35 GMT
From: Alexander Apanasenko <apanasis@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/149572: ipfw kernel nat not working properly
Message-ID: <201008121115.o7CBFZiY051076@www.freebsd.org>
Resent-Message-ID: <201008121120.o7CBK1BJ058489@freefall.freebsd.org>
>Number:         149572
>Category:       kern
>Synopsis:       ipfw kernel nat not working properly
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 12 11:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Apanasenko
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD gate100.bis 8.1-RELEASE FreeBSD 8.1-RELEASE #1: Tue Aug 10 11:25:07 MSD 2010     apanas@gate100.bis:/usr/obj/usr/src/sys/GATE  i386
>Description:
After upgrading from 8.0-RELEASE to 8.1-RELEASE, IPFW kernel nat rules do not work.

The nat config in ipfw is:

  ipfw nat 1 config if fxp2 log deny_in same_ports reset

Rules:

  ...
  20700 nat 1 ip from any to any via fxp2
  29900 deny ip from any to any

  sysctl net.inet.ip.fw.one_pass
  net.inet.ip.fw.one_pass: 1

fxp2 is the external interface.

In 8.0-RELEASE these rules work fine:

  20700 12221 1314739 nat 1 ip from any to any via fxp2
  29900     0       0 deny ip from any to any

but in 8.1 all packets matched by rule 20700 do not leave the firewall and continue on to rule 29900:

  20700     0    5847 nat 1 ip from any to any via fxp2
  29900     0    6023 deny ip from any to any
>How-To-Repeat:
On an 8.1-RELEASE system with the kernel ipfw options

  options IPFIREWALL
  options IPFIREWALL_VERBOSE
  options IPFIREWALL_VERBOSE_LIMIT=100
  options IPFIREWALL_FORWARD
  options IPFIREWALL_NAT
  options IPDIVERT
  options DUMMYNET
  options LIBALIAS

and sysctl net.inet.ip.fw.one_pass=1, do:

  ipfw add allow ip from any to any via int_iface
  ipfw add nat 1 ip from any to any via ext_iface
  ipfw nat 1 config if ext_iface same_ports
  ipfw add deny ip from any to any

and you can see that all packets, after aliasing on the nat 1 rule, go to the deny rule.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
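The following is an added example and not part of the PR or of FreeBSD's own tooling. It packages the ruleset from the report as a sh script and adds the check a practitioner would want on an upgraded box: take two snapshots of the rule counters (the rule/packets/bytes columns the report quotes) and report whether the byte counter of the catch-all deny rule grew, which with one_pass=1 means traffic that was aliased by the nat rule fell through instead of leaving the firewall. The interface names (fxp2 external, fxp0 internal), the rule number 20600 for the allow rule, and the sample counter snapshots are assumptions and constructed data, not taken from a live system.

```shell
#!/bin/sh
# Added example, not from the PR. Interface names and rule 20600 are assumptions.
EXT_IF="${EXT_IF:-fxp2}"
INT_IF="${INT_IF:-fxp0}"

# Emit the ruleset the report describes, one ipfw(8) command per line.
# The nat instance is configured before the rule that references it.
ipfw_nat_ruleset() {
    cat <<EOF
nat 1 config if $EXT_IF log deny_in same_ports reset
add 20600 allow ip from any to any via $INT_IF
add 20700 nat 1 ip from any to any via $EXT_IF
add 29900 deny ip from any to any
EOF
}

# Load the ruleset on a live FreeBSD host (requires root and IPFIREWALL_NAT).
# With one_pass=1 a packet matched by the nat rule is supposed to leave the
# firewall immediately instead of reaching rule 29900.
apply_ruleset() {
    sysctl net.inet.ip.fw.one_pass=1
    ipfw_nat_ruleset | ipfw -q /dev/stdin
}

# Snapshot of per-rule counters on a live host (rule packets bytes action ...).
snapshot() {
    ipfw -a list
}

# True if a 'sysctl net.inet.ip.fw.one_pass' output line reports the value 1.
one_pass_enabled() {
    [ "$(printf '%s\n' "$1" |
        awk -F': *' '$1 == "net.inet.ip.fw.one_pass" { print $2 }')" = 1 ]
}

# Byte counter of rule $1 from counter output on stdin (third column).
rule_bytes() {
    awk -v n="$1" '$1 == n { print $3; exit }'
}

# fell_through BEFORE AFTER RULE: true if RULE's byte counter rose between the
# two snapshots, i.e. packets reached the deny rule after the nat rule.
fell_through() {
    before=$(printf '%s\n' "$1" | rule_bytes "$3")
    after=$(printf '%s\n' "$2" | rule_bytes "$3")
    [ "${after:-0}" -gt "${before:-0}" ]
}

# Constructed snapshots modelled on the counters quoted in the report.
SNAP_BEFORE='20700 0 0 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any'
SNAP_80_AFTER='20700 12221 1314739 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any'
SNAP_81_AFTER='20700 0 5847 nat 1 ip from any to any via fxp2
29900 0 6023 deny ip from any to any'

# Report whether the deny rule absorbed post-nat traffic for one pair of snapshots.
report() {
    if fell_through "$1" "$2" 29900; then
        echo "BROKEN: traffic passed the nat rule and hit rule 29900"
        return 1
    fi
    echo "OK: nothing reached rule 29900"
}

if [ "${1:-}" = "demo" ]; then
    report "$SNAP_BEFORE" "$SNAP_80_AFTER"   # expected behaviour
    report "$SNAP_BEFORE" "$SNAP_81_AFTER"   # behaviour described in the PR
fi
```

On a real host the usage is `apply_ruleset`, `snapshot > before`, push some traffic through the external interface, `snapshot > after`, then `fell_through "$(cat before)" "$(cat after)" 29900`. Run the script with the `demo` argument to see the check against the two constructed snapshots. The ruleset emitted by ipfw_nat_ruleset configures the nat instance before adding the rule that references it, so the rule never exists without a backing instance.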