From: Lytochkin Boris
To: freebsd-net@freebsd.org
Date: Fri, 4 Dec 2009 11:47:37 +0300
Message-ID: <933fa9790912040047k64aa11a7s736688e7382725ad@mail.gmail.com>
Subject: FreeBSD 8: ipfw fwd and pf route-to broken?

Hi!

It seems that FreeBSD 8 has ipfw fwd and pf's route-to malfunctioning:

1) ipfw fwd
a) net.inet.ip.forwarding = 0
Packets altered by fwd rule are silently dropped somewhere between
ip_output() checking forward tag and bpf (tcpdump does not show these
packets)
b) net.inet.ip.forwarding = 1
Packets altered by fwd rule are forwarded according to normal routing
table (in my case they were forwarded to default gateway), not fwd
statement

2) pf route-to
Both values of net.inet.ip.forwarding replicate the 1b case.

Sample configs

1) ipfw
add 60 fwd 10.60.128.254 ip from 10.60.128.0/24 to any out
add 65534 allow ip from any to any

2) pf
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 to any flags S/SA keep state

~>uname -a
FreeBSD thost 8.0-PRERELEASE FreeBSD 8.0-PRERELEASE #5: Wed Dec 2 13:43:48 MSK 2009 root@thost:/usr/obj/usr/src/sys/CSUP amd64

--
Regards,
Boris Lytochkin