From: Billy Newsom
To: freebsd-stable@freebsd.org
Date: Tue, 31 May 2005 00:03:25 -0500
Message-ID: <429BF01D.2070103@leadhill.net>
Subject: ipnat is definitely broken in RELENG_5_4

I posted previously that ipnat failed to start after I upgraded to FreeBSD 5.4. On the same machine, I am having additional ipnat failures.

I reported the first time that ipnat failed to start on the first boot. I am now reporting that on the second boot, ipnat loaded and installed its tables, as expected. A quick "ipnat -vls" at boot confirmed this. YEAH!

But ON SECOND LOOK, I found out that ipnat was failing to do its normal network translation. A subsequent "ipnat -vls" confirmed that there were no statistics for anything a day later -- all 0's, but I should have been mapping in and out a lot of connections.

So I cleared ipnat's tables and reloaded the same ones. Instantly some connections that were waiting to start were NATed in, and I saw some active connections in the NAT statistics. There had apparently been none since the second boot using FreeBSD 5.4.

I am adding this to the PR I filed, because something is still amiss. I am now trying to figure out how to write a babysitter script for ipnat, so it runs at boot, and maybe periodically to ensure NAT is on. If I am away from this server, I wonder what I would do if I depended on ipnat??? I would be firewalled out, essentially, needing to log in locally. This is major, so I am going to keep being persistent about it.

Thanks for any insight or workarounds... Still need to try enabling ipv6 in rc.conf as someone suggested??? Does that seem right?

Here are a few sanitized shell outputs. We have changed the port numbers to protect the innocent.

Sun May 29 18:19:29 CDT 2005    [[My bootup time]]

# ipnat -vls
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   6
wilds   0
table 0xbfbfebc8 list 0xc1bc6e00
List of active MAP/Redirect filters:
rdr oo0 192.168.1.2/32 port 899 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 21111 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 1238 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 1234 -> 127.0.0.1 port 56 tcp
rdr oo0 192.168.1.2/32 port 1236 -> 127.0.0.1 port 192 tcp
rdr oo0 192.168.1.2/32 port 1237 -> 192.168.0.2 port 152 tcp

List of active sessions:

List of active host mappings:

[[And I did this on the 30th!!! with no statistics a day later]]

# ipnat -vls
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   6
wilds   0
table 0xbfbfeba8 list 0xc1bc6e00
List of active MAP/Redirect filters:
rdr oo0 192.168.1.2/32 port 899 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 21111 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 1238 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 1234 -> 127.0.0.1 port 56 tcp
rdr oo0 192.168.1.2/32 port 1236 -> 127.0.0.1 port 192 tcp
rdr oo0 192.168.1.2/32 port 1237 -> 192.168.0.2 port 152 tcp

List of active sessions:

List of active host mappings:

# ipnat -C
6 entries flushed from NAT list

# ipnat -vls
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   0
wilds   0
table 0xbfbfeba8 list 0x0
List of active MAP/Redirect filters:

List of active sessions:

List of active host mappings:

# ipnat -f /etc/ipnat.rules

[[Here is a few minutes later....]]

# ipnat -vls
mapped  in      14      out     12
added   1       expired 0
no memory       0       bad nat 0
inuse   1
rules   6
wilds   0
table 0xbfbfeba8 list 0xc43f1a00
List of active MAP/Redirect filters:
rdr oo0 192.168.1.2/32 port 899 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 21111 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 1238 -> 127.0.0.1 port 99 tcp
rdr oo0 192.168.1.2/32 port 1234 -> 127.0.0.1 port 56 tcp
rdr oo0 192.168.1.2/32 port 1236 -> 127.0.0.1 port 192 tcp
rdr oo0 192.168.1.2/32 port 1237 -> 192.168.0.2 port 152 tcp

List of active sessions:
RDR 127.0.0.1 99 <- -> 192.168.1.2 899 [16.10.10.211 42666] age 438 use 0 sumd 0xba36/0xba36 pr 6 bkt 251/408 flags 1 drop 0/0 ifp oo0 bytes 8532 pkts 26

List of active host mappings:
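The post asks for a "babysitter script" that runs at boot and periodically makes sure NAT is actually translating. As an added example (not part of Billy's message and not FreeBSD or IPFilter code), the sh script below does that by reading the same counters shown above: when "ipnat -s" reports loaded rules but the "mapped in/out" counters are still zero on several consecutive checks, it flushes and reloads the rules exactly as the post did by hand (ipnat -C, then ipnat -f). It assumes the rules live in /etc/ipnat.rules (the path used in the post), that ipnat -s prints the "mapped in N out M" and "rules N" lines in the shape shown above, and that the script is run from cron as root; the state file path, the logger tag and the three-check threshold are my own choices.

```shell
#!/bin/sh
# ipnat watchdog (added example, not from the original post or from FreeBSD).
# Reads the counters that "ipnat -s" prints and, when rules are loaded but
# nothing has been translated on several consecutive checks, flushes and
# reloads the rules the same way the post did by hand (ipnat -C; ipnat -f).

RULES_FILE=${RULES_FILE:-/etc/ipnat.rules}              # assumed rules path
STATE_FILE=${STATE_FILE:-/var/run/ipnat-watchdog.count} # assumed state path
ZERO_CHECKS_BEFORE_RELOAD=${ZERO_CHECKS_BEFORE_RELOAD:-3}

# Print "mapped in" + "mapped out" from ipnat -s output read on stdin,
# or -1 when no counter line is present (for example ipnat itself failed).
nat_mapped_total() {
    awk '
        $1 == "mapped" && $2 == "in" { found = 1; print $3 + $5; exit }
        END { if (!found) print -1 }
    '
}

# Print the loaded rule count from the same output, or -1 when absent.
nat_rule_count() {
    awk '
        $1 == "rules" { found = 1; print $2; exit }
        END { if (!found) print -1 }
    '
}

# Succeed (exit 0) when the status text shows loaded rules but zero
# translations, the state the post saw a day after boot; fail otherwise.
# $1 is the complete ipnat -s output.
nat_needs_reload() {
    mapped=$(printf '%s\n' "$1" | nat_mapped_total)
    rules=$(printf '%s\n' "$1" | nat_rule_count)
    [ "$rules" -gt 0 ] && [ "$mapped" -eq 0 ]
}

# Flush and reload: the two commands the post ran by hand.
nat_reload() {
    ipnat -C >/dev/null && ipnat -f "$RULES_FILE"
}

# One pass against the live system. A freshly booted or idle box also shows
# zeros, so only reload after ZERO_CHECKS_BEFORE_RELOAD consecutive zero
# readings; any non-zero reading resets the count. Every reload is logged so
# the events can be correlated with the PR.
nat_watchdog() {
    status=$(ipnat -s 2>/dev/null) || return 2
    if nat_needs_reload "$status"; then
        n=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
        n=$((n + 1))
        if [ "$n" -ge "$ZERO_CHECKS_BEFORE_RELOAD" ]; then
            logger -t ipnat-watchdog "rules loaded but no translations after $n checks; reloading"
            nat_reload
            n=0
        fi
    else
        n=0
    fi
    echo "$n" > "$STATE_FILE"
}

# Constructed samples in the shape of the post's "ipnat -vls" output.
SAMPLE_STALE='mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   6
wilds   0'

SAMPLE_ACTIVE='mapped  in      14      out     12
added   1       expired 0
no memory       0       bad nat 0
inuse   1
rules   6
wilds   0'

# Run the real check only as root on a host that has ipnat; elsewhere just
# show the decision logic on the constructed samples.
if command -v ipnat >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    nat_watchdog
else
    nat_needs_reload "$SAMPLE_STALE" && echo "stale sample: reload needed"
    nat_needs_reload "$SAMPLE_ACTIVE" || echo "active sample: translating, nothing to do"
fi
```

Installed under an assumed path such as /usr/local/sbin/ipnat-watchdog, a line like "*/5 * * * * root /usr/local/sbin/ipnat-watchdog" in /etc/crontab runs it every five minutes, and one extra invocation late in the boot sequence covers the "failed to start on first boot" case. The consecutive-check threshold matters: right after boot, and on a link with no traffic, the counters are legitimately zero, so a watchdog that reloads on a single zero reading would churn the rule list for no reason. Note that ipnat -C only flushes the rule list, so existing sessions keep their entries until they expire; that is the same behaviour the post relied on when it reloaded by hand.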