From owner-freebsd-net@freebsd.org Sat Apr 7 15:21:31 2018
Date: Sat, 07 Apr 2018 18:01:13 +0300
From: wishmaster
Subject: Re[2]: Questions about ipfw's dynamic rules' dyn_keepalive
To: ml@netfence.it
Cc: freebsd-net@freebsd.org
Message-Id: <1523113095.663460514.l5y2tucy@frv52.fwdcdn.com>
In-Reply-To: <07ab14c5-466d-2d7e-9447-6b7d1e9bd823@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD

--- Original Message ---
From: "Andrea Venturoli"
Date: 7 April 2018, 17:19:00

> On 04/03/18 12:54, Andrey V. Elsukov wrote:
> > On 03.04.2018 13:45, Andrey V. Elsukov wrote:
> >>> Can anybody give any hint about the above behaviours or point me to good
> >>> documentation? The man page is very brief on this, unfortunately.
> >>
> >> Hi,
>
> Thanks for your answer.
>
> >> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
> >> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> >> keep-alive packets have a private source address, because they do not go
> >> through the NAT rule. And because of this the remote host drops them without
> >> reply.
>
> If this is the reason, since I run tcpdump on the client (internal
> network) I should have seen them arriving, shouldn't I?
>
> > You can try this patch:
> >
> > https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
> >
> > It adds the sysctl variable net.inet.ip.fw.bypass_own_packets, which can
> > control the behavior of the M_SKIP_FIREWALL flag.
>
> It seems this is a patch against HEAD and it doesn't apply cleanly to
> 11.1R. Unfortunately the file it modifies seems to have changed a lot
> and I don't know how to adapt this.
>
> Is there a plan to get this patch in the source in the future?
> If not, why? Are there any disadvantages?
I have tested this patch (with some modifications) and with this patch ipfw works as expected for users behind NAT without any side effects.

---
Vitaly
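As an added example (not code from this thread or from ipfw itself), a small sh/awk check that runs over `tcpdump -n` output from the outside interface and flags the symptom described above: zero-length pure ACKs that still carry an RFC 1918 source address, i.e. keep-alives that left without passing the NAT rule. The capture lines are constructed, and the interface name em0 in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not ipfw's own code. ipfw marks its own packets
# M_SKIP_FIREWALL, so a dyn_keepalive probe for a state behind NAT can
# leave with the inside host's private source address. On the wire that is
# a zero-length pure ACK from an RFC 1918 address on the outside interface.

# Constructed tcpdump -n lines standing in for a real capture.
sample_capture() {
    cat <<'EOF'
15:21:31.100001 IP 192.168.1.10.51234 > 203.0.113.5.22: Flags [.], ack 1, win 65535, length 0
15:21:31.100002 IP 198.51.100.7.51234 > 203.0.113.5.22: Flags [.], ack 1, win 65535, length 0
15:21:31.100003 IP 192.168.1.10.51234 > 203.0.113.5.22: Flags [P.], seq 1:30, ack 1, win 65535, length 29
15:21:31.100004 IP 10.0.0.5.40000 > 203.0.113.9.443: Flags [.], ack 4321, win 1024, length 0
15:21:31.100005 IP 203.0.113.5.22 > 198.51.100.7.51234: Flags [.], ack 1, win 65535, length 0
EOF
}

# Read tcpdump -n lines on stdin; print those that look like an ipfw
# keep-alive (pure ACK, length 0) whose source is a private address.
find_untranslated_keepalives() {
    awk '
        /Flags \[\.\], ack / && /length 0$/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)          # drop the trailing ".port"
            if (src ~ /^10\./ ||
                src ~ /^192\.168\./ ||
                src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                print
        }'
}

# Just the number of offending packets (0 when the capture is clean).
count_untranslated_keepalives() {
    find_untranslated_keepalives | awk 'END { print NR }'
}

# Stand-alone run against the constructed sample. On a real gateway replace
# sample_capture with, e.g., "tcpdump -n -i em0 tcp" (em0 = assumed outside if).
sample_capture | find_untranslated_keepalives
echo "untranslated keep-alives: $(sample_capture | count_untranslated_keepalives)"
```

Any hit on the outside interface confirms that a keep-alive was emitted past the NAT rule; with the patch above and bypass_own_packets turned off the count should drop to zero.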