From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 13 06:37:10 2011
Date: Mon, 13 Jun 2011 16:26:08 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Ozkan KIRIK
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/157796: [ipfw] IPFW in-kernel NAT nat loopback / Default Router Changes Unexpectedly
In-Reply-To: <201106130216.p5D2G0df071455@freefall.freebsd.org>
Message-ID: <20110613153843.E34384@sola.nimnet.asn.au>

On Mon, 13 Jun 2011, linimon@freebsd.org wrote:

> http://www.freebsd.org/cgi/query-pr.cgi?pr=157796

Ozkan, I'm not replying to your PR directly as this is purely speculative; I have no idea about your default route changing. However your ruleset raises a couple of possible issues:

> When a packet injects into ipfw in-kernel nat more than once,
> operating systems behave abnormally.
>
> Let's inspect the ruleset below:
>
> ipfw table 12 add 10.0.14.1/32 33
> ipfw table 13 add 193.X.128.30/32 33
>
> ipfw nat 33 config redirect_addr 10.0.14.1 193.X.128.30
> ipfw nat 799 config ip 3.3.3.3 reverse
>
> 55000 nat tablearg ip from table(12) to not 3.3.3.3 via em3
> 55000 nat tablearg ip from any to table(13) via em3
> 55000 nat 799 ip from any to table(13) not via em3
> 55000 nat tablearg ip from 3.3.3.3 to table(13)
> 55000 nat tablearg ip from table(12) to 3.3.3.3
> 55000 nat 799 ip from table(13) to 3.3.3.3

Firstly, if ipfw nat behaves the same as divert+natd in this respect, and assuming net.inet.ip.fw.one_pass=0 from your description, then any nat diversion would result in reentry of the ruleset at the next rule with a higher rule number, not at the next sequential rule with the same number. I've never been certain whether that's also true with ipfw nat, but renumbering subsequent rules as 55001 etc would soon rule that out.

Secondly, I assume you're aware that 'via em3' on any outbound packets applies to packets that were either received on or are being transmitted on em3? It's often better to disambiguate 'via' with 'recv' and 'xmit'.

HTH, Ian
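As an added example (not part of Ian's mail or of the PR), the quoted ruleset with both of his suggestions applied, as a small sh script: each nat rule gets its own increasing number, so a packet re-entering the ruleset after a nat rule (one_pass=0) continues at the following rule instead of skipping the remaining 55000 siblings, and every `via em3` is replaced with `recv em3` or `xmit em3`. The interface, tables and nat instances are the PR's; which direction each rule was meant to match is an assumption made from the addresses it matches, as are the function names and the use of `ipfw -n` as a syntax check before loading.

```sh
#!/bin/sh
# Added example, not code from the original mail or from the PR. Assumes the
# PR's interface (em3), tables (12, 13) and nat instances (33, 799); the
# recv/xmit choices below are assumptions about each rule's intended direction.
# Table and nat configuration stay exactly as in the PR and are not repeated.

# Print the six nat rules with distinct, increasing rule numbers starting at
# $1 (default 55000), in 'ipfw list' style (no leading "add").
render_nat_rules() {
    n=${1:-55000}
    # Traffic from the redirected host leaving on em3: outbound, so xmit.
    printf '%s nat tablearg ip from table(12) to not 3.3.3.3 xmit em3\n' "$n"; n=$((n+1))
    # Traffic to the public address arriving on em3: inbound, so recv.
    printf '%s nat tablearg ip from any to table(13) recv em3\n' "$n"; n=$((n+1))
    # Traffic to the public address that did NOT arrive on em3
    # (assumed: the internal side of the nat-loopback case).
    printf '%s nat 799 ip from any to table(13) not recv em3\n' "$n"; n=$((n+1))
    # The 3.3.3.3 loopback leg: the original has no interface match,
    # so none is added here.
    printf '%s nat tablearg ip from 3.3.3.3 to table(13)\n' "$n"; n=$((n+1))
    printf '%s nat tablearg ip from table(12) to 3.3.3.3\n' "$n"; n=$((n+1))
    printf '%s nat 799 ip from table(13) to 3.3.3.3\n' "$n"
}

# Read rules on stdin and print how many distinct rule numbers they use;
# equal to the rule count means no two rules share a number.
distinct_rule_numbers() {
    awk '{ seen[$1] = 1 } END { c = 0; for (k in seen) c++; print c }'
}

# Syntax-check the rendered rules without touching the kernel (ipfw -n),
# then load them. Re-entry after a nat rule only happens with
# net.inet.ip.fw.one_pass=0, which is what the PR is assumed to run with.
load_nat_rules() {
    tmp=$(mktemp) || return 1
    render_nat_rules "$1" | sed 's/^/add /' > "$tmp"
    ipfw -n -q "$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only load when explicitly asked: sh thisfile.sh load
if [ "${1:-}" = load ]; then
    load_nat_rules 55000
fi
```

Running the script with no argument does nothing; `sh thisfile.sh load` as root syntax-checks and then installs the six rules as 55000 through 55005. If the default-route change stops once the rules are renumbered, Ian's first point (re-entry at the next higher rule number) is the likely explanation; if it persists, the recv/xmit split is the next thing to revisit against the actual traffic directions.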