Date:      Mon, 28 Mar 2022 02:33:43 +0200
From:      Peter <pmc@citylink.dinoex.sub.org>
To:        freebsd-stable@freebsd.org
Subject:   13.1: "ipfw forward" TESTCASE for crosscheck
Message-ID:  <YkECZ5GlVPxBsKOp@gate.intra.daemon.contact>
In-Reply-To: <YkDSpdAHoVFyfydk@gate.intra.daemon.contact>


I have now done a testcase, as follows:
===================================================================

root@zwlf:~ # cat /boot/loader.conf
net.fibs="3"
net.inet.ip.fw.default_to_accept=1

root@zwlf:~ # uname -a
FreeBSD zwlf 12.3-RELEASE FreeBSD 12.3-RELEASE r371126 GENERIC  amd64

root@zwlf:~ # kldload ipfw
root@zwlf:~ # ipfw show
65535 31 2392 allow ip from any to any

root@zwlf:~ # ifconfig tun0 create
root@zwlf:~ # ifconfig tun0 inet 1.1.1.1 1.1.1.3
root@zwlf:~ # cat < /dev/tun0 > /dev/null &
[1] 745

root@zwlf:~ # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1

root@zwlf:~ # ipfw add 1 fwd 1.1.1.3 all from any to 2.2.2.2 out

root@zwlf:~ # ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes

root@zwlf:~ # tcpdump -nitun0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
01:50:48.245471 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 57, length 64
01:50:49.270479 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 58, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@zwlf:~ # tcpdump -nivtnet0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes

===========================================================================

root@dzhn:~ # cat /boot/loader.conf
net.fibs="3"
net.inet.ip.fw.default_to_accept=1

root@dzhn:~ # uname -a
FreeBSD dzhn 13.1-PRERELEASE FreeBSD 13.1-PRERELEASE #2 local/stable/13-n249898-b64a3b409a5-dirty: Mon Mar  7 03:07:03 CET 2022     root@dzhn:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

root@dzhn:~ # kldload ipfw
root@dzhn:~ # ipfw show
65535 6 496 allow ip from any to any

root@dzhn:~ # ifconfig tun0 create
root@dzhn:~ # ifconfig tun0 inet 1.1.1.1 1.1.1.3
root@dzhn:~ # cat < /dev/tun0 > /dev/null &
[1] 728

root@dzhn:~ # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1

root@dzhn:~ # ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes

root@dzhn:~ # tcpdump -nitun0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes

root@dzhn:~ # tcpdump -nivtnet0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:01:46.861543 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 34, length 64
02:01:47.876647 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 35, length 64

===========================================================================

So far, this does not look like it would work as expected.

But the strangeness is, before I tried to migrate my entire backbone
to Rel. 13 (and now reverted back to 12.3), I did a pilot.
That pilot runs its traffic via "ipfw forward", all the time, and
it works flawlessly! (And the rulesets are software-generated, they
should be all the same everywhere.)

This is the pilot:

FreeBSD 13.1-STABLE #0 n250057-80a5bb34a50[80a5bb34a50=19b779498ca+22]: Thu Mar 17 19:48:04 CET 2022

And the thing that I just tried to install to the backbone is this
one:
FreeBSD 13.1-STABLE #0 n250124-185a4cbf602[185a4cbf602=6018f775ceb+24]: Sun Mar 27 00:57:26 CET 2022     

This doesn't make sense... there must be something else involved.
So, if you can, please cross-check this testcase.




