Date: Mon, 28 Mar 2022 02:33:43 +0200
From: Peter
To: freebsd-stable@freebsd.org
Subject: 13.1: "ipfw forward" TESTCASE for crosscheck
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

I have now done a testcase, as follows:

===================================================================
root@zwlf:~ # cat /boot/loader.conf
net.fibs="3"
net.inet.ip.fw.default_to_accept=1
root@zwlf:~ # uname -a
FreeBSD zwlf 12.3-RELEASE FreeBSD 12.3-RELEASE r371126 GENERIC  amd64
root@zwlf:~ # kldload ipfw
root@zwlf:~ # ipfw show
65535 31 2392 allow ip from any to any
root@zwlf:~ # ifconfig tun0 create
root@zwlf:~ # ifconfig tun0 inet 1.1.1.1 1.1.1.3
root@zwlf:~ # cat < /dev/tun0 > /dev/null &
[1] 745
root@zwlf:~ # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1
root@zwlf:~ # ipfw add 1 fwd 1.1.1.3 all from any to 2.2.2.2 out
root@zwlf:~ # ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes
root@zwlf:~ # tcpdump -nitun0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
01:50:48.245471 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 57, length 64
01:50:49.270479 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 58, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@zwlf:~ # tcpdump -nivtnet0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
===========================================================================
root@dzhn:~ # cat /boot/loader.conf
net.fibs="3"
net.inet.ip.fw.default_to_accept=1
root@dzhn:~ # uname -a
FreeBSD dzhn 13.1-PRERELEASE FreeBSD 13.1-PRERELEASE #2 local/stable/13-n249898-b64a3b409a5-dirty: Mon Mar 7 03:07:03 CET 2022     root@dzhn:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
root@dzhn:~ # kldload ipfw
root@dzhn:~ # ipfw show
65535 6 496 allow ip from any to any
root@dzhn:~ # ifconfig tun0 create
root@dzhn:~ # ifconfig tun0 inet 1.1.1.1 1.1.1.3
root@dzhn:~ # cat < /dev/tun0 > /dev/null &
[1] 728
root@dzhn:~ # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1
root@dzhn:~ # ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes
root@dzhn:~ # tcpdump -nitun0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
root@dzhn:~ # tcpdump -nivtnet0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:01:46.861543 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 34, length 64
02:01:47.876647 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 35, length 64
===========================================================================

So far, this does not look like it would work as expected.

But the strangeness is: before I tried to migrate my entire backbone to Rel. 13 (and now reverted back to 12.3), I did a pilot. That pilot runs its traffic via "ipfw forward", all the time, and it works flawlessly! (And the rulesets are software-generated; they should be all the same everywhere.)

This is the pilot:

FreeBSD 13.1-STABLE #0 n250057-80a5bb34a50[80a5bb34a50=19b779498ca+22]: Thu Mar 17 19:48:04 CET 2022

And the thing that I just tried to install to the backbone is this one:

FreeBSD 13.1-STABLE #0 n250124-185a4cbf602[185a4cbf602=6018f775ceb+24]: Sun Mar 27 00:57:26 CET 2022

This doesn't make sense... there must be something else involved.

So, if you can, please cross-check this testcase.
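An automated form of the testcase above, as an added example that is not part of the original post: it repeats the tun0 / "ipfw fwd" setup, captures on both the tunnel and the LAN interface while pinging the test address, and reports where the echo requests actually left the host. The interface names TUN and LAN_IF (vtnet0 in the post), the addresses and the script name are assumptions; the two helper functions also work offline on saved tcpdump output.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumed names: TUN,
# LAN_IF (vtnet0 in the post), NEXTHOP and TARGET as in the testcase.
# Usage on FreeBSD as root:  sh ipfw-fwd-check.sh run
TUN=tun0
LAN_IF=vtnet0
NEXTHOP=1.1.1.3
TARGET=2.2.2.2

# Count ICMP echo requests to $1 in tcpdump text read from stdin.
count_echo_requests() {
    awk -v h="$1" '$0 ~ ("> " h ": ICMP echo request") { n++ } END { print n + 0 }'
}

# $1 = requests seen on the tunnel, $2 = requests seen on the LAN side.
# With one_pass=1 the fwd rule must push every request into the tunnel.
verdict() {
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then echo "PASS"
    elif [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then echo "FAIL"
    else echo "INCONCLUSIVE"
    fi
}

run_testcase() {
    kldload -n ipfw
    echo "one_pass=$(sysctl -n net.inet.ip.fw.one_pass)"
    ifconfig "$TUN" create
    ifconfig "$TUN" inet 1.1.1.1 "$NEXTHOP"
    cat < "/dev/$TUN" > /dev/null &        # reader keeps the tunnel up
    sink=$!
    ipfw add 1 fwd "$NEXTHOP" all from any to "$TARGET" out
    tunlog=$(mktemp); lanlog=$(mktemp)
    timeout 8 tcpdump -lni "$TUN" "host $TARGET" > "$tunlog" 2>/dev/null &
    t1=$!
    timeout 8 tcpdump -lni "$LAN_IF" "host $TARGET" > "$lanlog" 2>/dev/null &
    t2=$!
    sleep 2                                 # let both captures start
    ping -c 3 "$TARGET" > /dev/null 2>&1
    wait "$t1" "$t2"
    tun_n=$(count_echo_requests "$TARGET" < "$tunlog")
    lan_n=$(count_echo_requests "$TARGET" < "$lanlog")
    echo "tun=$tun_n lan=$lan_n verdict=$(verdict "$tun_n" "$lan_n")"
    kill "$sink"; ipfw delete 1; ifconfig "$TUN" destroy
    rm -f "$tunlog" "$lanlog"
}

if [ "$1" = "run" ]; then run_testcase; fi
```

On the 12.3 host in the post this prints PASS (requests on tun0 only); on the 13.1-PRERELEASE host it prints FAIL (requests on vtnet0 only).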