Date: Mon, 9 Aug 2004 18:37:39 +0200
From: Pawel Malachowski
To: darrenr@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: Re: ipfilter/ipnat 3.4.35 and udp-traceroute problem

On Fri, Aug 06, 2004 at 12:54:08AM +0200, Pawel Malachowski wrote:

> I can see weird behavior of this command:
> traceroute -s privateIP -P UDP dst
> Outgoing UDP packets are translated, ICMP time-exceeded message comes back,
> but traceroute shows '* * *'. ;)

v3.4.35 import breaks things on my RELENG_4 box.
FYI: With this ruleset, UDP-traceroute doesn't work (ICMP- works):

map fxp0 172.27.201.1/24 -> public/32 proxy port ftp ftp/tcp
map fxp0 172.27.201.1/24 -> public/32 portmap tcp/udp auto
map fxp0 172.27.201.1/24 -> public/32

% traceroute -s 172.27.201.1 -P udp www.yahoo.com
traceroute to www.yahoo.akadns.net (216.109.118.74) from 172.27.201.1, 64 hops max, 44 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * *^C

% traceroute -s 172.27.201.1 -P icmp www.yahoo.com
traceroute to www.yahoo.akadns.net (216.109.118.79) from 172.27.201.1, 64 hops max, 64 byte packets
[...]
 5  do-war-tr4.tptransit.pl (195.149.232.141)  43.909 ms  36.962 ms  28.713 ms
 6  war-b1-pos14-0.telia.net (213.248.79.13)  32.929 ms  45.965 ms  45.940 ms
 7  hbg-bb2-pos3-2-0.telia.net (213.248.65.33)  41.702 ms  37.646 ms  47.247 ms
 8  kbn-bb2-pos1-2-0.telia.net (213.248.65.126)  45.860 ms  51.259 ms  36.435 ms
 9  nyk-bb2-pos5-0-0.telia.net (213.248.64.34)  138.898 ms  136.887 ms^C

% ipnat -s
mapped  in      246213324       out     246453277
added   6502341 expired 6484448
no memory       0       bad nat 530817
inuse   6210
rules   51
wilds   0

After switching map from /24 to /32, it works just fine:

map fxp0 172.27.201.1/32 -> public/32 proxy port ftp ftp/tcp
map fxp0 172.27.201.1/32 -> public/32 portmap tcp/udp auto
map fxp0 172.27.201.1/32 -> public/32

% traceroute -s 172.27.201.1 -P udp www.yahoo.com
traceroute to www.yahoo.akadns.net (216.109.117.110) from 172.27.201.1, 64 hops max, 44 byte packets
[...]
 5  do-war-tr4.tptransit.pl (195.149.232.141)  27.782 ms  55.108 ms  26.856 ms
 6  war-b1-pos14-0.telia.net (213.248.79.13)  21.830 ms  34.968 ms  20.804 ms
 7  hbg-bb1-pos1-2-0.telia.net (213.248.64.201)  51.748 ms  82.144 ms  74.826 ms
 8  kbn-bb1-pos1-2-0.telia.net (213.248.65.145)  108.766 ms  129.979 ms  77.827 ms
 9  nyk-bb1-pos0-1-0.telia.net (213.248.64.22)  206.748 ms  125.975 ms  125.788 ms
^C

> Another interesting thing:
> % ipf -V
> ipf: IP Filter: v3.4.31 (336) <=
> Kernel: IP Filter: v3.4.35
> [...]
> % grep -i ver /usr/src/contrib/ipfilter/ipl.h
> #define IPL_VERSION "IP Filter: v3.4.31"
>
> Newer ipl.h sits happily in vendor branch.

regards,
--
Paweł Małachowski