From: Michal Mertl <mime@traveller.cz>
Date: Mon, 10 Sep 2007 21:27:52 +0200
To: Max Laier
Cc: freebsd-current@freebsd.org
Subject: Re: PF NAT regression

Max Laier wrote:
> On Monday 10 September 2007, Michal Mertl wrote:
>
>> Hello,
>>
>> I have recently upgraded a 6.2-STABLE based router to a -CURRENT kernel and
>> I found out that the following in /etc/pf.conf does not work anymore:
>>
>> ext_if="sis0"
>> nat on $ext_if from ! ($ext_if) to any -> ($ext_if)
>>
>> It works again when I change it to:
>>
>> nat on $ext_if from any to any -> ($ext_if)
>>
>
> Can you show me "ifconfig sis0" and "pfctl -vvvsn" for either rule? It
> might be a problem with picking up aliases correctly. You could also try
> to limit the nat rule by specifying "inet". A tcpdump on sis0 might also
> be helpful to figure out what's going on, as could be "pfctl -xm" to
> enable extended debugging on the console. This should print which
> address is chosen for any translation. Finally you might want to look at
> the rule counters and the state table after trying a couple of
> connections.

I am sorry, I can't reproduce the problem myself anymore :-(. I do not understand how it could have happened - it seemed clear to me before - first version -> no NAT vs. second version -> NAT. I am pretty sure I repeated the test several times. And of course NAT did not work, as otherwise I would not have been trying to change the ruleset.

There is only one IP address on the sis0 interface and it is being assigned by DHCP.

If I have problems again I will try to better diagnose the situation.

Michal