From owner-freebsd-stable Sun Sep 20 12:32:44 1998
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA21702 for freebsd-stable-outgoing; Sun, 20 Sep 1998 12:32:44 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from shell2.ba.best.com (shell2.ba.best.com [206.184.139.133]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA21621 for ; Sun, 20 Sep 1998 12:32:20 -0700 (PDT) (envelope-from asaddi@philosophysw.com)
Received: from localhost (asaddi@localhost) by shell2.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id MAA18094 for ; Sun, 20 Sep 1998 12:31:49 -0700 (PDT)
X-Authentication-Warning: shell2.ba.best.com: asaddi owned process doing -bs
Date: Sun, 20 Sep 1998 12:31:49 -0700 (PDT)
From: Allan Saddi
X-Sender: asaddi@shell2.ba.best.com
To: freebsd-stable@FreeBSD.ORG
Subject: Yet more natd problems
Message-ID:
Organization: Philosophy SoftWorks
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This seems to be a popular topic on -stable lately. ;)

I cvsupped on September 18th, at approximately 1:10 am PDT. I made world and
rebuilt my kernel (w/o making any changes to the kernel config file, i.e. I
didn't activate bridging or dummynet) about a day later.

This is my topology:

    utopia de0--------ed0 europa ed1---------ISDN router

I run natd by setting the appropriate values in rc.conf, namely:

    natd_enable="YES"                  # Enable natd if firewall_enable.
    natd_interface="ed1"               # Public interface to use with natd if natd_enable.
    natd_flags="-redirect_port udp utopia:27901 27901"  # Additional flags for natd.

(Yes, that redirect is for Quake2 ;)

This is what I did: I set up utopia to monitor icmp packets on its de0
interface. Similarly, I set up europa to monitor packets on its ed1 interface.
On utopia, I pinged a non-local destination. I gathered the following output:

utopia: {101} ifconfig de0
de0: flags=8843 mtu 1500
        inet 192.168.42.17 netmask 0xfffffff0 broadcast 192.168.42.31
        ether 00:80:c8:47:47:c5
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP

europa: {101} ifconfig ed0
ed0: flags=8843 mtu 1500
        inet 192.168.42.19 netmask 0xfffffff0 broadcast 192.168.42.31
        ether 00:80:c8:4d:ae:c7

europa: {102} ifconfig ed1
ed1: flags=8843 mtu 1500
        inet 10.0.0.3 netmask 0xfffffff0 broadcast 10.0.0.15
        ether 00:80:c8:49:0d:c2

europa# ipfw show
00050     0     0 deny ip from 192.168.42.30 to not 192.168.42.16/28
00100     5   531 divert 8668 ip from any to any via ed1
00100     0     0 allow ip from any to any via lo0
00200     0     0 deny ip from any to 127.0.0.0/8
65000    84  6787 allow ip from any to any
65535     0     0 deny ip from any to any

utopia: {110} ping 171.69.192.182
PING 171.69.192.182 (171.69.192.182): 56 data bytes
^C
--- 171.69.192.182 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

utopia# tcpdump -n -i de0 icmp
tcpdump: listening on de0
12:03:43.478860 192.168.42.17 > 171.69.192.182: icmp: echo request
12:03:44.482127 192.168.42.17 > 171.69.192.182: icmp: echo request
12:03:45.492098 192.168.42.17 > 171.69.192.182: icmp: echo request
12:03:46.503055 192.168.42.17 > 171.69.192.182: icmp: echo request
^C
15 packets received by filter
0 packets dropped by kernel

europa# tcpdump -n -i ed1
tcpdump: listening on ed1
12:03:43.257038 192.168.42.17 > 171.69.192.182: icmp: echo request
12:03:44.260680 192.168.42.17 > 171.69.192.182: icmp: echo request
12:03:45.271052 192.168.42.17 > 171.69.192.182: icmp: echo request
12:03:46.282416 192.168.42.17 > 171.69.192.182: icmp: echo request
^C
4 packets received by filter
0 packets dropped by kernel

europa# ipfw show
00050     0     0 deny ip from 192.168.42.30 to not 192.168.42.16/28
00100     5   531 divert 8668 ip from any to any via ed1
00100     0     0 allow ip from any to any via lo0
00200     0     0 deny ip from any to 127.0.0.0/8
65000    89  7187 allow ip from any to any
65535     0     0 deny ip from any to any

I'm not much of a kernel hacker, but it seems to me that the packets from
utopia aren't being diverted at all, as evidenced by the counters. Also, the
outgoing packets on europa's ed1 interface haven't been aliased at all.

I hope this helps to hunt down the bug. (From this, I would think the problem
would be somewhere in the kernel portion of ipfirewall.)

-- 
Allan Saddi                           "The Earth is the cradle of mankind,
asaddi@philosophysw.com                but we cannot live in the cradle
http://www.philosophysw.com/asaddi/    forever." - K.E. Tsiolkovsky

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
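The diagnosis in the message rests on comparing two `ipfw show` listings: the divert rule's packet counter stays at 5 while the catch-all allow rule climbs from 84 to 89, so the new packets reached the firewall but never matched the divert rule. The following script is an added example, not part of the original message or of FreeBSD; it parses `ipfw show` output, keys rules by (number, action, body) so that the two rules both numbered 00100 are kept apart, and flags any divert rule whose counter stood still while other rules counted new traffic. The two snapshots embedded below are the listings from the message; the third, "healthy" snapshot is constructed for contrast.

```python
"""Spot divert rules that stopped matching, from two `ipfw show` snapshots.

Added example (not from the original message). The parser handles the
classic `ipfw show` format: <rule> <packets> <bytes> <action> <rest of rule>.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    number: int
    packets: int
    nbytes: int
    action: str   # e.g. "deny", "allow", "divert"
    body: str     # everything after the action, e.g. "8668 ip from any to any via ed1"


# rule number, packet counter, byte counter, action keyword, remainder
_LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

RuleKey = Tuple[int, str, str]


def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse the lines of `ipfw show`, skipping anything that is not a rule."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        number, pkts, nbytes, action, body = m.groups()
        rules.append(Rule(int(number), int(pkts), int(nbytes), action, body.strip()))
    return rules


def _by_key(rules: List[Rule]) -> Dict[RuleKey, Rule]:
    # Rule numbers are not unique (the message shows two 00100 rules),
    # so include action and body in the key.
    return {(r.number, r.action, r.body): r for r in rules}


def counter_deltas(before: str, after: str) -> Dict[RuleKey, int]:
    """Packet-counter growth per rule between the two snapshots."""
    b, a = _by_key(parse_ipfw_show(before)), _by_key(parse_ipfw_show(after))
    return {key: r.packets - b[key].packets for key, r in a.items() if key in b}


def stalled_divert_rules(before: str, after: str) -> List[Rule]:
    """Divert rules that matched nothing new while the firewall as a whole did.

    That pattern means traffic is passing the rule set without being handed
    to natd, which is exactly what the unaliased packets on ed1 indicate.
    """
    deltas = counter_deltas(before, after)
    total_new = sum(deltas.values())
    after_rules = _by_key(parse_ipfw_show(after))
    return [after_rules[k] for k, d in deltas.items()
            if k[1] == "divert" and d == 0 and total_new > 0]


# Snapshots copied from the message (before and after the four pings).
IPFW_BEFORE = """\
00050 0 0 deny ip from 192.168.42.30 to not 192.168.42.16/28
00100 5 531 divert 8668 ip from any to any via ed1
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
65000 84 6787 allow ip from any to any
65535 0 0 deny ip from any to any
"""
IPFW_AFTER = IPFW_BEFORE.replace("65000 84 6787", "65000 89 7187")

# Constructed "healthy" snapshot: the divert rule counted the new packets.
IPFW_AFTER_HEALTHY = IPFW_AFTER.replace("00100 5 531 divert", "00100 9 843 divert")


if __name__ == "__main__":
    for key, delta in counter_deltas(IPFW_BEFORE, IPFW_AFTER).items():
        print(f"{key[0]:05d} {key[1]:<7} +{delta} packets")
    for rule in stalled_divert_rules(IPFW_BEFORE, IPFW_AFTER):
        print(f"STALLED: rule {rule.number:05d} divert {rule.body}")
```

Run it against a saved copy of `ipfw show` taken before and after sending a few test packets; an empty result from `stalled_divert_rules` means the divert rule is seeing traffic and the fault lies with natd rather than with packet diversion.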