From owner-freebsd-ipfw@FreeBSD.ORG  Thu Oct  6 11:33:13 2011
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 353BD1065670;
	Thu,  6 Oct 2011 11:33:13 +0000 (UTC)
	(envelope-from melifaro@yandex-team.ru)
Received: from forward9.mail.yandex.net (forward9.mail.yandex.net
	[77.88.61.48]) by mx1.freebsd.org (Postfix) with ESMTP id ADAC38FC1B;
	Thu,  6 Oct 2011 11:33:12 +0000 (UTC)
Received: from smtpcorp2.mail.yandex.net (smtpcorp2.mail.yandex.net
	[77.88.61.36])
	by forward9.mail.yandex.net (Yandex) with ESMTP id 3F23ACE1F11;
	Thu,  6 Oct 2011 15:17:39 +0400 (MSD)
Received: from smtpcorp2.mail.yandex.net (localhost [127.0.0.1])
	by smtpcorp2.mail.yandex.net (Yandex) with ESMTP id 3474D740110;
	Thu,  6 Oct 2011 15:17:39 +0400 (MSD)
Received: from dhcp170-36-red.yandex.net (dhcp170-36-red.yandex.net
	[95.108.170.36])
	by smtpcorp2.mail.yandex.net (nwsmtp/Yandex) with ESMTP id HdLOxvp2;
	Thu,  6 Oct 2011 15:17:39 +0400
Message-ID: <4E8D8DF2.8060309@yandex-team.ru>
Date: Thu, 06 Oct 2011 15:16:02 +0400
From: "Alexander V. Chernikov" <melifaro@yandex-team.ru>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US;
	rv:1.9.2.18) Gecko/20111005 Thunderbird/3.1.11
MIME-Version: 1.0
To: Oleg Strizhak <oleg@pcbtech.ru>
References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org>
	<4E8D860F.2030505@pcbtech.ru>
In-Reply-To: <4E8D860F.2030505@pcbtech.ru>
Content-Type: multipart/mixed; boundary="------------020200020808050701040903"
Cc: "Andrey V. Elsukov" <ae@FreeBSD.org>, melifaro@FreeBSD.org,
	freebsd-ipfw@FreeBSD.org
Subject: Re: ipfw nat drops icmp packets from localhost
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2011 11:33:13 -0000

This is a multi-part message in MIME format.
--------------020200020808050701040903
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 7bit

On 06.10.2011 14:42, Oleg Strizhak wrote:
> Hello, Andrey V. Elsukov!
> 
> You wrote on 06.10.2011 at 13:38:
> 
>> On 06.10.2011 12:29, Oleg Strizhak wrote:
>>> After an investigation I've found out a very strange situation - it
>>> seems to me, that ipfw nat drops
>>> some (type 11?) icmp reply packets, whose udp request packets it
>>> hasn't rewritten/seen before, e.g:
>>>
>>> So, I wonder whether someone else has seen the same case under the
>>> similar circumstances? Isn't it a
>>> bug within ipfw nat module and is there any work-around/patch for
>>> that? I've surely googled, but in
>>> vain =( The only thing, that seems alike to my problem, is
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for
>>> 8 branch didn't cure anything =(
>>
>> Can you describe how you did apply and test this patch?
> 
> in a usual way =) Unfortunately, copy-pasted from the mentioned above
> page patch couldn't be applied w/ error:

svn diff -c 223835 svn://svn.freebsd.org/base/stable/8 > ~/r223835.diff
Can you try the patch attached (just to be sure) ?

This is exact situation from this (and some related PRs) and this
revision definitely fixes it.

Btw, what is the value of net.inet.ip.fw.one_pass sysctl ?
Are you sure that ipfw is the single enabled firewall on this machine ?
Are you sure that system is using new kernel ?


> 
>> $ patch < ~/ip_fw_nat.patch
>> Hmm...  Looks like a unified diff to me...
>> The text leading up to this was:
>> --------------------------
>> |--- stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 08:33:58
>> 2011 (r223834)
>> |+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 09:29:11
>> 2011 (r223835)
>> --------------------------
>> Patching file ip_fw_nat.c using Plan A...
>> patch: **** malformed patch at line 4: else
> 
> the same results were obtained with combinations of -p5 -l and tail +2
> ~/ip_fw_nat.patch options & commands
> Finally, I modified the patch (which applies w/o a word =) a little bit
> w/o any difference to the original one:
> 
>>  $ /usr/bin/diff -wBbu3 ~/ip_fw_nat.patch ~/ip_fw_nat.patch.my
>> --- /root/ip_fw_nat.patch       2011-10-04 14:08:32.000000000 +0400
>> +++ /root/ip_fw_nat.patch.my    2011-10-04 14:29:53.000000000 +0400
>> @@ -1,5 +1,5 @@
>> ---- stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 08:33:58
>> 2011 (r223834)
>> -+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 09:29:11
>> 2011 (r223835)
>> +--- ip_fw_nat.c.orig   2010-12-21 20:09:25.000000000 +0300
>> ++++ ip_fw_nat.c        2011-10-04 14:27:02.000000000 +0400
>>  @@ -263,17 +263,27 @@
>>  else
>>  retval = LibAliasOut(t->lib, c,
> 
> then I recompiled the kernel, rebooted server and.. all is just the same =(
> 
> WBR,
> Oleg
> 


--------------020200020808050701040903
Content-Type: text/plain;
 name="r223835.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="r223835.diff"

Index: sys/netinet/ipfw/ip_fw_nat.c
===================================================================
--- sys/netinet/ipfw/ip_fw_nat.c	(revision 223834)
+++ sys/netinet/ipfw/ip_fw_nat.c	(revision 223835)
@@ -263,17 +263,27 @@
 	else
 		retval = LibAliasOut(t->lib, c,
 			mcl->m_len + M_TRAILINGSPACE(mcl));
-	if (retval == PKT_ALIAS_RESPOND) {
-		m->m_flags |= M_SKIP_FIREWALL;
-		retval = PKT_ALIAS_OK;
-	}
-	if (retval != PKT_ALIAS_OK &&
-	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+
+	/*
+	 * We drop packet when:
+	 * 1. libalias returns PKT_ALIAS_ERROR;
+	 * 2. For incoming packets:
+	 *	a) for unresolved fragments;
+	 *	b) libalias returns PKT_ALIAS_IGNORED and
+	 *		PKT_ALIAS_DENY_INCOMING flag is set.
+	 */
+	if (retval == PKT_ALIAS_ERROR ||
+	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+	    (retval == PKT_ALIAS_IGNORED &&
+	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
 		/* XXX - should i add some logging? */
 		m_free(mcl);
 		args->m = NULL;
 		return (IP_FW_DENY);
 	}
+
+	if (retval == PKT_ALIAS_RESPOND)
+		m->m_flags |= M_SKIP_FIREWALL;
 	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
 
 	/*

Property changes on: sys/contrib/pf
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/contrib/pf:r222806


Property changes on: sys/contrib/dev/acpica
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/contrib/dev/acpica:r222806


Property changes on: sys/cddl/contrib/opensolaris
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/cddl/contrib/opensolaris:r222806


Property changes on: sys/amd64/include/xen
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/amd64/include/xen:r222806


Property changes on: sys
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys:r222806


--------------020200020808050701040903--