From: Eugene Grosbein <eugen@grosbein.net>
To: freebsd-net@freebsd.org
Cc: Alexander V. Chernikov, Andrey V. Elsukov
Subject: ipfw nat bug
Date: Mon, 30 Nov 2020 16:10:03 +0700
Message-ID: <4c530439-32fe-0e67-ad1a-faafe0cfbeb9@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD
Hi!

It seems I'm facing a bug in the NAT44 ipfw nat/libalias implementation.

Suppose we have a LAN 192.168.0.0/24 and two WAN channels with public IP addresses, and an internal server 192.168.0.100 that serves connections on port 5060, both TCP and UDP, so we configure redirects:

  nat 1 config if vlan1 reset same_ports \
      redirect_port tcp 192.168.0.100:5060 5060 redirect_port udp 192.168.0.100:5060 5060

Same for nat 2 and vlan2. And it works just fine.

Then this server 192.168.0.100 makes an *outgoing* connection to external host A and UDP port 5060; same_ports keeps the outgoing port 5060 and it works fine, too.

Now this server 192.168.0.100 makes a second outgoing UDP connection over the same WAN to a different external IP address using the same NAT instance. The source port gets changed to a dynamic one, and here we have a problem: the incoming UDP response is NOT translated by the rule:

  nat 1 ip from any to any in recv vlan1

So this UDP packet is not delivered to 192.168.0.100; instead local delivery is performed, resulting in ICMP port unreachable.

  16:06:23.232792 IP X.X.X.X.60949 > Y.Y.Y.Y.5060: SIP: OPTIONS sip:AAA@BBB SIP/2.0
  16:06:23.249020 IP Y.Y.Y.Y.5060 > X.X.X.X.60949: SIP: SIP/2.0 200 OK
  16:06:23.249062 IP X.X.X.X > Y.Y.Y.Y: ICMP X.X.X.X udp port 60949 unreachable, length 36

Two questions: is it right that a dynamic port is used for the second connection to a different host, and how do I fix this?
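As an added illustration (not code from the post above, and not the libalias algorithm itself), the following Python model of a NAT table keeps one mapping per (private endpoint, remote endpoint) pair, preserves the original source port only while no other mapping towards a different remote holds it, and consults redirect_port entries last. Run over the two-flow scenario from the report, with the same placeholder addresses, it shows the second flow landing on a dynamic port and what a correct table must do with the reply to that port: translate it back to 192.168.0.100:5060, while a packet with no matching entry is left for local delivery (the symptom seen in the tcpdump output).

```python
# Simplified model of a NAT44 translation table: per-flow mappings,
# same_ports-style preservation of the original source port, and static
# redirect_port entries. Constructed for illustration; not the libalias code.

class Nat:
    def __init__(self, public_ip, dyn_first=49152):
        self.public_ip = public_ip
        self.next_dyn = dyn_first   # next unused dynamic port (assumed range start)
        self.redirects = {}         # (proto, pub_port) -> (priv_ip, priv_port)
        self.mappings = {}          # (proto, priv_ip, priv_port, remote) -> pub_port
        self.by_pub = {}            # (proto, pub_port, remote) -> (priv_ip, priv_port)

    def redirect_port(self, proto, priv_ip, priv_port, pub_port):
        self.redirects[(proto, pub_port)] = (priv_ip, priv_port)

    def _held_for_other_remote(self, proto, port, remote):
        # Busy if a live mapping already uses this public port towards another remote.
        return any(k[0] == proto and k[1] == port and k[2] != remote
                   for k in self.by_pub)

    def translate_out(self, proto, priv_ip, priv_port, remote):
        """Return the public source port chosen for an outgoing flow."""
        key = (proto, priv_ip, priv_port, remote)
        if key in self.mappings:
            return self.mappings[key]
        if not self._held_for_other_remote(proto, priv_port, remote):
            pub_port = priv_port            # same_ports: keep the original port
        else:
            pub_port = self.next_dyn        # otherwise fall back to a dynamic one
            self.next_dyn += 1
        self.mappings[key] = pub_port
        self.by_pub[(proto, pub_port, remote)] = (priv_ip, priv_port)
        return pub_port

    def translate_in(self, proto, pub_port, remote):
        """Private destination for an inbound packet, or None when nothing
        matches (the packet would then be delivered to the NAT host itself)."""
        hit = self.by_pub.get((proto, pub_port, remote))
        return hit if hit is not None else self.redirects.get((proto, pub_port))

def scenario():
    """The two-flow case from the report, with constructed placeholder addresses."""
    nat = Nat("X.X.X.X")
    nat.redirect_port("udp", "192.168.0.100", 5060, 5060)
    p1 = nat.translate_out("udp", "192.168.0.100", 5060, ("A.A.A.A", 5060))  # keeps 5060
    p2 = nat.translate_out("udp", "192.168.0.100", 5060, ("Y.Y.Y.Y", 5060))  # dynamic port
    reply = nat.translate_in("udp", p2, ("Y.Y.Y.Y", 5060))   # must map back to the server
    stray = nat.translate_in("udp", p2, ("Z.Z.Z.Z", 5060))   # no entry -> None (local delivery)
    return p1, p2, reply, stray
```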