From owner-freebsd-current@FreeBSD.ORG Wed Dec 17 15:34:53 2008
Delivered-To: freebsd-current@freebsd.org
Message-ID: <49491BFA.5090605@freebsd.org>
Date: Wed, 17 Dec 2008 10:34:18 -0500
From: Joe Marcus Clarke <marcus@freebsd.org>
Organization: FreeBSD, Inc.
User-Agent: Thunderbird 2.0.0.18 (Macintosh/20081105)
To: Marko Zec
Cc: freebsd-current@freebsd.org
References: <1229476796.49670.7.camel@shumai.marcuscom.com> <4948C7BE.7070602@oltrelinux.com> <200812171148.38528.zec@icir.org>
In-Reply-To: <200812171148.38528.zec@icir.org>
Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
List-Id: Discussions about the use of FreeBSD-current

Marko Zec wrote:
> On Wednesday 17 December 2008 10:34:54 Paolo Pisati wrote:
>> Joe Marcus Clarke wrote:
>>> I just upgraded my i386 -CURRENT box from November 14 to today, and
>>> now my SSH-over-PPP VPN tunnel no longer works. I did some packet
>>> captures, and it appears that NAT is no longer working. If I send
>>> a telnet packet from my client side over the PPP tunnel, I see the
>>> SYN go out on the server side network properly translated. The
>>> destination host ACKs correctly, but the ACK never goes back across
>>> the tunnel. It's as if natd is no longer translating the packet on
>>> the inbound path. Besides the upgrade, nothing has changed in my
>>> environment.
>>
>> Lately some work has been done on the vimage and routing tree stuff,
>> thus your best bet is to go back some days and try again.
>
> Hi Joe,
>
> could you try building your kernel with options VIMAGE_GLOBALS and tell
> us whether this makes any difference - turning on VIMAGE_GLOBALS should
> revert certain aspects of virtualization changes that recently got
> merged into the tree.

Thanks for the suggestion, but the results are the same. I turned on
-verbose on natd, and I see the ACK packet come back from the
destination, and natd is translating it correctly. However, I never see
the ACK on the remote end of the tunnel. It looks like a routing problem
at this point. It's as if the kernel doesn't know on what interface to
encapsulate the reply packet.

Joe

> Cheers,
>
> Marko

-- 
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome