Date:      Sat, 07 Sep 2019 23:11:55 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 240400] ipnat not working some time after a lot of calls to the "map" or "rdr" rules (drop packets)
Message-ID:  <bug-240400-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240400

            Bug ID: 240400
           Summary: ipnat not working some time after a lot of calls to
                    the "map" or "rdr" rules (drop packets)
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: dym@afalina.od.ua

# uname -a
FreeBSD test 11.2-RELEASE-p14 FreeBSD 11.2-RELEASE-p14 #0 r351966: Sat Sep  7 01:29:14 CEST 2019 GENERIC  amd64

# cat messages | grep "IP Filter"
kernel: IP Filter: v5.1.2 initialized.  Default = pass all, Logging = enabled

# cat ipf.rules
pass in quick all
pass out quick all

# cat ipnat.rules
rdr igb0 xxx.xxx.xxx.xxx/32 port 80 -> yyy.yyy.yyy.yyy port 80
rdr igb0 xxx.xxx.xxx.xxx/32 port 443 -> yyy.yyy.yyy.yyy port 443
map igb0 xxx.xxx.xxx.xxx/32 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 40000:50000
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32

xxx.xxx.xxx.xxx -- IP on WAN interface igb0
yyy.yyy.yyy.yyy -- IP on LAN machine with http service
yyy.yyy.yyy.0/24 -- LAN

Some time after a lot of calls to the map rules:
# ipfstat | egrep 'NAT failure'
158     input block reason IPv4 NAT failure
0       input block reason IPv6 NAT failure
0       output block reason IPv4 NAT failure
0       output block reason IPv6 NAT failure

Some time after a lot of calls to the rdr rules:
# ipfstat | egrep 'NAT failure'
159     input block reason IPv4 NAT failure
0       input block reason IPv6 NAT failure
267     output block reason IPv4 NAT failure
0       output block reason IPv6 NAT failure

It is present both with the GENERIC kernel and a freshly installed system, and
with a rebuilt kernel and world.

-- 
You are receiving this mail because:
You are the assignee for the bug.



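An added check, not part of the bug report, that compares two ipfstat snapshots and lists the "NAT failure" block counters that grew between them, so the symptom described above can be caught by a periodic monitor rather than noticed after packets are already being dropped. It assumes the counter line format shown in the report; the snapshot text embedded below is constructed from the report's numbers.

```shell
#!/bin/sh
# Added example (not from the bug report): diff the NAT failure block
# counters between two 'ipfstat' snapshots. Assumed line format:
#   <count>  <input|output> block reason <IPv4|IPv6> NAT failure

# Print "direction family count" for each NAT failure counter in a snapshot.
nat_failure_counters() {
    # $1: text of one ipfstat snapshot (may contain unrelated lines)
    printf '%s\n' "$1" | awk '/block reason .* NAT failure/ { print $2, $5, $1 }'
}

# Print "direction family old new" for each counter that grew from
# snapshot $1 to snapshot $2; print nothing when no counter grew.
nat_failure_growth() {
    before=$(nat_failure_counters "$1")
    after=$(nat_failure_counters "$2")
    printf '%s\n' "$after" | while read -r dir fam new; do
        old=$(printf '%s\n' "$before" |
              awk -v d="$dir" -v f="$fam" '$1 == d && $2 == f { print $3 }')
        [ -n "$old" ] || old=0          # counter absent earlier: treat as 0
        if [ "$new" -gt "$old" ]; then
            printf '%s %s %s %s\n' "$dir" "$fam" "$old" "$new"
        fi
    done
}

# Constructed sample snapshots, patterned on the two ipfstat runs in the report.
SNAP_BEFORE='158     input block reason IPv4 NAT failure
0       input block reason IPv6 NAT failure
0       output block reason IPv4 NAT failure
0       output block reason IPv6 NAT failure'

SNAP_AFTER='159     input block reason IPv4 NAT failure
0       input block reason IPv6 NAT failure
267     output block reason IPv4 NAT failure
0       output block reason IPv6 NAT failure'

# On a live host, capture the real output instead of the sample text, e.g.:
#   SNAP_BEFORE=$(ipfstat); sleep 60; SNAP_AFTER=$(ipfstat)
nat_failure_growth "$SNAP_BEFORE" "$SNAP_AFTER"
```

Run from cron with the two captures a minute apart, any non-empty output is a signal that NAT is starting to drop packets and is worth alerting on before hosts behind the map rules lose connectivity.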