From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 12 16:20:11 2011
Date: Tue, 12 Jul 2011 16:20:10 GMT
Message-Id: <201107121620.p6CGKAeb035620@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Vadim Goncharov
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
List-Id: IPFW Technical Discussions

The following reply was made to PR kern/147720; it has been noted by GNATS.

From: Vadim Goncharov
To: "skeletor@lissyara.su"
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Date: Tue, 12 Jul 2011 22:45:47 +0700

Hi skeletor@lissyara.su!

On Tue, 21 Jun 2011 07:10:07 GMT; skeletor@lissyara.su wrote:

> I tested patch-1.diff and found several problems. When I use 2 channels
> my VPN (I use mpd with connect type pptp) stops working. This problem
> does not appear on all servers.
>
> Here are my results of tests:
>
> 1) FreeBSD 8.1 amd64 (VPN server), 2 external real IPs - VPN doesn't work
> 2) FreeBSD 8.2 i386, 1 external real IP (second - not real) -
>    connecting on the second (not real) IP doesn't work
> 3) FreeBSD 8.1 i386 (VPN client), 2 external real IPs - all works fine
> 4) FreeBSD 8.2 i386 (VPN client), 1 external real IP (second - not
>    real) - connecting from 2 external IPs works, but VPN doesn't work.

This is not really a problem with the patch, as PPTP uses not only a TCP
connection, but also establishes a GRE tunnel, which is independent from
that TCP connection from the dynamic rules' point of view. There must be
something tracking the packet data payload (e.g. the libalias-based NAT
engine supports this) which will link the two connections together.

This message, still, does not provide any useful information even to
conclude whether there is some regression with this patch. Personally I
think this is an architectural problem with PPTP, and the patch was just
used in inappropriate conditions, i.e. such a configuration should be
avoided, and the patch itself is OK.

--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
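To make the point in the reply concrete (a keep-state entry created by the PPTP TCP control session says nothing about the GRE tunnel that carries the actual VPN traffic), here is an added illustration that is not part of the PR thread and not ipfw's own code. It is a deliberately simplified Python model of stateful rule matching: dynamic entries are keyed on (protocol, source, source port, destination, destination port), a `check-state` rule consults that table in both directions, and `setup keep-state` on the TCP 1723 rule installs an entry. The addresses, port 40000 and rule layout are constructed for the example; real ipfw keys, timeouts and rule syntax are more involved than this.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, GRE = 6, 47          # IP protocol numbers (GRE is what PPTP tunnels data over)
PPTP_CTRL_PORT = 1723     # PPTP control connection (TCP)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0        # 0 for protocols that have no ports, such as GRE
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK, i.e. what ipfw's "setup" matches


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: Optional[int]        # None matches any protocol
    dport: Optional[int] = None
    setup: bool = False         # only match connection-opening SYNs
    keep_state: bool = False    # install a dynamic entry on match
    check_state: bool = False   # consult the dynamic table instead of matching

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not p.syn_only:
            return False
        return True


class Firewall:
    """Simplified model of first-match rule processing with a dynamic table."""

    def __init__(self, rules):
        self.rules = rules
        self.dyn = set()  # keys: (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if r.check_state:
                # A dynamic entry matches the flow in either direction, but only
                # the exact 5-tuple: a GRE packet never matches a TCP entry.
                if self._key(p) in self.dyn or self._reverse_key(p) in self.dyn:
                    return "allow (dynamic)"
                continue
            if r.matches(p):
                if r.keep_state:
                    self.dyn.add(self._key(p))
                return r.action
        return "deny"


def _pptp_flows() -> Tuple[Packet, Packet, Packet]:
    # Constructed traffic: client 203.0.113.5 opens PPTP to server 198.51.100.1,
    # the server answers, then the client sends the first GRE tunnel packet.
    ctrl = Packet(TCP, "203.0.113.5", "198.51.100.1", 40000, PPTP_CTRL_PORT, syn_only=True)
    reply = Packet(TCP, "198.51.100.1", "203.0.113.5", PPTP_CTRL_PORT, 40000)
    gre = Packet(GRE, "203.0.113.5", "198.51.100.1")
    return ctrl, reply, gre


def pptp_with_state_only() -> Tuple[str, str, str]:
    """Only the TCP control connection is tracked; the GRE tunnel is dropped."""
    fw = Firewall([
        Rule("allow", None, check_state=True),
        Rule("allow", TCP, dport=PPTP_CTRL_PORT, setup=True, keep_state=True),
        Rule("deny", None),
    ])
    return tuple(fw.process(p) for p in _pptp_flows())


def pptp_with_explicit_gre_rule() -> Tuple[str, str, str]:
    """Same ruleset plus a static rule for GRE, which is what makes PPTP pass."""
    fw = Firewall([
        Rule("allow", None, check_state=True),
        Rule("allow", TCP, dport=PPTP_CTRL_PORT, setup=True, keep_state=True),
        Rule("allow", GRE),
        Rule("deny", None),
    ])
    return tuple(fw.process(p) for p in _pptp_flows())


if __name__ == "__main__":
    print("state only      :", pptp_with_state_only())
    print("with GRE rule   :", pptp_with_explicit_gre_rule())
```

The first scenario shows the failure mode from the test reports: the control session is allowed and its reply is matched dynamically, but the GRE packet finds no entry and falls through to the deny. The second scenario adds a static GRE rule and the tunnel passes; on a real ipfw host the equivalent would be a separate rule that allows protocol `gre` between the PPTP endpoints (or, as the reply notes, a NAT engine with payload tracking that links the two flows). Tracking GRE with keep-state on its own would also work per flow, but nothing in the dynamic table ties it to the TCP session that negotiated it.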