From owner-freebsd-current@FreeBSD.ORG Thu Dec 18 21:06:27 2008
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4D44A106564A; Thu, 18 Dec 2008 21:06:27 +0000 (UTC) (envelope-from qing.li@bluecoat.com)
Received: from whisker.bluecoat.com (whisker.bluecoat.com [216.52.23.28]) by mx1.freebsd.org (Postfix) with ESMTP id 367818FC1B; Thu, 18 Dec 2008 21:06:27 +0000 (UTC) (envelope-from qing.li@bluecoat.com)
Received: from bcs-mail03.internal.cacheflow.com ([10.2.2.95]) by whisker.bluecoat.com (8.14.2/8.14.2) with ESMTP id mBIKqsrk014557; Thu, 18 Dec 2008 12:52:54 -0800 (PST)
Date: Thu, 18 Dec 2008 12:53:01 -0800
From: "Li, Qing"
To: "Joe Marcus Clarke"
Cc: current
Subject: RE: NAT (ipfw/natd) broken in latest -CURRENT
In-Reply-To: <1229476796.49670.7.camel@shumai.marcuscom.com>
References: <1229476796.49670.7.camel@shumai.marcuscom.com>
List-Id: Discussions about the use of FreeBSD-current

Hi Joe,

I have been trying to recreate your problem but my setup seems to work.
I then noticed in your original netstat output the p2p host route
installed by the tunnel interface has the "G" flag set. This will
certainly cause a routing problem because that route is not an indirect
route. I modified the kernel code to simulate this condition and I do
see the error on output, which is expected.

I assume this problem is consistently reproducible in your setup?

-- Qing

> -----Original Message-----
> From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Joe Marcus Clarke
> Sent: Tuesday, December 16, 2008 5:20 PM
> To: current
> Subject: NAT (ipfw/natd) broken in latest -CURRENT
>
> I just upgraded my i386 -CURRENT box from November 14 to today, and now
> my SSH-over-PPP VPN tunnel no longer works. I did some packet captures,
> and it appears that NAT is no longer working. If I send a telnet packet
> from my client side over the PPP tunnel, I see the SYN go out on the
> server side network properly translated. The destination host ACKs
> correctly, but the ACK never goes back across the tunnel. It's as if
> natd is no longer translating the packet on the inbound path. Besides
> the upgrade, nothing has changed in my environment.
>
> My ipfw show looks like:
>
> 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> 00100   194   20696 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to 127.0.0.0/8
> 00300     0       0 deny ip from 127.0.0.0/8 to any
> 65000 24714 4934785 allow ip from any to any
> 65535     5     396 deny ip from any to any
>
> I am running natd as:
>
> /sbin/natd -s -m -skinny_port 2000 -n em0
>
> The ifconfig for my tunnel interface is:
>
> tun0: flags=8051 metric 0 mtu 1300
>         inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
>         inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
>         Opened by PID 8018
>
> My netstat on the server side looks like:
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            172.18.254.1       UGS         0    46685    em0
> 10.1.1.76          link#5             UGH         0     1735   tun0
> 127.0.0.1          link#3             UH          0     1171    lo0
> 172.18.254.0/24    link#1             U           0        0    em0
> 172.18.254.237/32  link#1             U           0        8    em0
>
> The server's uname is:
>
> FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> Dec 16 15:42:09 EST 2008
> marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC i386
>
> The previous, working uname was:
>
> FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
> marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
>
> Joe
>
> --
> Joe Marcus Clarke
> FreeBSD GNOME Team :: gnome@FreeBSD.org
> FreeNode / #freebsd-gnome
> http://www.FreeBSD.org/gnome
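The check Qing describes, turned into a script that can be run over `netstat -rn` output to spot the same misconfiguration: a host route (H) whose gateway is a link-level entry (`link#N`, so no next-hop address) but which is nevertheless marked indirect (G). This is an added example, not code from the thread or from FreeBSD; it assumes the column layout shown in Joe's quoted netstat output (Destination, Gateway, Flags, Refs, Use, Netif, Expire), and the embedded sample table is that output copied from the thread.

```python
"""Flag point-to-point host routes that carry the G (indirect) flag.

Added example for the freebsd-current thread "NAT (ipfw/natd) broken in
latest -CURRENT"; not code from the thread itself.  Assumes the classic
`netstat -rn` column layout shown in the quoted message.
"""

# Sample routing table: Joe's server-side `netstat` output from the thread,
# with the wrapped "Expire" header folded back onto the header line.
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0
"""


def parse_routes(text):
    """Return (destination, gateway, flags, netif) tuples from netstat -rn text.

    Section headers ("Internet:") and the column header line are skipped.
    The Expire column is optional (it is empty for every row above), so a
    data row has at least six whitespace-separated fields.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[5]
        routes.append((dest, gateway, flags, netif))
    return routes


def suspicious_routes(text):
    """Host routes marked indirect (G) although they have no gateway address.

    In the FreeBSD routing table, G means the destination is reached through
    a gateway (an indirect route).  A p2p host route whose gateway column is
    a link-level entry such as link#5 is direct, so G on it is the condition
    Qing identified as breaking output on the tunnel.
    """
    bad = []
    for dest, gateway, flags, netif in parse_routes(text):
        if "H" in flags and "G" in flags and gateway.startswith("link#"):
            bad.append((dest, gateway, flags, netif))
    return bad


if __name__ == "__main__":
    # Run stand-alone against the embedded sample; pipe real `netstat -rn`
    # output into parse_routes()/suspicious_routes() the same way.
    for dest, gateway, flags, netif in suspicious_routes(NETSTAT_OUTPUT):
        print(f"direct host route marked indirect: {dest} via {gateway} "
              f"flags={flags} on {netif}")
```

On the sample table the only hit is the tun0 route `10.1.1.76 link#5 UGH`, which is exactly the entry Qing singled out; the loopback host route `127.0.0.1 link#3 UH` is direct and correctly unflagged, and `default 172.18.254.1 UGS` has a real gateway address, so G is legitimate there.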