Date: Wed, 10 Apr 2002 13:47:28 -0400
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: <cjclark@alum.mit.edu>
Cc: <freebsd-bugs@FreeBSD.ORG>
Subject: RE: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Message-ID: <LPBBIGIAAKKEOEJOLEGOOELFCNAA.barbish@a1poweruser.com>
In-Reply-To: <20020409231719.C34659@blossom.cjclark.org>
Chris, you replied with the following:

> OK, serious deja vu. Didn't we go through this once before? Every single one of the 'keep-state' rules is for packets crossing the tun0 interface and only the tun0 interface. This won't work. As we see in the rules that get created, all of the outgoing packets that trigger the keep-state rules have a source of the aliased address. When they come back in, they are translated by the 'divert' rule, 00200, before they hit the 'check-state' rule. They have a 10.0.10.0/29 address after 00200, so they match no dynamic rule, fall through the list, and get dropped.

And I say: SO WHAT'S YOUR POINT? You have not done anything but point out that divert natd does not work with keep-state rules, just like I said. The ipfw divert natd rule in the rc.firewall sample implies it can be used on any interface. If I code this same rule set using stateless rules and simple stateful setup/established rules, the divert natd works just fine using tun0, just like in the rc.firewall sample.

[[[This is not a question of which interface is being used, but one of which ip address (private or public) is being posted in the dynamic rules table and the ipfw divert natd function lacking the knowledge that dynamic rules are enabled, and modifying its behavior to accommodate this fact.]]]

My PR is saying the ipfw divert natd function does not work using advanced stateful rules which build entries in the dynamic rules table, and the test documentation I sent you proves it. Fix the ipfw divert natd function so it is aware when advanced stateful rules are in use, or change the ipfw divert natd documentation to say it does not work in an ipfw rule set that contains any rules that use the keep-state option. This is an oversight that should have been addressed when the keep-state option was first introduced. I do not think you should have closed this PR. I want a second opinion.
Please reopen the pr, post our email correspondence to it, and email the other IPFW team members to review the pr. There is a problem here even if you cannot see it. Other people's eyes and minds may have a different perspective of the test results. It's time to move this up the hill to get additional viewpoints besides just yours.

Joe
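The rule ordering Chris describes, beside the reordering that is commonly used to make natd and keep-state coexist, as an added example that is not part of this thread or of the FreeBSD tree. It assumes tun0 is the public interface, 10.0.10.0/29 is the private LAN, natd listens on the default divert port, and an ipfw that executes skipto as the action of a matched dynamic rule; set IPFW=echo to preview the commands without touching the kernel.

```shell
# Added example: broken ordering from the PR vs. the usual workaround.
IPFW="${IPFW:-/sbin/ipfw}"

# Ordering from the PR: divert runs first in both directions, so the
# keep-state rule sees the aliased (public) source address and records
# it in the dynamic table. The reply is translated back to 10.0.10.0/29
# at rule 200 before check-state and therefore matches no dynamic rule.
broken_ruleset() {
    $IPFW -f flush
    $IPFW add 200 divert natd ip from any to any via tun0
    $IPFW add 300 check-state
    $IPFW add 400 allow tcp from any to any out via tun0 setup keep-state
    $IPFW add 65000 deny log ip from any to any
}

# Workaround: translate inbound first, then check-state. Outbound
# keep-state rules fire before the outbound divert, so the dynamic entry
# is built with the private address, and skipto sends the packet on to
# the divert afterwards. An inbound reply is translated at 100, matches
# the private-address dynamic entry at 200, skips to 1000 (which is
# out-only, so it does not apply) and is allowed at 1010.
fixed_ruleset() {
    $IPFW -f flush
    $IPFW add 100 divert natd ip from any to any in via tun0
    $IPFW add 200 check-state
    # dynamic entries are created here with a 10.0.10.0/29 source
    $IPFW add 300 skipto 1000 tcp from 10.0.10.0/29 to any out via tun0 setup keep-state
    $IPFW add 310 skipto 1000 udp from 10.0.10.0/29 to any out via tun0 keep-state
    $IPFW add 900 deny log ip from any to any
    # only packets that passed a keep-state or check-state rule land here
    $IPFW add 1000 divert natd ip from any to any out via tun0
    $IPFW add 1010 allow ip from any to any
}

# rule_number RULESET PATTERN: number of the first rule in RULESET whose
# text matches PATTERN (useful with IPFW=echo to inspect the ordering)
rule_number() { "$1" | awk -v pat="$2" '$0 ~ pat { print $2; exit }'; }
```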