Date: Sun, 02 Oct 2016 05:06:56 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 213154] ipfw nat single pass with ipfw netgraph multi pass
Message-ID: <bug-213154-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213154

            Bug ID: 213154
           Summary: ipfw nat single pass with ipfw netgraph multi pass
           Product: Base System
           Version: 11.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: avernar@gmail.com

Created attachment 175361
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=175361&action=edit
Proposed patch

It is very difficult to get ipfw nat to work with a stateful firewall (keep-state and check-state) in multi pass mode. The issue is that the state rules have to come after the nat rules. This makes keep-state see the external IP while check-state sees the internal IP, and it doesn't work. Easier just to use single pass.

Unfortunately you can't use single pass with certain netgraph nodes like tcpmss. The packets need to come back.

So I propose we add an additional net.inet.ip.fw.one_pass_nat knob to enable one pass nat when net.inet.ip.fw.one_pass is set to 0 for netgraph, pipes and queues.

-- 
You are receiving this mail because:
You are the assignee for the bug.
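The rule-ordering problem the report describes, as an added example ruleset that is not part of the bug report or of the attached patch; the external interface em0, the LAN prefix 192.168.1.0/24 and the ng_ipfw cookie 100 are assumed:

```ipfw
# Added example ruleset (not the reporter's configuration). Assumed: external
# interface em0, LAN 192.168.1.0/24, ng_ipfw cookie 100 wired to an ng_tcpmss node.
# Loaded as a rule file (firewall_type="/etc/ipfw.rules") with
#   net.inet.ip.fw.one_pass=0
# in /etc/sysctl.conf, so that netgraph, pipe, queue and nat actions return the
# packet to the next rule (multi pass).

nat 1 config if em0

# MSS clamping needs the packet back from netgraph; with one_pass=1 the packet
# would leave the ruleset after this action, which is why single pass is not an option.
add 100 netgraph 100 tcp from any to any via em0 tcpflags syn

# In multi pass the packet also comes back after translation, so every rule
# below sees the post-NAT addresses.
add 200 nat 1 ip from any to any via em0

# Outbound: the source is already the external address when keep-state records it.
# Inbound:  the destination is already the internal address when check-state looks
#           it up, so the reply never matches the entry created on the way out.
add 300 check-state
add 400 allow ip from any to any out via em0 keep-state
add 500 deny ip from any to any

# With the patch from attachment 175361, the proposed (not yet shipping) knob
#   net.inet.ip.fw.one_pass_nat=1
# would make only the nat rule single pass while one_pass stays 0 for the
# netgraph, pipe and queue rules above.
```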