From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 213154] ipfw nat single pass with ipfw netgraph multi pass
Date: Sun, 02 Oct 2016 05:06:56 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213154

            Bug ID: 213154
           Summary: ipfw nat single pass with ipfw netgraph multi pass
           Product: Base System
           Version: 11.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: avernar@gmail.com

Created attachment 175361
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=175361&action=edit
Proposed patch

It is very difficult to get ipfw nat to work with a stateful firewall (keep-state
and check-state) in multi pass mode. The issue is that the state rules have to
come after the nat rules. This makes keep-state see the external IP while
check-state sees the internal IP, and it doesn't work. It is easier just to use
single pass.

Unfortunately you can't use single pass with certain netgraph nodes like tcpmss.
The packets need to come back.

So I propose we add an additional net.inet.ip.fw.one_pass_nat knob to enable
one pass nat when net.inet.ip.fw.one_pass is set to 0 for netgraph, pipes and
queues.

-- 
You are receiving this mail because:
You are the assignee for the bug.
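The address mismatch the report describes (keep-state and check-state seeing different sides of the translation) is avoided in multi-pass mode by arranging the rules so both see the internal address: state is created before the outbound nat rule by way of skipto, and checked only after the inbound nat rule, which is the arrangement the FreeBSD Handbook uses for in-kernel NAT. The script below is an added example, not part of the bug report or its patch; it assumes em0 as the external interface, igb1 as the LAN interface, and ipfw(8) reading rules from a file.

```shell
#!/bin/sh
# Added example (not from the bug report): stateful ipfw with in-kernel
# nat in multi-pass mode. Assumed names: em0 = external, igb1 = LAN.
ext_if=em0
lan_if=igb1

# Emit the ruleset in ipfw(8) file syntax, one rule per line. Ordering is
# the whole point: inbound packets are translated (100) before check-state
# (101) sees them, so the dynamic rule is keyed on the internal address;
# outbound packets create state (110-130) on the internal address and only
# then jump to the nat rule (1000). With one_pass=0 the packet re-enters
# the ruleset after nat, at 101 (inbound) or 1001 (outbound).
ruleset() {
    cat <<EOF
nat 1 config if $ext_if same_ports unreg_only reset
add 005 allow ip from any to any via $lan_if
add 010 allow ip from any to any via lo0
add 099 reass ip from any to any in
add 100 nat 1 ip from any to any in via $ext_if
add 101 check-state
add 110 skipto 1000 tcp from any to any out via $ext_if setup keep-state
add 120 skipto 1000 udp from any to any out via $ext_if keep-state
add 130 skipto 1000 icmp from any to any out via $ext_if keep-state
add 450 deny log ip from any to any
add 1000 nat 1 ip from any to any out via $ext_if
add 1001 allow ip from any to any
EOF
}

# Rule number of the first rule whose text matches the given pattern, so
# the ordering constraints above can be checked without loading anything.
rule_number() {
    ruleset | grep -- "$1" | awk '{ print $2 }' | head -n 1
}

# Load the ruleset; only meaningful on a FreeBSD host with ipfw.
apply_ruleset() {
    ipfw -q -f flush
    ipfw disable one_pass        # multi-pass, as netgraph tcpmss requires
    ruleset | ipfw -q /dev/stdin
}

if [ "${1:-}" = apply ]; then apply_ruleset; fi
```

Run with the argument `apply` to load the rules; without it the script only defines the functions, so the ordering can be inspected with `rule_number` on any host.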