Date: Thu, 07 Jul 2016 08:43:06 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ipfw@FreeBSD.org Subject: [Bug 210408] Problem with outgoing traffic using ipfw and kernel nat originated from local address Message-ID: <bug-210408-7515-up1p5f9DyF@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-210408-7515@https.bugs.freebsd.org/bugzilla/> References: <bug-210408-7515@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D210408 --- Comment #3 from smithi@nimnet.asn.au --- (In reply to Mark Felder from comment #2) Offhand I can think of three places that could be done: 1) /sbin/ipfw (userland) a) when NAT is configured, eg ipfw nat 123 config [ip address | if iface] .= .. b) when NAT would be first invoked, eg ipfw add [ruleno] nat 123 [condition= /s] 2) /sys/netpfil/ipfw/ip_fw2.c (kernel) when NAT is first actually invoked on a packet on the NAT interface. 3) /sys/netinet/libalias (kernel) (or from userland for natd(8)) on first use of an interface, ie (only) on the first packet processed. (1a) seems unlikely, as 'ip address' may not map to an iface on rule creati= on,=20 and a particular nat config may not even be used, or its rule not encounter= ed. (1b) perhaps, though its config needs consulting, and unless 'if iface' is= =20 specified it may not be straightforward to determine which interface - and= =20 we would only want TSO4 disabled on the NAT interface, not on any others. (1) is userland, so it might be more appropriate to 'call' /sbin/ifconfig f= rom=20 there, though again the address to interface mapping - from routing table/s= I=20 assume - may not already be in place upon ruleset creation. (2) and (3) are in-kernel. Perhaps the new libifconfig (ono) can be used fr= om=20 there, but I've only seen that go by in freebsd-net in passing. This would= =20 require testing for TSO4 being on, then setting it off (-tso or -tso4). Separately, /sbin/ipfw should probably insist on (or change to) 'ipv4' rath= er=20 than 'ip' or 'all' on nat rules, to guard against passing libalias(3) any= =20 ipv6 packets, another potential foot-shot. Just a few thought-bubbles, FWIW .. Ian --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-210408-7515-up1p5f9DyF>