From: Joe Marcus Clarke <marcus@FreeBSD.org>
To: Luigi Rizzo
Cc: luigi@FreeBSD.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: NAT broken in -CURRENT
Date: Sat, 26 Dec 2009 16:24:10 -0500
Message-ID: <1261862650.1555.28.camel@shumai.marcuscom.com>
In-Reply-To: <20091226212104.GA10498@onelab2.iet.unipi.it>
References: <1261859138.1555.26.camel@shumai.marcuscom.com> <20091226212104.GA10498@onelab2.iet.unipi.it>
Organization: FreeBSD, Inc.
X-Mailer: Evolution 2.28.2 FreeBSD GNOME Team Port

On Sat, 2009-12-26 at 22:21 +0100, Luigi Rizzo wrote:
> On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> ...
> > I updated my -CURRENT box yesterday. After a reboot, NAT no longer
> > works. That is, if I have natd running with ipfw diverting packets to
> > it, the box is a big black hole. No packets leave. I do see all
> ...
> > I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
> > the problem. Thinking that perhaps the new modularity is causing this
> > problem, I also added the following two options to my kernel:
> >
> > options IPFIREWALL_NAT
> > options LIBALIAS
> >
> > They did not help. I have not tried using a purely modular ipfw/NAT
> > combination, but I will attempt that later today. I didn't see anything
> > obvious in UPDATING. Any suggestions, or any recommendations for
> > specific troubleshooting data to capture? Thanks.
>
> The changes were not expected to affect configuration or operation
> so clearly I must have broken something in the reinjection process.
> If you have a chance of looking at the ipfw counters (to see whether
> packets are reinjected and where they end up) that would be helpful.
> I'll try to run some tests here tomorrow or more likely on Monday.

As I recall, the divert line (rule 50) had a huge counter value (even
after a reboot), but the other rule (i.e. the permit any any rule) had
very few packets. I will gather some more concrete numbers later today.

Thanks for looking into it.

Joe

-- 
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
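An added helper for the counter check suggested in this thread (it is not code from the thread or from FreeBSD): it parses `ipfw -a list` output into per-rule packet counts and, for each divert rule, compares the packets diverted with the packets counted by the rules after it, which is where natd's reinjected packets re-enter the ruleset. The sample output and the `min_ratio` threshold are constructed for the example, shaped after the rule 50 versus permit-any-any observation above.

```python
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    number: int
    packets: int
    nbytes: int
    body: str


# Constructed sample modelled on `ipfw -a list` output (rule number, packet
# count, byte count, rule body); not captured from the reporter's machine.
SAMPLE_IPFW_OUTPUT = """\
00050   98213  61234567 divert 8668 ip from any to any via em0
00100      12       840 allow ip from any to any via lo0
65000      37      2961 allow ip from any to any
65535       0         0 deny ip from any to any
"""

_COUNTER_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")


def parse_ipfw_counters(text: str) -> List[Rule]:
    """Parse `ipfw -a list` lines; lines that carry no counters are skipped."""
    rules = []
    for line in text.splitlines():
        m = _COUNTER_LINE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(byts), body.strip()))
    return rules


def divert_summary(rules: List[Rule]) -> List[Tuple[int, int, int]]:
    """(rule number, packets diverted, packets counted by every later rule)
    for each divert rule.  A packet natd reinjects re-enters ipfw at the rule
    after the divert rule, so the later rules should see it a second time."""
    summary = []
    for i, rule in enumerate(rules):
        if rule.body.startswith("divert "):
            later = sum(r.packets for r in rules[i + 1:])
            summary.append((rule.number, rule.packets, later))
    return summary


def suspect_reinjection(rules: List[Rule], min_ratio: int = 100) -> List[int]:
    """Divert rules whose diverted packets almost never show up further down
    the ruleset: a huge counter on the divert rule next to almost nothing on
    the rules after it.  `min_ratio` is an arbitrary threshold for this example."""
    return [num for num, diverted, later in divert_summary(rules)
            if diverted >= min_ratio * max(later, 1)]
```

Run it on `ipfw -a list` output taken before and after a short burst of traffic, so that the counters reflect the current boot rather than stale history.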