From owner-freebsd-current@FreeBSD.ORG Sat Dec 26 22:16:23 2009
Date: Sat, 26 Dec 2009 23:24:04 +0100
From: Luigi Rizzo
To: Joe Marcus Clarke
Cc: luigi@freebsd.org, FreeBSD Current
Subject: Re: NAT broken in -CURRENT
Message-ID: <20091226222404.GA11164@onelab2.iet.unipi.it>
References: <1261859138.1555.26.camel@shumai.marcuscom.com> <20091226212104.GA10498@onelab2.iet.unipi.it>
User-Agent: Mutt/1.4.2.3i
List-Id: Discussions about the use of FreeBSD-current

On Sat, Dec 26, 2009 at 05:06:48PM -0500, Joe Marcus Clarke wrote:
>
>
> PGP Key : http://www.marcuscom.com/pgp.asc
>
> On Sat, 26 Dec 2009, Luigi Rizzo wrote:
>
> >On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> >...
> >>I updated my -CURRENT box yesterday. After a reboot, NAT no longer
> >>works. That is, if I have natd running with ipfw diverting packets to
> >>it, the box is a big black hole. No packets leave. I do see all
> >...
> >>I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
> >>the problem. Thinking that perhaps the new modularity is causing this
> >>problem, I also added the following two options to my kernel:
> >>
> >>options IPFIREWALL_NAT
> >>options LIBALIAS
> >>
> >>They did not help. I have not tried using a purely modular ipfw/NAT
> >>combination, but I will attempt that later today. I didn't see anything
> >>obvious in UPDATING. Any suggestions, or any recommendations for
> >>specific troubleshooting data to capture? Thanks.
> >
> >the changes were not expected to affect configuration or operation
> >so clearly I must have broken something in the reinjection process.
> >If you have a chance of looking at the ipfw counters (to see whether
> >packets are reinjected and where they end up) that would be helpful.
> >I'll try to run some tests here tomorrow or more likely on Monday.
>
> The packets appear to be looping to the divert socket. The ipfw counters
> show the divert rule is growing exponentially whereas the other rules
> have virtually no packet matches. This is just after a few seconds of
> uptime:

ok then try this change in netinet/ipfw/ip_fw2.c near line 1176

IPFW_RUNLOCK(chain);
return (IP_FW_DENY); /* invalid */
}
- f_pos = ipfw_find_rule(chain, skipto, 0);
+ f_pos = ipfw_find_rule(chain, skipto+1, 0);
}
}

Let me know if it works so I can commit it.

cheers
luigi
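Review bot: the `skipto+1` in the changed `ipfw_find_rule(chain, skipto+1, 0)` call needs a one-line comment saying why the search must start past `skipto`, since the hunk gives no hint that `skipto` here is the number of the rule that diverted the packet and that resuming at that same number re-matches the divert rule, which is exactly the exponentially growing divert counter reported above. Two things are worth confirming before commit: that this branch is reached only for reinjected packets and not for a skipto action proper, where starting at `skipto+1` would skip the target rule itself; and that `ipfw_find_rule` behaves sensibly when `skipto+1` is past the last numbered rule (e.g. a divert placed at the highest rule number), so the packet falls through to the default rule rather than into an out-of-range position.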
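A toy model of the loop Joe describes and of the effect of the `+1`, added here as an illustration and not FreeBSD code. The rule chain, the `find_rule` semantics (position of the first rule whose number is >= the argument, else the default rule) and the hop budget are assumptions made for the example.

```c
/* Toy model of ipfw resuming a rule search after a divert (added example,
 * not FreeBSD code). Chain contents and find_rule semantics are assumptions. */
#include <stddef.h>
#include <stdio.h>

enum action { ACT_ALLOW, ACT_DIVERT, ACT_DENY };

struct rule {
    unsigned short rulenum;
    enum action act;
};

/* Constructed chain: 100 divert natd, 200 allow ip from any to any,
 * 65535 deny ip from any to any (the default rule). */
static const struct rule chain[] = {
    {100, ACT_DIVERT}, {200, ACT_ALLOW}, {65535, ACT_DENY},
};
#define NRULES (sizeof(chain) / sizeof(chain[0]))

/* Assumed semantics: index of the first rule whose number is >= rulenum;
 * if no such rule exists, the default rule (last in the chain). */
size_t find_rule(unsigned rulenum) {
    size_t i;
    for (i = 0; i < NRULES; i++)
        if (chain[i].rulenum >= rulenum)
            return i;
    return NRULES - 1;
}

/* Push one packet through the chain. A divert "reinjects" the packet, which
 * then resumes the search at the diverting rule's number (fixed == 0) or at
 * that number + 1 (fixed == 1). Returns the number of divert hits before a
 * terminal allow/deny, or -1 if the hop budget runs out (the packet loops). */
int run_packet(int fixed, int max_hops) {
    int diverts = 0;
    size_t pos = 0;
    while (max_hops-- > 0) {
        const struct rule *r = &chain[pos];
        if (r->act != ACT_DIVERT)
            return diverts;             /* allow or deny: search ends */
        diverts++;
        unsigned skipto = r->rulenum;   /* cookie carried by the reinjected packet */
        pos = find_rule(fixed ? skipto + 1 : skipto);
    }
    return -1;                          /* never reached a terminal rule */
}

int main(void) {
    printf("unfixed: %d (-1 means loop)\n", run_packet(0, 16));
    printf("fixed:   %d divert hit(s)\n", run_packet(1, 16));
    return 0;
}
```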