Date: Sun, 23 Nov 2008 16:35:15 GMT
From: Eugen Konkov <kes-kes@yandex.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/129093: ipfw nat must not drop packets
Message-ID: <200811231635.mANGZFZV090019@www.freebsd.org>
Resent-Message-ID: <200811231640.mANGe6eO044677@freefall.freebsd.org>
>Number:         129093
>Category:       kern
>Synopsis:       ipfw nat must not drop packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 16:40:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugen Konkov
>Release:        7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
home# uname -a
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008     kes@home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7  i386
>Description:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            195.5.5.209        UGS         0     3124    ng0
    ...

When I ping the world from the LAN all is good, but when I ping the world from the router I get the following picture:

    Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
    Nov 23 18:09:53 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
    Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
    Nov 23 18:09:53 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
    Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
    Nov 23 18:09:54 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
    Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
    Nov 23 18:09:54 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0

It seems the packet is dropped by NAT, because there is no info about the outgoing packet, and when the incoming packet falls into NAT it is dropped =(
>How-To-Repeat:
    ipfw nat 1 config if ng0 log
    01 count log icmp from any to any via ng0
    02 nat 1 log ip from 192.168.0.0/16 to any out xmit ng0   #put only packets from LAN
    03 nat 1 log ip from any to any in recv ng0
    05 count log icmp from any to any via ng0
    06 allow ip from any to any
>Fix:
So I need to put packets into NAT even for locally generated packets.

Work around:

    ipfw nat 1 config if ng0 log
    00001 count log icmp from any to any via ng0
    00002 nat 1 log ip from any to any out xmit ng0   #put to nat packets from me too
    00003 nat 1 log ip from any to any in recv ng0
    00005 count log icmp from any to any via ng0
    00006 allow all from any to any

HOW TO FIX: Leave the packet untouched when NAT does not know how to deal with it.
>Release-Note:
>Audit-Trail:
>Unformatted:
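The following is an added, constructed model of the two rule sets in this report, not FreeBSD or ipfw code: it walks the rules for an echo request leaving via ng0 and its reply coming back, keeping NAT state as a dict of outbound flows, and assumes (as the report describes for 7.1-PRERELEASE) that an inbound packet reaching the nat rule with no matching flow is dropped. The LAN address 192.168.1.10 and ICMP id 42 are made-up sample values; the router and gateway addresses are taken from the report's log lines.

```python
# Constructed model of the PR's rule sets (not FreeBSD code). An inbound packet
# reaching a nat rule with no recorded outbound flow is dropped, as reported.
import ipaddress

ALIAS = "91.124.239.145"  # router's ng0 address, from the PR's log lines
GATEWAY = "195.5.5.209"   # ping target, from the PR's routing table

def rules(out_src):
    # (number, action, proto, src, dst, direction); the PR's two rule sets
    # differ only in the source of the outbound nat rule.
    return [(1, "count", "icmp", "any", "any", "via"),
            (2, "nat", "ip", out_src, "any", "out"),
            (3, "nat", "ip", "any", "any", "in"),
            (5, "count", "icmp", "any", "any", "via"),
            (6, "allow", "ip", "any", "any", "via")]

BUGGY = rules("192.168.0.0/16")  # How-To-Repeat: LAN sources only
WORKAROUND = rules("any")        # Fix: locally generated packets too

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    _, _, proto, src, dst, direction = rule
    return (proto in ("ip", pkt["proto"]) and in_net(pkt["src"], src)
            and in_net(pkt["dst"], dst) and direction in ("via", pkt["dir"]))

def process(ruleset, nat, pkt):
    """Walk the rules; return (verdict, list of rule numbers that matched)."""
    hits = []
    for rule in ruleset:
        if not matches(rule, pkt):
            continue
        hits.append(rule[0])
        if rule[1] == "allow":
            return "allow", hits
        if rule[1] == "nat" and pkt["dir"] == "out":  # record flow, alias src
            nat[(pkt["proto"], pkt["dst"], pkt["id"])] = pkt["src"]
            pkt["src"] = ALIAS
        elif rule[1] == "nat":                         # reverse lookup
            orig = nat.get((pkt["proto"], pkt["src"], pkt["id"]))
            if orig is None:
                return "deny", hits   # no NAT entry: ipfw nat drops the packet
            pkt["dst"] = orig
    return "deny", hits   # ipfw's default rule, not reached by these sets

def ping(ruleset, src):
    """Echo request from src to GATEWAY out via ng0, then the reply coming in."""
    nat = {}
    req = {"proto": "icmp", "src": src, "dst": GATEWAY, "id": 42, "dir": "out"}
    rep = {"proto": "icmp", "src": GATEWAY, "dst": ALIAS, "id": 42, "dir": "in"}
    return {"request": process(ruleset, nat, req), "reply": process(ruleset, nat, rep)}
```

With BUGGY, a router-originated ping matches rules 1, 5, 6 on the way out and dies at rule 3 on the way in, which is exactly the 1/5 then 1/3 sequence in the report's log; with WORKAROUND the reply reaches rule 6.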