From owner-freebsd-bugs@FreeBSD.ORG Sun Nov 23 16:40:06 2008
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Sun, 23 Nov 2008 16:40:06 GMT
Resent-Message-Id: <200811231640.mANGe6eO044677@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Eugen Konkov
Message-Id: <200811231635.mANGZFZV090019@www.freebsd.org>
Date: Sun, 23 Nov 2008 16:35:15 GMT
From: Eugen Konkov
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/129093: ipfw nat must not drop packets
List-Id: Bug reports

>Number:         129093
>Category:       kern
>Synopsis:       ipfw nat must not drop packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 16:40:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugen Konkov
>Release:        7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
home# uname -a
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008 kes@home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7 i386
>Description:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            195.5.5.209        UGS         0     3124    ng0
...

When I ping the world from the LAN all is good, but when I ping the world from the router I get the following picture:

Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:53 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0

It seems the packet is dropped by NAT.
Because there is no info about the outgoing packet, and when the incoming packet falls into NAT it is dropped =(
>How-To-Repeat:
ipfw nat 1 config if ng0 log
01 count log icmp from any to any via ng0
02 nat 1 log ip from 192.168.0.0/16 to any out xmit ng0   # put only packets from LAN
03 nat 1 log ip from any to any in recv ng0
05 count log icmp from any to any via ng0
06 allow ip from any to any
>Fix:
So I need to put packets to NAT even for locally generated packets.

Workaround:
ipfw nat 1 config if ng0 log
00001 count log icmp from any to any via ng0
00002 nat 1 log ip from any to any out xmit ng0   # put to nat packets from me too
00003 nat 1 log ip from any to any in recv ng0
00005 count log icmp from any to any via ng0
00006 allow all from any to any

HOW TO FIX: Leave the packet untouched when NAT does not know how to deal with it.
>Release-Note:
>Audit-Trail:
>Unformatted:
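The mechanics behind the report, as an added model that is not part of the PR and not ipfw's or libalias's code: a toy NAT instance that creates a link on outbound packets and looks it up on inbound ones, walked through the three rulesets the PR discusses (rule 02 restricted to 192.168.0.0/16, the work-around with `any` as source, and the proposed behaviour of leaving unmatched inbound packets untouched). The addresses are the ones that appear in the report's log lines; the ICMP identifier, the link keying and the `pass_unmatched` switch are simplifying assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/16")   # source network in rule 02 of the PR
WAN_ADDR = "91.124.239.145"                     # router's ng0 address seen in the log lines
WORLD = "195.5.5.209"                           # default gateway / ping target in the log


@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: int      # 8 = echo request, 0 = echo reply
    ident: int          # ICMP echo identifier (assumed key for ICMP state)
    direction: str      # "out" or "in"


class NatInstance:
    """Toy model of one `ipfw nat` instance (assumption: not libalias's real logic).

    Outbound packets create a link keyed by (peer, ident) that remembers the
    original source; inbound packets are translated back through that link.
    `pass_unmatched` selects what happens to an inbound packet with no link:
    False drops it (what the report observed), True leaves it untouched (what
    the report asks for under HOW TO FIX).
    """

    def __init__(self, alias_addr, pass_unmatched=False):
        self.alias_addr = alias_addr
        self.pass_unmatched = pass_unmatched
        self.links = {}

    def handle(self, pkt):
        if pkt.direction == "out":
            self.links[(pkt.dst, pkt.ident)] = pkt.src
            pkt.src = self.alias_addr
            return "ok"
        orig_src = self.links.get((pkt.src, pkt.ident))
        if orig_src is None:
            return "ok" if self.pass_unmatched else "drop"
        pkt.dst = orig_src
        return "ok"


# Match predicates for the two rule-02 variants and rule 03 from the PR.
def rule02_lan_only(pkt):       # nat 1 ip from 192.168.0.0/16 to any out xmit ng0
    return pkt.direction == "out" and ipaddress.ip_address(pkt.src) in LAN


def rule02_any(pkt):            # nat 1 ip from any to any out xmit ng0 (work-around)
    return pkt.direction == "out"


def rule03_in(pkt):             # nat 1 ip from any to any in recv ng0
    return pkt.direction == "in"


def run_ruleset(nat, out_rule, pkt):
    """Walk the rules in order: the first matching nat rule hands the packet to
    the instance; otherwise the final `allow ip from any to any` passes it."""
    for match in (out_rule, rule03_in):
        if match(pkt):
            return nat.handle(pkt)
    return "ok"


def ping(nat, out_rule, src):
    """Send one echo request from `src` to WORLD and feed the echo reply back in.
    Returns (verdict, destination the reply is delivered to, or None if dropped)."""
    req = Packet(src, WORLD, 8, 0x1234, "out")
    if run_ruleset(nat, out_rule, req) == "drop":
        return ("drop", None)
    # The remote host answers whatever source address was on the wire.
    reply = Packet(WORLD, req.src, 0, req.ident, "in")
    if run_ruleset(nat, out_rule, reply) == "drop":
        return ("drop", None)
    return ("ok", reply.dst)


if __name__ == "__main__":
    print(ping(NatInstance(WAN_ADDR), rule02_lan_only, "192.168.1.10"))   # LAN host: ok
    print(ping(NatInstance(WAN_ADDR), rule02_lan_only, WAN_ADDR))         # router itself: drop
    print(ping(NatInstance(WAN_ADDR), rule02_any, WAN_ADDR))              # work-around: ok
    print(ping(NatInstance(WAN_ADDR, pass_unmatched=True), rule02_lan_only, WAN_ADDR))
```

The second call reproduces the log: the router's own echo request never matches rule 02, so no link is created, and the echo reply then reaches rule 03 with nothing to translate it against. The work-around in the third call fixes it by making every outbound packet create a link; the fourth call shows the alternative the PR proposes, where the instance simply passes an inbound packet it has no link for.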