From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 11:14:16 2011
Message-ID: <4E8D8D87.2060900@pcbtech.ru>
Date: Thu, 06 Oct 2011 15:14:15 +0400
From: Oleg Strizhak
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@FreeBSD.org, "Alexander V. Chernikov"
Subject: Re: ipfw nat drops icmp packets from localhost [patch attached]
In-Reply-To: <4E8D7728.6050608@FreeBSD.org>
References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org>

Hello, Andrey V. Elsukov!

You wrote on 06.10.2011 13:38:
> On 06.10.2011 12:29, Oleg Strizhak wrote:
>> After an investigation I've found out a very strange situation - it seems to me that ipfw nat drops
>> some (type 11?) icmp reply packets whose udp request packets it hasn't rewritten/seen before, e.g.:
>>
>> So, I wonder whether someone else has seen the same case under similar circumstances? Isn't it a
>> bug within the ipfw nat module, and is there any work-around/patch for that? I've surely googled, but in
>> vain =( The only thing that seems alike to my problem is
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for the 8 branch didn't cure anything =(
>
> Can you describe how you applied and tested this patch?
I beg your pardon: in my previous reply I forgot to attach my patch. Here it is.

WBR, Oleg

[attachment: ip_fw_nat.patch.my]

--- ip_fw_nat.c.orig 2010-12-21 20:09:25.000000000 +0300 +++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400 @@ -263,17 +263,27 @@ else retval = LibAliasOut(t->lib, c, mcl->m_len + M_TRAILINGSPACE(mcl)); - if (retval == PKT_ALIAS_RESPOND) { - m->m_flags |= M_SKIP_FIREWALL; - retval = PKT_ALIAS_OK; - } - if (retval != PKT_ALIAS_OK && - retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) { + + /* + * We drop packet when: + * 1. libalias returns PKT_ALIAS_ERROR; + * 2. For incoming packets: + * a) for unresolved fragments; + * b) libalias returns PKT_ALIAS_IGNORED and + * PKT_ALIAS_DENY_INCOMING flag is set. + */ + if (retval == PKT_ALIAS_ERROR || + (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || + (retval == PKT_ALIAS_IGNORED && + (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) { /* XXX - should i add some logging? */ m_free(mcl); args->m = NULL; return (IP_FW_DENY); } + + if (retval == PKT_ALIAS_RESPOND) + m->m_flags |= M_SKIP_FIREWALL; mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); /*
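Review bot: the moved `if (retval == PKT_ALIAS_RESPOND)` still sets `M_SKIP_FIREWALL` on `m->m_flags`, while every other statement in this hunk operates on `mcl` (`LibAliasOut(t->lib, c, mcl->m_len + M_TRAILINGSPACE(mcl))`, `m_free(mcl)`, `mcl->m_pkthdr.len = mcl->m_len = ...`); if `mcl` is not the same mbuf as `m` at this point, the skip flag lands on the wrong packet. That is inherited from the removed block, but since the line is being relocated anyway, consider making it `mcl->m_flags |= M_SKIP_FIREWALL;`. Also, the new comment says unresolved fragments are dropped "For incoming packets", and the condition indeed only denies `PKT_ALIAS_UNRESOLVED_FRAGMENT` when `args->oif == NULL`; an outbound packet for which libalias returns that code (or `PKT_ALIAS_IGNORED`) now continues to the length fix-up and is passed on where the old `retval != PKT_ALIAS_OK && retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT` check denied it. Please state in the comment why passing outbound unresolved fragments is intended, or drop them in both directions.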