From: Pawel Malachowski
To: freebsd-net@freebsd.org
Date: Fri, 6 Aug 2004 00:54:08 +0200
Subject: ipfilter/ipnat 3.4.35 and udp-traceroute problem
Message-ID: <20040805225408.GA70729@shellma.zin.lublin.pl>

Hello,

Can anybody here confirm that the newest 3.4.35 IPFilter in RELENG_4 works
with no problems when IPNATing traceroute UDP (+ICMP response) packets?

I can see weird behavior of this command:

  traceroute -s privateIP -P UDP dst

Outgoing UDP packets are translated, ICMP time-exceeded message comes back,
but traceroute shows '* * *'. ;)

Commands:

  traceroute -s privateIP -P ICMP dst

and

  traceroute -s privateIP -P TCP dst

are working OK. UDP protocol is _not_ filtered.
Also `traceroute -s publicIP -P UDP dst' works just fine.

State table was flushed and has a low number of mappings:

  mapped    in 167718594    out 162841788
  added     4480473         expired 4466531
  no memory 0               bad nat 375052   <- hm
  inuse     2259                             <=
  rules     38
  wilds     0

Mapping rules (for this uplink and this privateIP) are quite common:

  map rl0 privateIP/20 -> publicIP/32 proxy port ftp ftp/tcp
  map rl0 privateIP/20 -> publicIP/32 portmap tcp/udp auto
  map rl0 privateIP/20 -> publicIP/32

(/20 is big, but the network is smaller, don't be scared). This ruleset was
used for months with no problems. Kernel is almost GENERIC.

Another interesting thing:

  % ipf -V
  ipf: IP Filter: v3.4.31 (336)   <=
  Kernel: IP Filter: v3.4.35
  [...]
  % grep -i ver /usr/src/contrib/ipfilter/ipl.h
  #define IPL_VERSION "IP Filter: v3.4.31"

Newer ipl.h sits happily in vendor branch.

-- 
Paweł Małachowski
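The translation step the symptom above hinges on, shown as an added example that is not from the original post or from IPFilter: a toy NAT in Python rewrites an outgoing UDP traceroute probe, then undoes the mapping on the returning ICMP time-exceeded by keying on the quoted inner header rather than the outer one. Addresses, ports and the router hop are constructed placeholders; simulate(False) reproduces the '* * *' outcome where the ICMP error reaches the inside host untranslated, and a quoted header with no matching mapping yields None.

```python
import socket, struct
# Constructed sample addresses; the post only calls them privateIP, publicIP and dst.
PRIVATE_IP, PUBLIC_IP, DST_IP = "10.0.0.5", "198.51.100.1", "203.0.113.9"
IPPROTO_ICMP, IPPROTO_UDP = 1, 17

def ip_hdr(src, dst, proto, plen, ttl=64):
    # Minimal 20-byte IPv4 header; checksums stay zero because nothing here touches the wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(src, sport, dport, ttl):
    # One 'traceroute -P UDP' probe: an 8-byte UDP datagram sent with a deliberately low TTL.
    return ip_hdr(src, DST_IP, IPPROTO_UDP, 8, ttl) + struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_time_exceeded(router_ip, expired):
    # The router quotes the expired probe's IP header plus its first 8 bytes (the UDP header).
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + expired[:28]
    return ip_hdr(router_ip, socket.inet_ntoa(expired[12:16]), IPPROTO_ICMP, len(icmp)) + icmp

def nat_out(pkt, table):
    # 'map ... portmap tcp/udp auto' on the way out: new source IP and port, remembered in the table.
    sport = struct.unpack("!H", pkt[20:22])[0]
    ext_port = 40000 + len(table)
    table[(PUBLIC_IP, ext_port)] = (socket.inet_ntoa(pkt[12:16]), sport)
    return pkt[:12] + socket.inet_aton(PUBLIC_IP) + pkt[16:20] + struct.pack("!H", ext_port) + pkt[22:]

def nat_in_icmp(pkt, table):
    # Reverse path for an ICMP error: the mapping key lives in the *quoted* header, not the outer one.
    quoted = pkt[28:]  # 20 bytes outer IP + 8 bytes ICMP, then the quoted IP/UDP headers
    key = (socket.inet_ntoa(quoted[12:16]), struct.unpack("!H", quoted[20:22])[0])
    if key not in table:
        return None  # no mapping to undo: the NAT cannot deliver this error to any inside host
    priv_ip, priv_port = table[key]
    quoted = quoted[:12] + socket.inet_aton(priv_ip) + quoted[16:20] + struct.pack("!H", priv_port) + quoted[22:]
    return pkt[:16] + socket.inet_aton(priv_ip) + pkt[20:28] + quoted

def traceroute_sees_reply(pkt, probe_port):
    # Host-side matching: an ICMP error counts as a hop reply only if it quotes our own probe.
    quoted = pkt[28:]
    return (socket.inet_ntoa(pkt[16:20]) == PRIVATE_IP == socket.inet_ntoa(quoted[12:16])
            and struct.unpack("!H", quoted[20:22])[0] == probe_port)

def simulate(translate_icmp):
    # True when traceroute gets a hop reply; False is the '* * *' seen in the post.
    table = {}
    on_wire = nat_out(udp_probe(PRIVATE_IP, 33434, 33435, ttl=1), table)
    reply = icmp_time_exceeded("192.0.2.1", on_wire)
    if translate_icmp:
        reply = nat_in_icmp(reply, table)
    return reply is not None and traceroute_sees_reply(reply, 33434)
```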