Date: Sun, 27 Dec 2009 14:47:32 -0500
From: Joe Marcus Clarke <marcus@FreeBSD.org>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: luigi@FreeBSD.org, FreeBSD Current <freebsd-current@FreeBSD.org>
Subject: Re: NAT broken in -CURRENT
Message-ID: <1261943252.1842.5.camel@shumai.marcuscom.com>
In-Reply-To: <20091226222404.GA11164@onelab2.iet.unipi.it>
References: <1261859138.1555.26.camel@shumai.marcuscom.com> <20091226212104.GA10498@onelab2.iet.unipi.it> <alpine.BSF.2.00.0912261705180.87011@creme-brulee.marcuscom.com> <20091226222404.GA11164@onelab2.iet.unipi.it>
On Sat, 2009-12-26 at 23:24 +0100, Luigi Rizzo wrote:
> On Sat, Dec 26, 2009 at 05:06:48PM -0500, Joe Marcus Clarke wrote:
> >
> >
> > PGP Key : http://www.marcuscom.com/pgp.asc
> >
> > On Sat, 26 Dec 2009, Luigi Rizzo wrote:
> >
> > >On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> > >...
> > >>I updated my -CURRENT box yesterday. After a reboot, NAT no longer
> > >>works. That is, if I have natd running with ipfw diverting packets to
> > >>it, the box is a big black hole. No packets leave. I do see all
> > >...
> > >>I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
> > >>the problem. Thinking that perhaps the new modularity is causing this
> > >>problem, I also added the following two options to my kernel:
> > >>
> > >>options IPFIREWALL_NAT
> > >>options LIBALIAS
> > >>
> > >>They did not help. I have not tried using a purely modular ipfw/NAT
> > >>combination, but I will attempt that later today. I didn't see anything
> > >>obvious in UPDATING. Any suggestions, or any recommendations for
> > >>specific troubleshooting data to capture? Thanks.
> > >
> > >the changes were not expected to affect configuration or operation
> > >so clearly i must have broken something in the reinjection process.
> > >If you have a chance of looking at the ipfw counters (to see whether
> > >packets are reinjected and where they end up) that would be helpful.
> > >I'll try to run some tests here tomorrow or more likely on Monday.
> >
> > The packets appear to be looping to the divert socket. The ipfw counters
> > show the divert rule is growing exponentially whereas the other rules
> > have virtually no packet matches. This is just after a few seconds of
> > uptime:
>
> ok then try this change in netinet/ipfw/ip_fw2.c near line 1176
>
> IPFW_RUNLOCK(chain);
> return (IP_FW_DENY); /* invalid */
> }
> - f_pos = ipfw_find_rule(chain, skipto, 0);
> + f_pos = ipfw_find_rule(chain, skipto+1, 0);
> }
> }
>
> Let me know if it works so i can commit it.

I was just able to test this, and it works. I see you committed it
already. Thanks for your quick response.

Joe

--
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
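Review bot: the one-line change `f_pos = ipfw_find_rule(chain, skipto+1, 0);` carries no comment saying why the lookup has to start one past `skipto`; the reason lives only in the surrounding mail (a packet reinjected after a divert is tagged with the diverting rule's number, and resuming the lookup at that very number matches the same divert rule again, which is the divert counter growing while every other rule stays idle), so record that rationale in a comment beside the call. It would also help to state whether resuming at `skipto+1` is meant to skip any further rules that share the diverting rule's number, since the third argument passed stays 0 rather than a specific rule id. Finally, the hunk is posted without an `@@` header, only "near line 1176", so anyone applying it by hand must find the block from the `IPFW_RUNLOCK(chain); return (IP_FW_DENY);` context above it.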
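The loop Joe describes, as an added example that is not part of this thread and not code from FreeBSD's ip_fw2.c: a stand-alone C model of how a reinjected packet resumes rule processing. It assumes a constructed four-rule chain, a model `find_rule()` standing in for `ipfw_find_rule()`, and a `run_packet()` walker that follows every divert with a reinjection; the rule numbers, actions, the sample packet's match pattern and the function names are all assumptions made for the example. Resuming at the diverting rule's own number re-enters the divert rule on every pass, while resuming one past it continues at the next rule.

```c
#include <stdio.h>
#include <stddef.h>

enum action { A_ALLOW, A_DENY, A_DIVERT };

/* A rule in the model chain; 'matches' says whether the sample packet hits it. */
struct rule {
    int rulenum;
    enum action act;
    int matches;
};

/* Constructed chain, sorted by rule number as an ipfw chain is. */
static const struct rule chain[] = {
    {   100, A_ALLOW,  0 },   /* e.g. "allow ip from any to any via lo0": not our packet */
    {   200, A_DIVERT, 1 },   /* e.g. "divert natd ip from any to any via em0" */
    {   300, A_ALLOW,  1 },   /* e.g. "allow ip from any to any" */
    { 65535, A_DENY,   1 },   /* default rule */
};
#define NRULES (sizeof(chain) / sizeof(chain[0]))

/*
 * Model of ipfw_find_rule(chain, num, 0): binary search for the slot of the
 * first rule whose number is >= num. Returns NRULES if there is none.
 */
int find_rule(int num)
{
    size_t lo = 0, hi = NRULES;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (chain[mid].rulenum < num)
            lo = mid + 1;
        else
            hi = mid;
    }
    return (int)lo;
}

struct result {
    int divert_count;   /* times the packet was handed to the divert socket */
    enum action final;  /* A_ALLOW/A_DENY when the walk ended; A_DIVERT if it never did */
};

/*
 * Push one packet through the chain, reinjecting it after every divert.
 * resume_after == 0: the reinjected packet resumes at find_rule(skipto),
 *                    the lookup Joe's box was running.
 * resume_after == 1: the reinjected packet resumes at find_rule(skipto + 1),
 *                    the one-line change posted in the thread.
 * max_diverts bounds the walk so the looping case returns in the model.
 */
struct result run_packet(int resume_after, int max_diverts)
{
    struct result r = { 0, A_DIVERT };
    int f_pos = 0;   /* fresh packet: start at the first slot */

    while (f_pos < (int)NRULES) {
        const struct rule *f = &chain[f_pos];
        if (!f->matches) {
            f_pos++;
            continue;
        }
        if (f->act == A_DIVERT) {
            if (++r.divert_count > max_diverts)
                return r;   /* the model's stand-in for "the box is a big black hole" */
            /* natd hands the packet back tagged with the diverting rule's number */
            int skipto = f->rulenum;
            f_pos = find_rule(resume_after ? skipto + 1 : skipto);
            continue;
        }
        r.final = f->act;   /* terminal allow or deny */
        return r;
    }
    return r;
}

int main(void)
{
    struct result before = run_packet(0, 10);
    struct result after = run_packet(1, 10);
    printf("resume at skipto:   diverted %d times, %s\n", before.divert_count,
           before.final == A_DIVERT ? "never left the chain" : "left the chain");
    printf("resume at skipto+1: diverted %d times, final action %s\n", after.divert_count,
           after.final == A_ALLOW ? "allow" : "deny");
    return 0;
}
```

The model keeps only what matters for the symptom: a sorted chain, a lowest-number-not-below lookup, and a reinjection that resumes from the tag. The `max_diverts` cap is what lets the broken variant return at all; on the real box there is no cap, which is why the divert counter kept climbing while nothing left the machine.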