Date: Wed, 26 Mar 2008 09:44:36 GMT
From: Mikhail Dyadchenko <m.dyadchenko@211.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/122109: ipfw nat traceroute problem
Message-ID: <200803260944.m2Q9iahr029153@www.freebsd.org>
Resent-Message-ID: <200803260950.m2Q9o1kj073298@freefall.freebsd.org>

>Number:         122109
>Category:       kern
>Synopsis:       ipfw nat traceroute problem
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 26 09:50:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mikhail Dyadchenko
>Release:        7.0-STABLE
>Organization:
SibSet LTD
>Environment:
FreeBSD lo0.ru 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat Mar 22 12:14:16 NOVT 2008 root@lo0.ru:/usr/obj/usr/src/sys/lo0 amd64
>Description:
Problem in NAT'ing traceroute icmp answers.

traceroute to ya.ru (213.180.204.8), 64 hops max, 52 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * ^C

Tcpdump on interface shows icmp packets to from all hops on trace.

Then I put a rule to skipto icmp traffic over nat rules - I got answers.
So probably packets drop in kernel libalias or in ipfw nat.

net.inet.ip.fw.one_pass: 0

Problem detected after migration from natd + divert.
Traceroute from internal network works fine.
Kernel compiled after csup src-all
>How-To-Repeat:
nve0 - external interface

ipfw output

ipfw nat 400 config ip xxx.xxx.xxx.xxx same_ports

09500        64         3971 skipto 65000 icmp from any to any
10000  20464225  25206636648 nat 400 ip from 10.1.255.0/28 to any via nve0
10100  13407049   3332989310 nat 400 ip from any to xxx.xxx.xxx.xxx via nve0
10200        30         1200 deny ip from not xxx.xxx.xxx.xxx to any out xmit nve0
65000 181231789 158968737448 allow ip from any to any

Then I remove 09500 rule - icmp packets die on nat rule
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: