From owner-freebsd-net@FreeBSD.ORG Wed Oct 29 14:53:57 2014
From: "bycn82"
To: "'Raimundo Santos'" ,
Subject: RE: ipfw fwd duplicating packets in 9.3-RELEASE
Date: Wed, 29 Oct 2014 22:53:54 +0800
Message-ID: <009c01cff388$29fe7ec0$7dfb7c40$@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I cannot help pointing out that when the ICMP packet was duplicated and transferred via 2 different links, if it happened on my machine I would call this feature "multi-homing".

But what I want to say is about this firewall rule:

    fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 out xmit em1

You can remove the "out" because "xmit" will check the "out interface".

Regards,
Bycn82

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Raimundo Santos
Sent: Tuesday, 28 October, 2014 3:32 PM
To: freebsd-net@freebsd.org
Subject: ipfw fwd duplicating packets in 9.3-RELEASE

Hello list!

I was testing the behaviour of fwd in ipfw from FreeBSD 9.3-RELEASE, latest updates, GENERIC kernel, in this setup:

1x FreeBSD 9.3 as router, with 3 network interfaces
5x OpenBSD 5.5 as network machines, each one connected to FreeBSD via one port.

It is a virtual env.

FreeBSD em0 (192.168.0.1) -> OpenBSD#1 em0 (192.168.0.2)
FreeBSD em1 (192.168.1.1) -> OpenBSD#2 em0 (192.168.1.2)
FreeBSD em2 (192.168.2.1) -> OpenBSD#3 em0 (192.168.2.2)
FreeBSD em3 (192.168.3.1) -> OpenBSD#4 em0 (192.168.3.2)
FreeBSD em4 (192.168.4.1) -> OpenBSD#5 em1 (192.168.4.2)

ipfw rule:

    fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 in recv em4

Then a ping 192.168.1.2 was issued from OpenBSD#5. Interestingly, this rule put a packet on em0 and em1 in FreeBSD. The packet successfully arrived at OpenBSD#1, where it was discarded, and at OpenBSD#2, where it got its reply.
Only these combinations of interface direction do not duplicate the packet:

out xmit
    fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 out xmit em1
and
    fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 out via em1

Even "out recv em4 xmit em1" leads to packet duplication.

I think that it is a bad thing for PBR. As I can see from these tests, I can not use all the options to do PBR.

In my real needs I have to:

1. let web traffic flow to a cache appliance (from internal network to cache, from internet to cache)
2. do NAT for the internal network under three different links

In theory, fwd + in-kernel NAT + one_pass=0 could solve the problem. But I have been hitting my head against the wall for almost three weeks on this; only now have I had the time to test it in a clearer way. First I blamed the NAT, after that the one_pass=0, and now, with these results, well...

Does someone have an explanation for it? Something related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=129036?

For my real needs, I figured out that it works with

    <...before NAT aliasing...>
    fwd CACHE_IP proto tcp src-ip table(INT) dst-port 80 out recv INT_IFACE
    <...after NAT dealiasing...>
    fwd CACHE_IP proto tcp dst-ip table(INT) src-port 80 out recv EXT_IFACE

But I am not confident that it will remain in good shape without knowing exactly why fwd behaves that way.

Thank you in advance for your time,
Raimundo Santos
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
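Added diagnostic, not part of either message above: the quickest way to confirm the duplication Raimundo describes, for any fwd rule variant, is to capture ICMP on each router interface (one `tcpdump -l -n -i <iface> icmp` per interface) and check whether the same echo request (same source, destination, ICMP id and seq) leaves on more than one interface. The script below does that over constructed sample captures. The interface names and addresses come from the thread; the timestamps and the ICMP id/seq values are made up, and the line layout is assumed to be tcpdump's default `-n` output for ICMP echo.

```python
import re
from collections import defaultdict

# Constructed sample captures, one per router interface, in the layout of
#   tcpdump -l -n -i <iface> icmp
# Timestamps and the ICMP id/seq values are invented for illustration.
# The scenario is the one from the thread: a ping from 192.168.4.2 (em4)
# to 192.168.1.2 is forwarded out on BOTH em0 and em1; only em1 replies.
SAMPLE_CAPTURES = {
    "em4": """\
07:53:55.100001 IP 192.168.4.2 > 192.168.1.2: ICMP echo request, id 4660, seq 0, length 64
07:53:55.100900 IP 192.168.1.2 > 192.168.4.2: ICMP echo reply, id 4660, seq 0, length 64
07:53:56.100003 IP 192.168.4.2 > 192.168.1.2: ICMP echo request, id 4660, seq 1, length 64
07:53:56.100910 IP 192.168.1.2 > 192.168.4.2: ICMP echo reply, id 4660, seq 1, length 64
""",
    "em0": """\
07:53:55.100120 IP 192.168.4.2 > 192.168.1.2: ICMP echo request, id 4660, seq 0, length 64
07:53:56.100130 IP 192.168.4.2 > 192.168.1.2: ICMP echo request, id 4660, seq 1, length 64
""",
    "em1": """\
07:53:55.100121 IP 192.168.4.2 > 192.168.1.2: ICMP echo request, id 4660, seq 0, length 64
07:53:55.100800 IP 192.168.1.2 > 192.168.4.2: ICMP echo reply, id 4660, seq 0, length 64
07:53:56.100131 IP 192.168.4.2 > 192.168.1.2: ICMP echo request, id 4660, seq 1, length 64
07:53:56.100800 IP 192.168.1.2 > 192.168.4.2: ICMP echo reply, id 4660, seq 1, length 64
""",
}

# Matches "<timestamp> IP <src> > <dst>: ICMP echo request|reply, id N, seq M, ..."
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+),"
)


def parse_capture(text):
    """Yield one (src, dst, kind, id, seq) tuple per ICMP echo line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))


def index_by_interface(captures):
    """Map each ICMP echo packet to the set of interfaces it was seen on."""
    seen = defaultdict(set)
    for iface, text in captures.items():
        for key in parse_capture(text):
            seen[key].add(iface)
    return seen


def audit_forwards(captures, ingress, expected_egress):
    """For every echo request that arrived on `ingress`, record where it left.

    egress      - interfaces other than `ingress` the same packet appeared on
    duplicated  - it left on more than one interface (the symptom in the thread)
    misrouted   - it never left on `expected_egress` at all
    """
    findings = {}
    for key, ifaces in index_by_interface(captures).items():
        if key[2] != "request" or ingress not in ifaces:
            continue
        egress = sorted(ifaces - {ingress})
        findings[key] = {
            "egress": egress,
            "duplicated": len(egress) > 1,
            "misrouted": expected_egress not in egress,
        }
    return findings


def summarize(findings):
    """Return one human-readable line per echo request, sorted by id/seq."""
    lines = []
    for (src, dst, _, icmp_id, seq), f in sorted(findings.items(), key=lambda kv: kv[0][3:5]):
        flags = [n for n in ("duplicated", "misrouted") if f[n]] or ["ok"]
        lines.append(f"{src} > {dst} id {icmp_id} seq {seq}: out on {','.join(f['egress'])} [{' '.join(flags)}]")
    return lines


if __name__ == "__main__":
    # The ping entered on em4 and, per the routing table, should leave only on em1.
    for line in summarize(audit_forwards(SAMPLE_CAPTURES, "em4", "em1")):
        print(line)
```

To use it against a real router, replace SAMPLE_CAPTURES with the contents of one capture file per interface and re-run after each rule variant (in recv, out xmit, out via); a rule that behaves is one where every request reports a single egress interface.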