From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 2 15:56:11 2011
Date: Sun, 2 Oct 2011 15:56:10 GMT
Message-Id: <201110021556.p92FuAph035475@freefall.freebsd.org>
To: alexey@kouznetsov.com, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/144269: [ipfw] problem with ipfw tables

Synopsis: [ipfw] problem with ipfw tables

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Sun Oct 2 15:53:59 UTC 2011
State-Changed-Why:
The submitter has reported that he could not reproduce the problem on 8.x

http://www.freebsd.org/cgi/query-pr.cgi?pr=144269

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 2 15:59:40 2011
Date: Sun, 2 Oct 2011 15:59:39 GMT
Message-Id: <201110021559.p92FxdfR035582@freefall.freebsd.org>
To: pawel@szember.net, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/127209: [ipfw] IPFW table become corrupted after many changes

Synopsis: [ipfw] IPFW table become corrupted after many changes

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Sun Oct 2 15:57:15 UTC 2011
State-Changed-Why:
Seems 8.x releases don't affected with this problem. I guess it is fixed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127209

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 2 16:01:12 2011
Date: Sun, 2 Oct 2011 16:01:11 GMT
Message-Id: <201110021601.p92G1BLA040110@freefall.freebsd.org>
To: versen@list.ru, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/143474: [ipfw] ipfw table contains the same address

Synopsis: [ipfw] ipfw table contains the same address

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Sun Oct 2 16:00:43 UTC 2011
State-Changed-Why:
Seems 8.x releases don't affected with this problem. I guess it is fixed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=143474

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 2 16:02:38 2011
Date: Sun, 2 Oct 2011 16:02:36 GMT
Message-Id: <201110021602.p92G2aDm043978@freefall.freebsd.org>
To: barry@unix.co.nz, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/91847: [ipfw] ipfw with vlanX as the device

Synopsis: [ipfw] ipfw with vlanX as the device

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Sun Oct 2 16:02:20 UTC 2011
State-Changed-Why:
Feedback timeout.

http://www.freebsd.org/cgi/query-pr.cgi?pr=91847

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 11:07:09 2011
Date: Mon, 3 Oct 2011 11:07:08 GMT
Message-Id: <201110031107.p93B78SN033798@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

40 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 08:45:33 2011
Message-ID: <4E8D6702.9070707@pcbtech.ru>
Date: Thu, 06 Oct 2011 12:29:54 +0400
From: Oleg Strizhak
To: freebsd-ipfw@FreeBSD.org
Subject: ipfw nat drops icmp packets from localhost

Dear All!

Would you mind enlightening me a little bit on the following:

when I ping or traceroute any external host (even default gateway) w/o ipfw -- it's OK;
when I ping -"- w/ ipfw -- it's OK
when I traceroute -"- it FAILS =( all hop are three stars in a row
when any LAN (192.168.0.x) host ping or traceroute any ext host (by ipfw nat) -- it's OK

> # uname -a
> FreeBSD proxy.yy.ru 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Mon Oct 3 19:19:30 MSD 2011 aa@xx.yy.ru:/usr/obj/usr/src/sys/ZZZ amd64
>
> # ipfw nat show config
> ipfw nat 7 config if vr0 log same_ports reset redirect_port tcp 192.168.0.97:3389 7899 redirect_port tcp 192.168.0.250:3389 8998 redirect_port tcp 192.168.0.98:3389 7997 redirect_port tcp 192.168.0.201:3389 3333 redirect_port tcp 192.168.0.254:3389 5995 redirect_port tcp 192.168.0.99:3389 9998 redirect_port tcp 192.168.0.95:3389 8899 redirect_port tcp 192.168.0.248:20-21 20-21

After an investigation I've found out a very strange situation - it seems to me, that ipfw nat drops some (type 11?) icmp reply packets, whose udp request packets it hasn't rewritten/seen before, e.g:

> 05577 count log logamount 1000 icmp from any to any
> 05600 nat 7 ip from any to me in { recv fxp0 or recv vr0 }
> 05677 count log logamount 1000 icmp from any to any

if I ping (let's suppose that my external ip is 1.2.3.4 and dst ip is equal to 5.6.7.8, vr0 - external iface, fxp0 -- reserved external face, not used when vr0 is up & running):

> Oct 6 11:47:40 proxy kernel: ipfw: 5577 Count ICMP:8.0 1.2.3.4 5.6.7.8 out via vr0
> Oct 6 11:47:40 proxy kernel: ipfw: 5677 Count ICMP:8.0 1.2.3.4 5.6.7.8 out via vr0
> Oct 6 11:47:40 proxy kernel: ipfw: 5577 Count ICMP:0.0 5.6.7.8 1.2.3.4 in via vr0
> Oct 6 11:47:40 proxy kernel: ipfw: 5677 Count ICMP:0.0 5.6.7.8 1.2.3.4 in via vr0

if I traceroute:

> Oct 6 11:01:53 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
> Oct 6 11:01:58 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
> Oct 6 11:02:03 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0

at the same time, if LAN host (yes, LAN's behind ale0) traceroutes ext host via nat 7:

> Oct 6 11:10:07 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
> Oct 6 11:10:07 proxy kernel: ipfw: 5677 Count ICMP:11.0 5.6.7.8 192.168.0.97 in via vr0
> Oct 6 11:10:07 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 192.168.0.97 out via ale0
> Oct 6 11:10:07 proxy kernel: ipfw: 5677 Count ICMP:11.0 5.6.7.8 192.168.0.97 out via ale0

So, I wonder whether someone else has seen the same case under the similar circumstances? Isn't it a bug within ipfw nat module and is there any work-around/patch for that? I've surely googled, but in vain =( The only thing, that seems alike to my problem, is http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for 8 branch didn't cure anything =(

WBR,
Oleg Strizhak

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 09:57:27 2011
Message-ID: <4E8D7728.6050608@FreeBSD.org>
Date: Thu, 06 Oct 2011 13:38:48 +0400
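The check used in Oleg's message above (a `count log` rule on each side of the `nat` rule, then comparing what each one logged), as an added example that is not part of the original thread: it pairs log lines from the rule before the NAT rule with those from the rule after it and reports packets that never reached the second counter. The sample log is constructed from the lines quoted in the message, the function names are hypothetical, and it assumes net.inet.ip.fw.one_pass=0 so that translated packets continue at the next rule.

```python
import re
from collections import Counter

# One ipfw "count log" line as syslog records it, e.g.
# "Oct 6 11:01:53 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+ipfw:\s+"
    r"(?P<rule>\d+)\s+Count\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)

# Constructed sample, modelled on the log lines quoted in the message above.
SAMPLE_LOG = """\
Oct 6 11:47:40 proxy kernel: ipfw: 5577 Count ICMP:8.0 1.2.3.4 5.6.7.8 out via vr0
Oct 6 11:47:40 proxy kernel: ipfw: 5677 Count ICMP:8.0 1.2.3.4 5.6.7.8 out via vr0
Oct 6 11:47:40 proxy kernel: ipfw: 5577 Count ICMP:0.0 5.6.7.8 1.2.3.4 in via vr0
Oct 6 11:47:40 proxy kernel: ipfw: 5677 Count ICMP:0.0 5.6.7.8 1.2.3.4 in via vr0
Oct 6 11:01:53 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
Oct 6 11:01:58 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
Oct 6 11:02:03 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
Oct 6 11:10:07 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 1.2.3.4 in via vr0
Oct 6 11:10:07 proxy kernel: ipfw: 5677 Count ICMP:11.0 5.6.7.8 192.168.0.97 in via vr0
Oct 6 11:10:07 proxy kernel: ipfw: 5577 Count ICMP:11.0 5.6.7.8 192.168.0.97 out via ale0
Oct 6 11:10:07 proxy kernel: ipfw: 5677 Count ICMP:11.0 5.6.7.8 192.168.0.97 out via ale0
""".splitlines()


def parse(line):
    """Return the fields of one ipfw log line, or None if it is something else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["ts"] = " ".join(rec["ts"].split())  # syslog pads the day with spaces
    return rec


def flow_key(rec):
    """Identify a packet by the fields NAT leaves alone.

    Inbound translation rewrites the destination and outbound translation
    rewrites the source, so the key uses the opposite end of the packet.
    """
    stable = rec["src"] if rec["dir"] == "in" else rec["dst"]
    return (rec["ts"], rec["proto"], stable, rec["dir"], rec["iface"])


def lost_between(lines, pre_rule, post_rule):
    """Packets logged by pre_rule that post_rule never logged.

    Counters are used because syslog timestamps have one-second resolution,
    so several identical packets can share a key.
    """
    pre, post = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["rule"] == pre_rule:
            pre[flow_key(rec)] += 1
        elif rec["rule"] == post_rule:
            post[flow_key(rec)] += 1
    return sorted((pre - post).items())  # Counter subtraction keeps positives only


def summarise(lost):
    """Collapse the per-packet list to totals per (protocol, direction, interface)."""
    totals = Counter()
    for (_ts, proto, _addr, direction, iface), n in lost:
        totals[(proto, direction, iface)] += n
    return dict(totals)


if __name__ == "__main__":
    lost = lost_between(SAMPLE_LOG, pre_rule=5577, post_rule=5677)
    for key, n in lost:
        print(n, *key)
    print(summarise(lost))
```

On the sample, only the three ICMP type 11 replies to the locally originated traceroute are reported; the ping replies and the LAN host's traceroute replies appear on both sides of the NAT rule.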
From: "Andrey V. Elsukov"
To: Oleg Strizhak
Cc: freebsd-ipfw@FreeBSD.org, "Alexander V. Chernikov"
References: <4E8D6702.9070707@pcbtech.ru>
In-Reply-To: <4E8D6702.9070707@pcbtech.ru>
Subject: Re: ipfw nat drops icmp packets from localhost

On 06.10.2011 12:29, Oleg Strizhak wrote:
> After an investigation I've found out a very strange situation - it seems to me, that ipfw nat drops
> some (type 11?) icmp reply packets, whose udp request packets it hasn't rewritten/seen before, e.g:
>
> So, I wonder whether someone else has seen the same case under the similar circumstances? Isn't it a
> bug within ipfw nat module and is there any work-around/patch for that? I've surely googled, but in
> vain =( The only thing, that seems alike to my problem, is
> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for 8 branch didn't cure anything =(

Can you describe how you did apply and test this patch?

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 10:42:26 2011
Message-ID: <4E8D860F.2030505@pcbtech.ru>
Date: Thu, 06 Oct 2011 14:42:23 +0400
From: Oleg Strizhak
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@FreeBSD.org, melifaro@FreeBSD.org
References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org>
In-Reply-To: <4E8D7728.6050608@FreeBSD.org>
Subject: Re: ipfw nat drops icmp packets from localhost

Hello, Andrey V. Elsukov!

You wrote on 06.10.2011 at 13:38:

> On 06.10.2011 12:29, Oleg Strizhak wrote:
>> After an investigation I've found out a very strange situation - it seems to me, that ipfw nat drops
>> some (type 11?) icmp reply packets, whose udp request packets it hasn't rewritten/seen before, e.g:
>>
>> So, I wonder whether someone else has seen the same case under the similar circumstances? Isn't it a
>> bug within ipfw nat module and is there any work-around/patch for that? I've surely googled, but in
>> vain =( The only thing, that seems alike to my problem, is
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for 8 branch didn't cure anything =(
>
> Can you describe how you did apply and test this patch?

in a usual way =) Unfortunately, copy-pasted from the mentioned above page patch couldn't be applied w/ error:

> $ patch < ~/ip_fw_nat.patch
> Hmm... Looks like a unified diff to me...
> The text leading up to this was: > -------------------------- > |--- stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 08:33:58 2011 (r223834) > |+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 09:29:11 2011 (r223835) > -------------------------- > Patching file ip_fw_nat.c using Plan A... > patch: **** malformed patch at line 4: else the same results were obtained with combinations of -p5 -l and tail +2 ~/ip_fw_nat.patch options & commands Finally, I modified the patch (which applies w/o a word =) a little bit w/o any difference to the original one: > $ /usr/bin/diff -wBbu3 ~/ip_fw_nat.patch ~/ip_fw_nat.patch.my > --- /root/ip_fw_nat.patch 2011-10-04 14:08:32.000000000 +0400 > +++ /root/ip_fw_nat.patch.my 2011-10-04 14:29:53.000000000 +0400 > @@ -1,5 +1,5 @@ > ---- stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 08:33:58 2011 (r223834) > -+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 09:29:11 2011 (r223835) > +--- ip_fw_nat.c.orig 2010-12-21 20:09:25.000000000 +0300 > ++++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400 
> @@ -263,17 +263,27 @@ > else > retval = LibAliasOut(t->lib, c,

then I recompiled the kernel, rebooted server and.. all is just the same =(

WBR,
Oleg

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 11:14:16 2011
Message-ID: <4E8D8D87.2060900@pcbtech.ru>
Date: Thu, 06 Oct 2011 15:14:15 +0400
From: Oleg Strizhak
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@FreeBSD.org, "Alexander V. Chernikov"
References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org>
In-Reply-To: <4E8D7728.6050608@FreeBSD.org>
Subject: Re: ipfw nat drops icmp packets from localhost [patch attached]

Hello, Andrey V. Elsukov!

You wrote on 06.10.2011 at 13:38:

> On 06.10.2011 12:29, Oleg Strizhak wrote:
>> After an investigation I've found out a very strange situation - it seems to me, that ipfw nat drops
>> some (type 11?) icmp reply packets, whose udp request packets it hasn't rewritten/seen before, e.g:
>>
>> So, I wonder whether someone else has seen the same case under the similar circumstances? Isn't it a
>> bug within ipfw nat module and is there any work-around/patch for that? I've surely googled, but in
>> vain =( The only thing, that seems alike to my problem, is
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for 8 branch didn't cure anything =(
>
> Can you describe how you did apply and test this patch?

I beg your pardon: in my previous reply I forgot to attach my patch. Here it is

WBR,
Oleg

Content-Disposition: attachment; filename="ip_fw_nat.patch.my"

--- ip_fw_nat.c.orig 2010-12-21 20:09:25.000000000 +0300 +++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400 
@@ -263,17 +263,27 @@ else retval = LibAliasOut(t->lib, c, mcl->m_len + M_TRAILINGSPACE(mcl)); - if (retval == PKT_ALIAS_RESPOND) { - m->m_flags |= M_SKIP_FIREWALL; - retval = PKT_ALIAS_OK; - } - if (retval != PKT_ALIAS_OK && - retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) { + + /* + * We drop packet when: + * 1. libalias returns PKT_ALIAS_ERROR; + * 2. For incoming packets: + * a) for unresolved fragments; + * b) libalias returns PKT_ALIAS_IGNORED and + * PKT_ALIAS_DENY_INCOMING flag is set. + */ + if (retval == PKT_ALIAS_ERROR || + (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || + (retval == PKT_ALIAS_IGNORED && + (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) { /* XXX - should i add some logging? */ m_free(mcl); args->m = NULL; return (IP_FW_DENY); } + + if (retval == PKT_ALIAS_RESPOND) + m->m_flags |= M_SKIP_FIREWALL; mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); /* --------------040904070501070904030704-- From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 11:33:13 2011 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 353BD1065670; Thu, 6 Oct 2011 11:33:13 +0000 (UTC) (envelope-from melifaro@yandex-team.ru) Received: from forward9.mail.yandex.net (forward9.mail.yandex.net [77.88.61.48]) by mx1.freebsd.org (Postfix) with ESMTP id ADAC38FC1B; Thu, 6 Oct 2011 11:33:12 +0000 (UTC) Received: from smtpcorp2.mail.yandex.net (smtpcorp2.mail.yandex.net [77.88.61.36]) by forward9.mail.yandex.net (Yandex) with ESMTP id 3F23ACE1F11; Thu, 6 Oct 2011 15:17:39 +0400 (MSD) Received: from smtpcorp2.mail.yandex.net (localhost [127.0.0.1]) by smtpcorp2.mail.yandex.net (Yandex) with ESMTP id 3474D740110; Thu, 6 Oct 2011 15:17:39 +0400 (MSD) Received: from dhcp170-36-red.yandex.net (dhcp170-36-red.yandex.net [95.108.170.36]) by smtpcorp2.mail.yandex.net (nwsmtp/Yandex) with ESMTP id HdLOxvp2; Thu, 6 Oct 2011 15:17:39 +0400 Message-ID: 
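Review bot: The drop branch still carries the context comment `/* XXX - should i add some logging? */` and frees the packet with no trace. With the new condition this branch is reached only for PKT_ALIAS_ERROR and, on input, for unresolved fragments or PKT_ALIAS_IGNORED with PKT_ALIAS_DENY_INCOMING set, so the reasons are few and well defined. A per-reason counter or a rate-limited log line at this point would let an operator tell a drop made inside the nat rule from a deny elsewhere in the ruleset without having to bracket the nat rule with count rules.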
<4E8D8DF2.8060309@yandex-team.ru> Date: Thu, 06 Oct 2011 15:16:02 +0400 
From: "Alexander V. Chernikov"
To: Oleg Strizhak
Cc: "Andrey V. Elsukov", melifaro@FreeBSD.org, freebsd-ipfw@FreeBSD.org
References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org> <4E8D860F.2030505@pcbtech.ru>
In-Reply-To: <4E8D860F.2030505@pcbtech.ru>
Subject: Re: ipfw nat drops icmp packets from localhost

On 06.10.2011 14:42, Oleg Strizhak wrote:
> Hello, Andrey V. Elsukov!
>
> You wrote on 06.10.2011 at 13:38:
>
>> On 06.10.2011 12:29, Oleg Strizhak wrote:
>>> After an investigation I've found out a very strange situation - it
>>> seems to me, that ipfw nat drops
>>> some (type 11?) icmp reply packets, whose udp request packets it
>>> hasn't rewritten/seen before, e.g:
>>>
>>> So, I wonder whether someone else has seen the same case under the
>>> similar circumstances? Isn't it a
>>> bug within ipfw nat module and is there any work-around/patch for
>>> that? I've surely googled, but in
>>> vain =( The only thing, that seems alike to my problem, is
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for
>>> 8 branch didn't cure anything =(
>>
>> Can you describe how you did apply and test this patch?
>
> in a usual way =) Unfortunately, copy-pasted from the mentioned above
> page patch couldn't be applied w/ error:

svn diff -c 223835 svn://svn.freebsd.org/base/stable/8 > ~/r223835.diff

Can you try the patch attached (just to be sure) ?
This is exact situation from this (and some related PRs) and this revision definitely fixes it. Btw, what is the value of net.inet.ip.fw.one_pass sysctl ? Are you sure that ipfw is the single enabled firewall on this machine ? Are you sure that system is using new kernel ? > >> $ patch < ~/ip_fw_nat.patch >> Hmm... Looks like a unified diff to me... >> The text leading up to this was: >> -------------------------- >> |--- stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 08:33:58 >> 2011 (r223834) >> |+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 09:29:11 >> 2011 (r223835) >> -------------------------- >> Patching file ip_fw_nat.c using Plan A... >> patch: **** malformed patch at line 4: else > > the same results were obtained with combinations of -p5 -l and tail +2 > ~/ip_fw_nat.patch options & commands > Finally, I modified the patch (which applies w/o a word =) a little bit > w/o any difference to the original one: > >> $ /usr/bin/diff -wBbu3 ~/ip_fw_nat.patch ~/ip_fw_nat.patch.my >> --- /root/ip_fw_nat.patch 2011-10-04 14:08:32.000000000 +0400 >> +++ /root/ip_fw_nat.patch.my 2011-10-04 14:29:53.000000000 +0400 >> @@ -1,5 +1,5 @@ >> ---- stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 08:33:58 >> 2011 (r223834) >> -+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c Thu Jul 7 09:29:11 >> 2011 (r223835) >> +--- ip_fw_nat.c.orig 2010-12-21 20:09:25.000000000 +0300 >> ++++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400 >> @@ -263,17 +263,27 @@ >> else >> retval = LibAliasOut(t->lib, c, > > then I recompiled the kernel, rebooted server and.. all is just the same =( > > WBR, > Oleg > --------------020200020808050701040903 Content-Type: text/plain; name="r223835.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="r223835.diff" Index: sys/netinet/ipfw/ip_fw_nat.c =================================================================== --- sys/netinet/ipfw/ip_fw_nat.c (revision 223834) +++ sys/netinet/ipfw/ip_fw_nat.c (revision 223835) 
@@ -263,17 +263,27 @@ else retval = LibAliasOut(t->lib, c, mcl->m_len + M_TRAILINGSPACE(mcl)); - if (retval == PKT_ALIAS_RESPOND) { - m->m_flags |= M_SKIP_FIREWALL; - retval = PKT_ALIAS_OK; - } - if (retval != PKT_ALIAS_OK && - retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) { + + /* + * We drop packet when: + * 1. libalias returns PKT_ALIAS_ERROR; + * 2. For incoming packets: + * a) for unresolved fragments; + * b) libalias returns PKT_ALIAS_IGNORED and + * PKT_ALIAS_DENY_INCOMING flag is set. + */ + if (retval == PKT_ALIAS_ERROR || + (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || + (retval == PKT_ALIAS_IGNORED && + (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) { /* XXX - should i add some logging? */ m_free(mcl); args->m = NULL; return (IP_FW_DENY); } + + if (retval == PKT_ALIAS_RESPOND) + m->m_flags |= M_SKIP_FIREWALL; mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); /* Property changes on: sys/contrib/pf ___________________________________________________________________ Modified: svn:mergeinfo Merged /head/sys/contrib/pf:r222806 Property changes on: sys/contrib/dev/acpica ___________________________________________________________________ Modified: svn:mergeinfo Merged /head/sys/contrib/dev/acpica:r222806 Property changes on: sys/cddl/contrib/opensolaris ___________________________________________________________________ Modified: svn:mergeinfo Merged /head/sys/cddl/contrib/opensolaris:r222806 Property changes on: sys/amd64/include/xen ___________________________________________________________________ Modified: svn:mergeinfo Merged /head/sys/amd64/include/xen:r222806 Property changes on: sys ___________________________________________________________________ Modified: svn:mergeinfo Merged /head/sys:r222806 --------------020200020808050701040903-- From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 11:48:34 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org 
[IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CC9561065670; Thu, 6 Oct 2011 11:48:34 +0000 (UTC) (envelope-from oleg@pcbtech.ru) Received: from contrabass.corbina.net (contrabass.post.ru [85.21.78.5]) by mx1.freebsd.org (Postfix) with ESMTP id 3F8CB8FC17; Thu, 6 Oct 2011 11:48:34 +0000 (UTC) Received: from corbina.ru (violin.corbina.net [195.14.50.30]) by contrabass.corbina.net (Postfix) with ESMTP id 91AC8CE56E; Thu, 6 Oct 2011 15:48:31 +0400 (MSD) Received: from [10.200.63.205] (account indeez@post.ru HELO indeez.pcbtech.ru) by fe1-mc.corbina.ru (CommuniGate Pro SMTP 5.4.0) with ESMTPSA id 38680403; Thu, 06 Oct 2011 15:48:31 +0400 Received: from [192.168.0.33] (localhost [127.0.0.1]) by indeez.pcbtech.ru (8.14.4/8.14.4) with ESMTP id p96BmTWo093732; Thu, 6 Oct 2011 15:48:29 +0400 (MSD) (envelope-from oleg@pcbtech.ru) Message-ID: <4E8D958D.8010007@pcbtech.ru> Date: Thu, 06 Oct 2011 15:48:29 +0400 
From: Oleg Strizhak User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1 MIME-Version: 1.0 To: "Alexander V. Chernikov" References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org> <4E8D860F.2030505@pcbtech.ru> <4E8D8DF2.8060309@yandex-team.ru> In-Reply-To: <4E8D8DF2.8060309@yandex-team.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed X-Virus-Scanned: clamav-milter 0.97.2 at indeez.pcbtech.ru X-Virus-Status: Clean Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by indeez.pcbtech.ru id p96BmTWo093732 Cc: "Andrey V. Elsukov" , freebsd-ipfw@FreeBSD.org Subject: Re: ipfw nat drops icmp packets from localhost X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Oct 2011 11:48:34 -0000

Hello, Alexander V. Chernikov!

You wrote on 06.10.2011 at 15:16:

> On 06.10.2011 14:42, Oleg Strizhak wrote:
>> Hello, Andrey V. Elsukov!
>>
>> You wrote on 06.10.2011 at 13:38:
>>
>>> On 06.10.2011 12:29, Oleg Strizhak wrote:
>>>> After an investigation I've found out a very strange situation
>>>> - it seems to me, that ipfw nat drops some (type 11?) icmp
>>>> reply packets, whose udp request packets it hasn't
>>>> rewritten/seen before, e.g:
>>>>
>>>> So, I wonder whether someone else has seen the same case under
>>>> the similar circumstances? Isn't it a bug within ipfw nat
>>>> module and is there any work-around/patch for that? I've surely
>>>> googled, but in vain =( The only thing, that seems alike to my
>>>> problem, is http://www.freebsd.org/cgi/query-pr.cgi?pr=129093,
>>>> but the patch for 8 branch didn't cure anything =(
>>>
>>> Can you describe how you did apply and test this patch?
>>
>> in a usual way =) Unfortunately, copy-pasted from the mentioned
>> above page patch couldn't be applied w/ error:
>
> svn diff -c 223835 svn://svn.freebsd.org/base/stable/8> ~/r223835.diff
> Can you try the patch attached (just to be sure) ?

sure, I can =) I'll try and then drop you a line about the results.

> This is exact situation from this (and some related PRs) and this
> revision definitely fixes it.

Sounds promising! Hope I've missed or neglected something, and that'd help.

> Btw, what is the value of net.inet.ip.fw.one_pass sysctl ?

now it's 0. As far as I remember, I've raised one_pass to 1 -- without
any effect on the packets filtering (in my case)

> Are you sure that ipfw is the single enabled firewall on this machine
> ? Are you sure that system is using new kernel ?

Just 10 minutes ago I was quite sure in both cases, without any doubt..
Now, as the patch you've sent to me is char-to-char the same as mine...
I'll try once more.

Thanx for help and directions!

WBR,
Oleg
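Review bot: in the ip_fw_nat.c hunk of the attached r223835.diff, the rewritten drop test fails open for every libalias result it does not name. The removed lines dropped anything other than PKT_ALIAS_OK and PKT_ALIAS_FOUND_HEADER_FRAGMENT, while the new condition drops only PKT_ALIAS_ERROR plus two cases guarded by args->oif == NULL, so PKT_ALIAS_IGNORED or PKT_ALIAS_UNRESOLVED_FRAGMENT on an outgoing packet, and any return value not listed, now fall through to the ip_len fix-up and continue past the nat rule. The new block comment lists when a packet is dropped; it should also state that passing packets libalias did not translate on the outgoing path is deliberate, so that whoever maintains the ruleset knows a later rule has to filter them if they must not leave untranslated. The "/* XXX - should i add some logging? */" in the drop branch is carried over unanswered, and the drop is still silent; a counter or rate-limited log message there would make this class of problem much quicker to diagnose than it was in this thread. The test also reads t->lib->packetAliasMode directly instead of going through a libalias call, which ties ip_fw_nat.c to that structure's layout.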
From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 12:55:33 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F796106566B; Thu, 6 Oct 2011 12:55:33 +0000 (UTC) (envelope-from indeez@pcbtech.ru) Received: from contrabass.corbina.net (contrabass.post.ru [85.21.78.5]) by mx1.freebsd.org (Postfix) with ESMTP id F1E2D8FC14; Thu, 6 Oct 2011 12:55:32 +0000 (UTC) Received: from corbina.ru (violin.corbina.net [195.14.50.30]) by contrabass.corbina.net (Postfix) with ESMTP id 792BCCABCF; Thu, 6 Oct 2011 16:36:00 +0400 (MSD) Received: from [10.200.63.205] (account indeez@post.ru HELO indeez.pcbtech.ru) by fe1-mc.corbina.ru (CommuniGate Pro SMTP 5.4.0) with ESMTPSA id 38691171; Thu, 06 Oct 2011 16:36:00 +0400 Received: from [192.168.0.33] (localhost [127.0.0.1]) by indeez.pcbtech.ru (8.14.4/8.14.4) with ESMTP id p96CZwO1096266; Thu, 6 Oct 2011 16:35:58 +0400 (MSD) (envelope-from indeez@pcbtech.ru) Message-ID: <4E8DA0AE.6060306@pcbtech.ru> Date: Thu, 06 Oct 2011 16:35:58 +0400 
From: Oleg Strizhak User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1 MIME-Version: 1.0 To: "Alexander V. Chernikov" References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org> <4E8D860F.2030505@pcbtech.ru> <4E8D8DF2.8060309@yandex-team.ru> <4E8D958D.8010007@pcbtech.ru> In-Reply-To: <4E8D958D.8010007@pcbtech.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed X-Virus-Scanned: clamav-milter 0.97.2 at indeez.pcbtech.ru X-Virus-Status: Clean Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by indeez.pcbtech.ru id p96CZwO1096266 X-Mailman-Approved-At: Thu, 06 Oct 2011 16:08:54 +0000 Cc: "Andrey V. Elsukov" , freebsd-ipfw@FreeBSD.org Subject: Re: ipfw nat drops icmp packets from localhost X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Oct 2011 12:55:33 -0000

Hello, Alexander V. Chernikov!

You wrote on 06.10.2011 at 15:16:

>> ...
>> svn diff -c 223835 svn://svn.freebsd.org/base/stable/8> ~/r223835.diff
>> Can you try the patch attached (just to be sure) ?
>
> sure, I can =) I'll try and then drop you a line about the results.
>
>> This is exact situation from this (and some related PRs) and this
>> revision definitely fixes it.
>
> Sounds promising! Hope I've missed or neglected something, and that'd help.

Thanks for your help once more! Now all goes as it has to; obviously
that's my fault on the previous run. I suppose, wrong kernel is the most
probable cause of that -- I've upgraded the system at that time. Sorry
for wasting your time =(

But now I wonder why this patch isn't in RELENG_8_2 branch already? As
far as I can see it's in RELENG_8 only. The bug seems to be widely
occurred and easy to catch, especially when moving to ipfw nat from
ipfw+natd.

WBR,
Oleg