Date:      Mon, 9 Aug 2004 18:37:39 +0200
From:      Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To:        darrenr@freebsd.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfilter/ipnat 3.4.35 and udp-traceroute problem
Message-ID:  <20040809163739.GA95408@shellma.zin.lublin.pl>
In-Reply-To: <20040805225408.GA70729@shellma.zin.lublin.pl>
References:  <20040805225408.GA70729@shellma.zin.lublin.pl>

On Fri, Aug 06, 2004 at 12:54:08AM +0200, Pawel Malachowski wrote:

> I can see weird behavior of this command:
> 	traceroute -s privateIP -P UDP dst
> Outgoing UDP packets are translated, ICMP time-exceeded message comes back,
> but traceroute shows '* * *'. ;)

v3.4.35 import breaks things on my RELENG_4 box. FYI:

With this ruleset, UDP-traceroute doesn't work (ICMP- works):
map fxp0 172.27.201.1/24 -> public/32 proxy port ftp ftp/tcp
map fxp0 172.27.201.1/24 -> public/32 portmap tcp/udp auto
map fxp0 172.27.201.1/24 -> public/32

% traceroute -s 172.27.201.1 -P udp www.yahoo.com
traceroute to www.yahoo.akadns.net (216.109.118.74) from 172.27.201.1, 64 hops max, 44 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * *^C

% traceroute -s 172.27.201.1 -P icmp www.yahoo.com
traceroute to www.yahoo.akadns.net (216.109.118.79) from 172.27.201.1, 64 hops max, 64 byte packets
[...]
 5  do-war-tr4.tptransit.pl (195.149.232.141)  43.909 ms  36.962 ms  28.713 ms
 6  war-b1-pos14-0.telia.net (213.248.79.13)  32.929 ms  45.965 ms  45.940 ms
 7  hbg-bb2-pos3-2-0.telia.net (213.248.65.33)  41.702 ms  37.646 ms  47.247 ms
 8  kbn-bb2-pos1-2-0.telia.net (213.248.65.126)  45.860 ms  51.259 ms  36.435 ms
 9  nyk-bb2-pos5-0-0.telia.net (213.248.64.34)  138.898 ms  136.887 ms^C

% ipnat -s
mapped  in      246213324       out     246453277
added   6502341 expired 6484448
no memory       0       bad nat 530817
inuse   6210
rules   51
wilds   0



After switching map from /24 to /32, it works just fine:
map fxp0 172.27.201.1/32 -> public/32 proxy port ftp ftp/tcp
map fxp0 172.27.201.1/32 -> public/32 portmap tcp/udp auto
map fxp0 172.27.201.1/32 -> public/32

% traceroute -s 172.27.201.1 -P udp www.yahoo.com
traceroute to www.yahoo.akadns.net (216.109.117.110) from 172.27.201.1, 64 hops max, 44 byte packets
[...]
 5  do-war-tr4.tptransit.pl (195.149.232.141)  27.782 ms  55.108 ms  26.856 ms
 6  war-b1-pos14-0.telia.net (213.248.79.13)  21.830 ms  34.968 ms  20.804 ms
 7  hbg-bb1-pos1-2-0.telia.net (213.248.64.201)  51.748 ms  82.144 ms  74.826 ms
 8  kbn-bb1-pos1-2-0.telia.net (213.248.65.145)  108.766 ms  129.979 ms  77.827 ms
 9  nyk-bb1-pos0-1-0.telia.net (213.248.64.22)  206.748 ms  125.975 ms  125.788 ms 
^C


> Another interesting thing:
> % ipf -V
> ipf: IP Filter: v3.4.31 (336)	<=
> Kernel: IP Filter: v3.4.35
> [...]
> % grep -i ver /usr/src/contrib/ipfilter/ipl.h
> #define IPL_VERSION     "IP Filter: v3.4.31"
> 
> Newer ipl.h sits happily in vendor branch.


regards,
-- 
Paweł Małachowski


