Date: Thu, 06 Oct 2011 15:14:15 +0400 From: Oleg Strizhak <oleg@pcbtech.ru> To: "Andrey V. Elsukov" <ae@FreeBSD.org> Cc: freebsd-ipfw@FreeBSD.org, "Alexander V. Chernikov" <melifaro@FreeBSD.org> Subject: Re: ipfw nat drops icmp packets from localhost [patch attached] Message-ID: <4E8D8D87.2060900@pcbtech.ru> In-Reply-To: <4E8D7728.6050608@FreeBSD.org> References: <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. --------------040904070501070904030704 Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by indeez.pcbtech.ru id p96BEFNh091920 =FA=C4=D2=C1=D7=D3=D4=D7=D5=CA=D4=C5, Andrey V. Elsukov! =F7=D9 =D0=C9=D3=C1=CC=C9 06.10.2011 13:38: > On 06.10.2011 12:29, Oleg Strizhak wrote: >> After an investigation I've found out a very strange situation - it se= ems to me, that ipfw nat drops >> some (type 11?) icmp reply packets, whose udp request packets it hasn'= t rewritten/seen before, e.g: >> >> So, I wonder whether someone else has seen the same case under the sim= ilar circumstances? Isn't it a >> bug within ipfw nat module and is there any work-around/patch for that= ? I've surely googled, but in >> vain =3D( The only thing, that seems alike to my problem, is >> http://www.freebsd.org/cgi/query-pr.cgi?pr=3D129093, but the patch for= 8 branch didn't cure anything =3D( > > Can you describe how you did apply and test this patch? I beg your pardon: in my previous reply I forgot to attach my patch.=20 Here it is WBR, Oleg --------------040904070501070904030704 Content-Type: text/plain; name="ip_fw_nat.patch.my" Content-Disposition: attachment; filename="ip_fw_nat.patch.my" Content-Transfer-Encoding: 7bit --- ip_fw_nat.c.orig 2010-12-21 20:09:25.000000000 +0300 +++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400 @@ -263,17 +263,27 @@ else retval = LibAliasOut(t->lib, c, mcl->m_len + M_TRAILINGSPACE(mcl)); - if (retval == PKT_ALIAS_RESPOND) { - m->m_flags |= M_SKIP_FIREWALL; - retval = PKT_ALIAS_OK; - } - if (retval != PKT_ALIAS_OK && - retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) { + + /* + * We drop packet when: + * 1. libalias returns PKT_ALIAS_ERROR; + * 2. For incoming packets: + * a) for unresolved fragments; + * b) libalias returns PKT_ALIAS_IGNORED and + * PKT_ALIAS_DENY_INCOMING flag is set. + */ + if (retval == PKT_ALIAS_ERROR || + (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || + (retval == PKT_ALIAS_IGNORED && + (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) { /* XXX - should i add some logging? */ m_free(mcl); args->m = NULL; return (IP_FW_DENY); } + + if (retval == PKT_ALIAS_RESPOND) + m->m_flags |= M_SKIP_FIREWALL; mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); /* --------------040904070501070904030704--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E8D8D87.2060900>