Date:      Thu, 06 Oct 2011 15:16:02 +0400
From:      "Alexander V. Chernikov" <melifaro@yandex-team.ru>
To:        Oleg Strizhak <oleg@pcbtech.ru>
Cc:        "Andrey V. Elsukov" <ae@FreeBSD.org>, melifaro@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject:   Re: ipfw nat drops icmp packets from localhost
Message-ID:  <4E8D8DF2.8060309@yandex-team.ru>
In-Reply-To: <4E8D860F.2030505@pcbtech.ru>
References:  <4E8D6702.9070707@pcbtech.ru> <4E8D7728.6050608@FreeBSD.org> <4E8D860F.2030505@pcbtech.ru>


On 06.10.2011 14:42, Oleg Strizhak wrote:
> Hello, Andrey V. Elsukov!
> 
> You wrote on 06.10.2011 at 13:38:
> 
>> On 06.10.2011 12:29, Oleg Strizhak wrote:
>>> After an investigation I've found out a very strange situation: it
>>> seems to me that ipfw nat drops
>>> some (type 11?) icmp reply packets whose udp request packets it
>>> hasn't rewritten/seen before, e.g.:
>>>
>>> So, I wonder whether someone else has seen the same case under
>>> similar circumstances? Isn't it a
>>> bug within the ipfw nat module, and is there any work-around/patch for
>>> that? I've surely googled, but in
>>> vain =( The only thing that seems alike to my problem is
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for
>>> the 8 branch didn't cure anything =(
>>
>> Can you describe how you did apply and test this patch?
> 
> in the usual way =) Unfortunately, the patch copy-pasted from the
> above-mentioned page couldn't be applied, with this error:

svn diff -c 223835 svn://svn.freebsd.org/base/stable/8 > ~/r223835.diff
Can you try the attached patch (just to be sure)?

This is exactly the situation from this PR (and some related ones), and
this revision definitely fixes it.

Btw, what is the value of the net.inet.ip.fw.one_pass sysctl?
Are you sure that ipfw is the only firewall enabled on this machine?
Are you sure that the system is running the new kernel?


> 
>> $ patch < ~/ip_fw_nat.patch
>> Hmm...  Looks like a unified diff to me...
>> The text leading up to this was:
>> --------------------------
>> |--- stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 08:33:58
>> 2011 (r223834)
>> |+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 09:29:11
>> 2011 (r223835)
>> --------------------------
>> Patching file ip_fw_nat.c using Plan A...
>> patch: **** malformed patch at line 4: else
> 
> The same results were obtained with combinations of the -p5 and -l
> options and with tail +2 ~/ip_fw_nat.patch.
> Finally, I modified the patch a little bit (it then applied without a
> word =), with no difference from the original one:
> 
>>  $ /usr/bin/diff -wBbu3 ~/ip_fw_nat.patch ~/ip_fw_nat.patch.my
>> --- /root/ip_fw_nat.patch       2011-10-04 14:08:32.000000000 +0400
>> +++ /root/ip_fw_nat.patch.my    2011-10-04 14:29:53.000000000 +0400
>> @@ -1,5 +1,5 @@
>> ---- stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 08:33:58
>> 2011 (r223834)
>> -+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c      Thu Jul 7 09:29:11
>> 2011 (r223835)
>> +--- ip_fw_nat.c.orig   2010-12-21 20:09:25.000000000 +0300
>> ++++ ip_fw_nat.c        2011-10-04 14:27:02.000000000 +0400
>>  @@ -263,17 +263,27 @@
>>  else
>>  retval = LibAliasOut(t->lib, c,
> 
> then I recompiled the kernel, rebooted the server and... all is just the same =(
> 
> WBR,
> Oleg
> 


Attachment: r223835.diff (text/plain)

Index: sys/netinet/ipfw/ip_fw_nat.c
===================================================================
--- sys/netinet/ipfw/ip_fw_nat.c	(revision 223834)
+++ sys/netinet/ipfw/ip_fw_nat.c	(revision 223835)
@@ -263,17 +263,27 @@
 	else
 		retval = LibAliasOut(t->lib, c,
 			mcl->m_len + M_TRAILINGSPACE(mcl));
-	if (retval == PKT_ALIAS_RESPOND) {
-		m->m_flags |= M_SKIP_FIREWALL;
-		retval = PKT_ALIAS_OK;
-	}
-	if (retval != PKT_ALIAS_OK &&
-	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+
+	/*
+	 * We drop packet when:
+	 * 1. libalias returns PKT_ALIAS_ERROR;
+	 * 2. For incoming packets:
+	 *	a) for unresolved fragments;
+	 *	b) libalias returns PKT_ALIAS_IGNORED and
+	 *		PKT_ALIAS_DENY_INCOMING flag is set.
+	 */
+	if (retval == PKT_ALIAS_ERROR ||
+	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+	    (retval == PKT_ALIAS_IGNORED &&
+	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
 		/* XXX - should i add some logging? */
 		m_free(mcl);
 		args->m = NULL;
 		return (IP_FW_DENY);
 	}
+
+	if (retval == PKT_ALIAS_RESPOND)
+		m->m_flags |= M_SKIP_FIREWALL;
 	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
 
 	/*
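Review bot: the new condition tests PKT_ALIAS_UNRESOLVED_FRAGMENT only when args->oif == NULL, so an outgoing unresolved fragment that the old check dropped now passes through untranslated; if that is intended, the comment above the condition should say so for the outgoing direction as well, and if not, the fragment check should be hoisted out of the incoming-only branch. While here, the retained "/* XXX - should i add some logging? */" is worth resolving now that the drop cases are enumerated in the comment (a counter or a log line per case would make the remaining drops diagnosable), and the four-level nested condition would read more easily as separate if statements, one per bullet of the comment.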

Property changes on: sys/contrib/pf
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/contrib/pf:r222806


Property changes on: sys/contrib/dev/acpica
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/contrib/dev/acpica:r222806


Property changes on: sys/cddl/contrib/opensolaris
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/cddl/contrib/opensolaris:r222806


Property changes on: sys/amd64/include/xen
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys/amd64/include/xen:r222806


Property changes on: sys
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /head/sys:r222806





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4E8D8DF2.8060309>