Date:      Thu, 06 Oct 2011 15:48:29 +0400
From:      Oleg Strizhak <>
To:        "Alexander V. Chernikov" <>
Cc:        "Andrey V. Elsukov" <>,
Subject:   Re: ipfw nat drops icmp packets from localhost
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Hello, Alexander V. Chernikov!

You wrote on 06.10.2011 at 15:16:

> On 06.10.2011 14:42, Oleg Strizhak wrote:
>> Hello, Andrey V. Elsukov!
>> You wrote on 06.10.2011 at 13:38:
>>> On 06.10.2011 12:29, Oleg Strizhak wrote:
>>>> After an investigation I've found out a very strange situation
>>>> - it seems to me, that ipfw nat drops some (type 11?) icmp
>>>> reply packets, whose udp request packets it hasn't
>>>> rewritten/seen before, e.g:
>>>> So, I wonder whether someone else has seen the same case under
>>>> the similar circumstances? Isn't it a bug within ipfw nat
>>>> module and is there any work-around/patch for that? I've surely
>>>> googled, but in vain =( The only thing, that seems alike to my
>>>> problem, is,
>>>> but the patch for 8 branch didn't cure anything =(
>>> Can you describe how you did apply and test this patch?
>> in a usual way =) Unfortunately, copy-pasted from the mentioned
>> above page patch couldn't be applied w/ error:
> svn diff -c 223835 svn://>  ~/r223835.diff
> Can you try the patch attached (just to be sure) ?

sure, I can =) I'll try and then drop you a line about the results.

> This is exact situation from this (and some related PRs) and this
> revision definitely fixes it.

Sounds promising! Hope I've missed or neglected something, and that'd hel=

> Btw, what is the value of net.inet.ip.fw.one_pass sysctl ?

now it's 0. As far as I remember, I've raised one_pass to 1 -- without
any effect on the packets filtering (in my case)

> Are you sure that ipfw is the single enabled firewall on this machine
> ? Are you sure that system is using new kernel ?

Just 10 minutes ago I was quite sure in both cases, without any doubt..
Now, as the patch you've sent to me is char-to-char the same as mine...
I'll try once more.
Thanx for help and directions!

