From: Oleg Strizhak
Date: Thu, 06 Oct 2011 15:48:29 +0400
To: "Alexander V. Chernikov"
Cc: "Andrey V. Elsukov", freebsd-ipfw@FreeBSD.org
Subject: Re: ipfw nat drops icmp packets from localhost

Hello, Alexander V. Chernikov!

You wrote on 06.10.2011 at 15:16:

> On 06.10.2011 14:42, Oleg Strizhak wrote:
>> Hello, Andrey V. Elsukov!
>>
>> You wrote on 06.10.2011 at 13:38:
>>
>>> On 06.10.2011 12:29, Oleg Strizhak wrote:
>>>> After an investigation I've found out a very strange situation
>>>> - it seems to me, that ipfw nat drops some (type 11?) icmp
>>>> reply packets, whose udp request packets it hasn't
>>>> rewritten/seen before, e.g:
>>>>
>>>> So, I wonder whether someone else has seen the same case under
>>>> the similar circumstances? Isn't it a bug within ipfw nat
>>>> module and is there any work-around/patch for that? I've surely
>>>> googled, but in vain =( The only thing, that seems alike to my
>>>> problem, is http://www.freebsd.org/cgi/query-pr.cgi?pr=129093,
>>>> but the patch for 8 branch didn't cure anything =(
>>>
>>> Can you describe how you did apply and test this patch?
>>
>> in a usual way =) Unfortunately, copy-pasted from the mentioned
>> above page patch couldn't be applied w/ error:
>
> svn diff -c 223835 svn://svn.freebsd.org/base/stable/8 > ~/r223835.diff
> Can you try the patch attached (just to be sure) ?

sure, I can =) I'll try and then drop you a line about the results.

> This is exact situation from this (and some related PRs) and this
> revision definitely fixes it.

Sounds promising! Hope I've missed or neglected something, and that'd help.

> Btw, what is the value of net.inet.ip.fw.one_pass sysctl ?

now it's 0. As far as I remember, I've raised one_pass to 1 -- without
any effect on the packets filtering (in my case)

> Are you sure that ipfw is the single enabled firewall on this machine
> ? Are you sure that system is using new kernel ?

Just 10 minutes ago I was quite sure in both cases, without any doubt..
Now, as the patch you've sent to me is char-to-char the same as mine...
I'll try once more.

Thanx for help and directions!

WBR, Oleg