From owner-freebsd-current@FreeBSD.ORG Wed Dec 17 18:01:29 2008
Message-ID: <4949379F.2070105@elischer.org>
Date: Wed, 17 Dec 2008 09:32:15 -0800
From: Julian Elischer
To: Joe Marcus Clarke
Cc: Qing Li, Marko Zec, Kip Macy, freebsd-current@freebsd.org
Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
References: <1229476796.49670.7.camel@shumai.marcuscom.com> <4948C7BE.7070602@oltrelinux.com> <200812171148.38528.zec@icir.org> <49491BFA.5090605@freebsd.org>
In-Reply-To: <49491BFA.5090605@freebsd.org>

Joe Marcus Clarke wrote:
> Marko Zec wrote:
>> On Wednesday 17 December 2008 10:34:54 Paolo Pisati wrote:
>>> Joe Marcus Clarke wrote:
>>>> I just upgraded my i386 -CURRENT box from November 14 to today, and
>>>> now my SSH-over-PPP VPN tunnel no longer works. I did some packet
>>>> captures, and it appears that NAT is no longer working. If I send
>>>> a telnet packet from my client side over the PPP tunnel, I see the
>>>> SYN go out on the server side network properly translated. The
>>>> destination host ACKs correctly, but the ACK never goes back across
>>>> the tunnel. It's as if natd is no longer translating the packet on
>>>> the inbound path. Besides the upgrade, nothing has changed in my
>>>> environment.
>>> Lately some work has been done on the vimage and routing tree stuff,
>>> thus your best bet is to go back some days and try again.
>> Hi Joe,
>>
>> could you try building your kernel with options VIMAGE_GLOBALS and tell
>> us whether this makes any difference - turning on VIMAGE_GLOBALS should
>> revert certain aspects of virtualization changes that recently got
>> merged into the tree.
>
> Thanks for the suggestion, but the results are the same. I turned on
> -verbose on natd, and I see the ACK packet come back from the
> destination, and natd is translating it correctly. However, I never see
> the ACK on the remote end of the tunnel. It looks like a routing
> problem at this point. It's as if the kernel doesn't know on what
> interface to encapsulate the reply packet.

The arpv2 changes seem to have somehow changed point-to-point routes, so it may be related to that. I'll wait for Qing or Kmacy to check.

> Joe
>
>> Cheers,
>>
>> Marko