Date: Wed, 17 Dec 2008 10:08:02 -0800
From: "Li, Qing"
To: "Julian Elischer", "Joe Marcus Clarke"
Cc: Qing Li, Marko Zec, Kip Macy, freebsd-current@freebsd.org
Subject: RE: NAT (ipfw/natd) broken in latest -CURRENT

Yes, it appears to be arp-v2 related changes. I am suspecting the p2p
link type and the fact the tunnel end points appear to be on-link with
each other might be the problem.

I am investigating the problem right now ...

--Qing

> -----Original Message-----
> From: owner-freebsd-current@freebsd.org
> [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Julian Elischer
> Sent: Wednesday, December 17, 2008 9:32 AM
> To: Joe Marcus Clarke
> Cc: Qing Li; Marko Zec; Kip Macy; freebsd-current@freebsd.org
> Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
>
> Joe Marcus Clarke wrote:
> > Marko Zec wrote:
> >> On Wednesday 17 December 2008 10:34:54 Paolo Pisati wrote:
> >>> Joe Marcus Clarke wrote:
> >>>> I just upgraded my i386 -CURRENT box from November 14 to today,
> >>>> and now my SSH-over-PPP VPN tunnel no longer works. I did some
> >>>> packet captures, and it appears that NAT is no longer working.
> >>>> If I send a telnet packet from my client side over the PPP
> >>>> tunnel, I see the SYN go out on the server side network properly
> >>>> translated. The destination host ACKs correctly, but the ACK
> >>>> never goes back across the tunnel. It's as if natd is no longer
> >>>> translating the packet on the inbound path. Besides the upgrade,
> >>>> nothing has changed in my environment.
> >>> lately some work has been done on the vimage and routing tree
> >>> stuff, thus your best bet is to go back some days and try again.
> >> Hi Joe,
> >>
> >> could you try building your kernel with options VIMAGE_GLOBALS and
> >> tell us whether this makes any difference - turning on
> >> VIMAGE_GLOBALS should revert certain aspects of virtualization
> >> changes that recently got merged into the tree.
> >
> > Thanks for the suggestion, but the results are the same. I turned on
> > -verbose on natd, and I see the ACK packet come back from the
> > destination, and natd is translating it correctly. However, I never
> > see the ACK on the remote end of the tunnel. It looks like a routing
> > problem at this point. It's as if the kernel doesn't know on what
> > interface to encapsulate the reply packet.
>
> the arpv2 changes seem to have somehow changed point-to-point routes
> so it may be related to that..
> I'll wait for Qing or Kmacy to check....
>
> >
> > Joe
> >
> >> Cheers,
> >>
> >> Marko