From: Joe Marcus Clarke <marcus@FreeBSD.org>
To: "Li, Qing"
Cc: current
Subject: RE: NAT (ipfw/natd) broken in latest -CURRENT
Date: Thu, 18 Dec 2008 17:02:25 -0500
Message-Id: <1229637745.60337.62.camel@shumai.marcuscom.com>

On Thu, 2008-12-18 at 12:53 -0800, Li, Qing wrote:
> Hi Joe,
>
> I have been trying to recreate your problem but my setup seems to
> work. I then noticed in your original netstat output the p2p
> host route installed by the tunnel interface has the "G" flag
> set. This will certainly cause a routing problem because that
> route is not an indirect route. I modified the kernel code to simulate
> this condition and I do see the error on output, which is expected.
>
> I assume this problem is consistently reproducible in your setup?

Absolutely. Every time I set up the p2p tunnel with the non-proxy ARP
address range. Traffic flows outbound, but never inbound.

Your analysis sounds correct. The kernel doesn't know the interface on
which to encapsulate the return traffic.

Joe

>
> -- Qing
>
>
> > -----Original Message-----
> > From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-
> > current@freebsd.org] On Behalf Of Joe Marcus Clarke
> > Sent: Tuesday, December 16, 2008 5:20 PM
> > To: current
> > Subject: NAT (ipfw/natd) broken in latest -CURRENT
> >
> > I just upgraded my i386 -CURRENT box from November 14 to today, and now
> > my SSH-over-PPP VPN tunnel no longer works. I did some packet captures,
> > and it appears that NAT is no longer working. If I send a telnet packet
> > from my client side over the PPP tunnel, I see the SYN go out on the
> > server side network properly translated. The destination host ACKs
> > correctly, but the ACK never goes back across the tunnel. It's as if
> > natd is no longer translating the packet on the inbound path. Besides
> > the upgrade, nothing has changed in my environment.
> >
> > My ipfw show looks like:
> >
> > 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> > 00100   194   20696 allow ip from any to any via lo0
> > 00200     0       0 deny ip from any to 127.0.0.0/8
> > 00300     0       0 deny ip from 127.0.0.0/8 to any
> > 65000 24714 4934785 allow ip from any to any
> > 65535     5     396 deny ip from any to any
> >
> > I am running natd as:
> >
> > /sbin/natd -s -m -skinny_port 2000 -n em0
> >
> > The ifconfig for my tunnel interface is:
> >
> > tun0: flags=8051 metric 0 mtu 1300
> >         inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
> >         inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
> >         Opened by PID 8018
> >
> > My netstat on the server side looks like:
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            172.18.254.1       UGS         0    46685    em0
> > 10.1.1.76          link#5             UGH         0     1735   tun0
> > 127.0.0.1          link#3             UH          0     1171    lo0
> > 172.18.254.0/24    link#1             U           0        0    em0
> > 172.18.254.237/32  link#1             U           0        8    em0
> >
> > The server's uname is:
> >
> > FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> > Dec 16 15:42:09 EST 2008
> > marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC i386
> >
> > The previous, working uname was:
> >
> > FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
> > marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
> >
> > Joe
> >
> > --
> > Joe Marcus Clarke
> > FreeBSD GNOME Team :: gnome@FreeBSD.org
> > FreeNode / #freebsd-gnome
> > http://www.FreeBSD.org/gnome
>

--
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
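The diagnostic Qing Li applied by eye, written out as an added example (not code from the thread or from FreeBSD): it parses the Internet section of `netstat -rn` style output and reports routes whose gateway is a link#N entry (delivered directly on that interface) yet carry the G flag, which is how the bad p2p host route on tun0 shows up. The sample table is the one quoted in Joe's original report, re-typed as a constant.

```python
"""Find routing-table entries where the 'G' (indirect) flag contradicts
a link-level gateway.  Added illustration for the ipfw/natd thread;
the sample table below is the netstat output quoted in the report."""

import re

# Constructed from the netstat table in the original message.
NETSTAT_SAMPLE = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0
"""

# destination, gateway, flags, refs, use, netif (expire is optional)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]+)\s+\d+\s+\d+\s+(\S+)")


def parse_routes(text):
    """Return (destination, gateway, flags, netif) tuples from the
    'Internet:' section; stops at 'Internet6:' if present."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or line.startswith("Destination"):
            continue
        m = ROW_RE.match(line)
        if m:
            routes.append(m.groups())
    return routes


def suspect_gateway_flags(routes):
    """A link#N gateway means the destination is reached directly on that
    interface, so 'G' (send via a gateway) must not be set on it.  With
    'H' as well it is the p2p host route the thread identifies: the kernel
    cannot pick the interface on which to encapsulate the return traffic."""
    return [r for r in routes if r[1].startswith("link#") and "G" in r[2]]


if __name__ == "__main__":
    for route in suspect_gateway_flags(parse_routes(NETSTAT_SAMPLE)):
        print("suspicious route:", route)
```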