From: "Li, Qing"
To: "Max Laier", "Denis Mysenko"
Cc: current
Date: Thu, 18 Dec 2008 18:00:47 -0800
Subject: RE: NAT (ipfw/natd) broken in latest -CURRENT

I did not notice that thread on net@, but now that you've mentioned it,
the original description appears to be very similar to what I was
observing in the NAT/VPN case. Please let me know if this patch does the
right thing for you.

--Qing

> -----Original Message-----
> From: Max Laier [mailto:max@love2party.net]
> Sent: Thursday, December 18, 2008 5:47 PM
> To: freebsd-current@freebsd.org; Denis Mysenko
> Cc: Li, Qing
> Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
>
> On Friday 19 December 2008 02:41:02 Li, Qing wrote:
> > I have checked in a fix for this issue (r186308), which turned out to
> > be a problem in the ppp module. The ppp module updates the p2p host
> > route that was installed during the tunnel configuration; however, the
> > ppp code always set the RTF_GATEWAY flag. The patch has been verified to
> > be working by Joe.
> >
> > Please let me know if you run into any other issue.
>
> There has been a similar report in freebsd-net@ just recently, OP CC'ed.
> Denis, can you check if the fix quoted above fixes your problem?
>
> > Thanks,
> >
> > -- Qing
> >
> > > -----Original Message-----
> > > From: Joe Marcus Clarke [mailto:marcus@freebsd.org]
> > > Sent: Thursday, December 18, 2008 2:02 PM
> > > To: Li, Qing
> > > Cc: current
> > > Subject: RE: NAT (ipfw/natd) broken in latest -CURRENT
> > >
> > > On Thu, 2008-12-18 at 12:53 -0800, Li, Qing wrote:
> > > > Hi Joe,
> > > >
> > > > I have been trying to recreate your problem but my setup seems to
> > > > work. I then noticed in your original netstat output the p2p
> > > > host route installed by the tunnel interface has the "G" flag
> > > > set. This will certainly cause a routing problem because that
> > > > route is not an indirect route. I modified the kernel code to
> > > > simulate this condition and I do see the error on output, which is
> > > > expected.
> > > >
> > > > I assume this problem is consistently reproducible in your setup?
> > >
> > > Absolutely. Every time I set up the p2p tunnel with the non-proxy ARP
> > > address range. Traffic flows outbound, but never inbound. Your
> > > analysis sounds correct. The kernel doesn't know the interface on
> > > which to encapsulate the return traffic.
> > >
> > > Joe
> > >
> > > > -- Qing
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-freebsd-current@freebsd.org
> > > > > [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Joe Marcus Clarke
> > > > > Sent: Tuesday, December 16, 2008 5:20 PM
> > > > > To: current
> > > > > Subject: NAT (ipfw/natd) broken in latest -CURRENT
> > > > >
> > > > > I just upgraded my i386 -CURRENT box from November 14 to today, and
> > > > > now my SSH-over-PPP VPN tunnel no longer works. I did some packet
> > > > > captures, and it appears that NAT is no longer working. If I send a
> > > > > telnet packet from my client side over the PPP tunnel, I see the SYN
> > > > > go out on the server side network properly translated. The
> > > > > destination host ACKs correctly, but the ACK never goes back across
> > > > > the tunnel. It's as if natd is no longer translating the packet on
> > > > > the inbound path. Besides the upgrade, nothing has changed in my
> > > > > environment.
> > > > >
> > > > > My ipfw show looks like:
> > > > >
> > > > > 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> > > > > 00100   194   20696 allow ip from any to any via lo0
> > > > > 00200     0       0 deny ip from any to 127.0.0.0/8
> > > > > 00300     0       0 deny ip from 127.0.0.0/8 to any
> > > > > 65000 24714 4934785 allow ip from any to any
> > > > > 65535     5     396 deny ip from any to any
> > > > >
> > > > > I am running natd as:
> > > > >
> > > > > /sbin/natd -s -m -skinny_port 2000 -n em0
> > > > >
> > > > > The ifconfig for my tunnel interface is:
> > > > >
> > > > > tun0: flags=8051 metric 0 mtu 1300
> > > > >         inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
> > > > >         inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
> > > > >         Opened by PID 8018
> > > > >
> > > > > My netstat on the server side looks like:
> > > > >
> > > > > Internet:
> > > > > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > > > > default            172.18.254.1       UGS         0    46685    em0
> > > > > 10.1.1.76          link#5             UGH         0     1735   tun0
> > > > > 127.0.0.1          link#3             UH          0     1171    lo0
> > > > > 172.18.254.0/24    link#1             U           0        0    em0
> > > > > 172.18.254.237/32  link#1             U           0        8    em0
> > > > >
> > > > > The server's uname is:
> > > > >
> > > > > FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> > > > > Dec 16 15:42:09 EST 2008
> > > > > marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC  i386
> > > > >
> > > > > The previous, working uname was:
> > > > >
> > > > > FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
> > > > > marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
> > > > >
> > > > > Joe
> > > > >
> > > > > --
> > > > > Joe Marcus Clarke
> > > > > FreeBSD GNOME Team :: gnome@FreeBSD.org
> > > > > FreeNode / #freebsd-gnome
> > > > > http://www.FreeBSD.org/gnome
> > >
> > > --
> > > Joe Marcus Clarke
> > > FreeBSD GNOME Team :: gnome@FreeBSD.org
> > > FreeNode / #freebsd-gnome
> > > http://www.FreeBSD.org/gnome
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
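A quick check for the symptom discussed in this thread (a tunnel's point-to-point host route carrying the G flag, i.e. "UGH" instead of "UH" on a tun interface), added here as an example and not part of the original thread. The netstat sample is constructed after Joe's output, and the function names are my own.

```shell
#!/bin/sh
# Report point-to-point host routes whose flags include G (gateway/indirect).
# A p2p host route installed by a tunnel interface should be a direct route
# ("UH"); "UGH" on a tun interface is the misbehaviour described in the thread.
# Input: "netstat -rn"-style lines on stdin. Output: one line per suspect route.
find_gateway_p2p_routes() {
    awk '
        # Skip section and column headers; Flags is the third column.
        $1 == "Destination" || $1 == "Internet:" || $1 == "Internet6:" || NF < 4 { next }
        $3 ~ /G/ && $3 ~ /H/ && $NF ~ /^tun[0-9]+$/ {
            printf "%s %s %s %s\n", $1, $2, $3, $NF
        }
    '
}

# Constructed sample modeled on the netstat output quoted above (not verbatim).
SAMPLE_ROUTES='Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0'

# Suspect routes found in the sample (on a live box: netstat -rn | find_gateway_p2p_routes).
suspect_routes() {
    printf '%s\n' "$SAMPLE_ROUTES" | find_gateway_p2p_routes
}

if suspect_routes | grep -q .; then
    echo "Gateway-flagged p2p host route(s) found:"
    suspect_routes
fi
```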