Date: Sat, 26 Dec 2009 17:06:48 -0500 (EST)
From: Joe Marcus Clarke
To: Luigi Rizzo
Cc: luigi@freebsd.org, FreeBSD Current
Subject: Re: NAT broken in -CURRENT
In-Reply-To: <20091226212104.GA10498@onelab2.iet.unipi.it>
References: <1261859138.1555.26.camel@shumai.marcuscom.com> <20091226212104.GA10498@onelab2.iet.unipi.it>

PGP Key : http://www.marcuscom.com/pgp.asc

On Sat, 26 Dec 2009, Luigi Rizzo wrote:
> On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> ...
>> I updated my -CURRENT box yesterday. After a reboot, NAT no longer
>> works. That is, if I have natd running with ipfw diverting packets to
>> it, the box is a big black hole. No packets leave. I do see all
> ...
>> I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
>> the problem. Thinking that perhaps the new modularity is causing this
>> problem, I also added the following two options to my kernel:
>>
>> options IPFIREWALL_NAT
>> options LIBALIAS
>>
>> They did not help. I have not tried using a purely modular ipfw/NAT
>> combination, but I will attempt that later today. I didn't see anything
>> obvious in UPDATING. Any suggestions, or any recommendations for
>> specific troubleshooting data to capture? Thanks.
>
> the changes were not expected to affect configuration or operation
> so clearly i must have broken something in the reinjection process.
> If you have a chance of looking at the ipfw counters (to see whether
> packets are reinjected and where they end up) that would be helpful.
> I'll try to run some tests here tomorrow or more likely on monday.

The packets appear to be looping to the divert socket. The ipfw counters
show the divert rule is growing exponentially, whereas the other rules
have virtually no packet matches.
This is just after a few seconds of uptime:

00050 5758974 420333325 divert 8668 ip4 from any to any via 172.18.254.236
00100       8       480 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
00400       0         0 deny ip from any to ::1
00500       0         0 deny ip from ::1 to any
00600       0         0 allow ipv6-icmp from :: to ff02::/16
00700       0         0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800      12      1032 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0         0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0         0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000       0         0 allow ip from any to any
65535      14      1056 deny ip from any to any

Joe

>
> cheers
> luigi
>
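As an added illustration (not part of this thread or of FreeBSD's ipfw tooling), a small Python check that parses `ipfw -a list` counters in the format shown above and flags a divert rule whose packet count dwarfs every other rule, the reinjection-loop symptom Joe reports; the 100:1 threshold and both sample outputs are constructed assumptions.

```python
import re

# Constructed sample input: the `ipfw -a list` counters quoted in the report
# above (rule number, packets, bytes, action, rule body), trimmed to a few rules.
LOOPING = """\
00050 5758974 420333325 divert 8668 ip4 from any to any via 172.18.254.236
00100 8 480 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00800 12 1032 allow ipv6-icmp from fe80::/10 to ff02::/16
65000 0 0 allow ip from any to any
65535 14 1056 deny ip from any to any
"""

# Constructed contrast: a working natd setup, where packets reinjected by
# natd go on to match the later pass/deny rules instead of the divert rule again.
HEALTHY = """\
00050 240 31200 divert 8668 ip4 from any to any via 172.18.254.236
00100 8 480 allow ip from any to any via lo0
65000 236 30100 allow ip from any to any
65535 4 320 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

def parse_ipfw_counters(text):
    """Parse `ipfw -a list` output into dicts with rule, pkts, bytes, action, body."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a rule
        rules.append({"rule": int(m.group(1)), "pkts": int(m.group(2)),
                      "bytes": int(m.group(3)), "action": m.group(4),
                      "body": m.group(5)})
    return rules

def divert_loop_suspects(rules, ratio=100):
    """Return divert rules whose packet count exceeds `ratio` times the packets
    matched by all non-divert rules combined. Reinjected packets normally hit a
    later pass/deny rule, so the counts stay comparable; a divert counter that
    dwarfs every other rule is the loop symptom described in the report."""
    other = sum(r["pkts"] for r in rules if r["action"] != "divert")
    return [r for r in rules
            if r["action"] == "divert" and r["pkts"] > ratio * max(other, 1)]
```

Running it against the quoted counters flags rule 00050 and against the healthy sample flags nothing; on a live box the same check can be run periodically against `ipfw -a list` to catch the loop before the divert counter has to reach millions.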