Date:      Sat, 4 Sep 2004 09:35:34 GMT
From:      Bokhan Artem <art@academ.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/71366: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)
Message-ID:  <200409040935.i849ZYYR068675@www.freebsd.org>
Resent-Message-ID: <200409040940.i849e97T081827@freefall.freebsd.org>


>Number:         71366
>Category:       kern
>Synopsis:       "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 04 09:40:09 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Bokhan Artem
>Release:        4.10-STABLE
>Organization:
>Environment:
FreeBSD anchor.academ.org 4.10-STABLE FreeBSD 4.10-STABLE #0: Sat Sep  4 13:22:12 NOVST 2004     art@anchor.academ.org:/usr/obj/usr/src/sys/anchor.academ.org  i386
>Description:
I have a FreeBSD router, which forwards packets to web-accelerator (squid) using ipfw fwd.
em1 is attached to the subnet where the web server and proxy server are located. The rule in the firewall is "fwd proxy.host tcp from any to web.host 80 out xmit em1". No other rule with "fwd" exists anywhere in the firewall. But some packets (2-10%) which don't meet this rule (icmp in the example below), with dst ip of web.host, are also forwarded to proxy.host! Look at an example:
____________________
ping -c 200 81.1.226.245
____________________
tcpdump -e -i em1 -n -c 200 icmp and src host 192.168.234.7 and dst host 81.1.226.245

15:39:56.972906 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:39:57.982569 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:39:58.992741 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:00.002888 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:01.012531 0:4:23:a8:a0:75 0:2:b3:be:cc:7e 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
15:40:02.022757 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:03.032838 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:04.042498 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request

00:02:b3:be:ce:37 - mac of web host
00:02:b3:be:cc:7e - mac of proxy host


>How-To-Repeat:
      
>Fix:
To avoid the problem I use the same rule, but without "out xmit em1".

>Release-Note:
>Audit-Trail:
>Unformatted:
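A small check for the symptom described in this report, added here as an example and not part of the PR or of FreeBSD: it parses "tcpdump -e" output, normalizes the unpadded MAC octets, and flags frames whose Ethernet destination differs from the MAC expected for the IP destination, so the 2-10% of misdirected packets can be counted instead of eyeballed. The expected-MAC table and the sample lines are taken from the report above; the parsing pattern assumes the old-style tcpdump output format shown there.

```python
import re

# Constructed input: the tcpdump -e lines quoted in the report above
# (8 ICMP echo requests; the fifth carries the proxy host's MAC).
SAMPLE = """\
15:39:56.972906 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:39:57.982569 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:39:58.992741 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:00.002888 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:01.012531 0:4:23:a8:a0:75 0:2:b3:be:cc:7e 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:02.022757 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:03.032838 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:04.042498 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
"""

# Expected next-hop MAC per destination IP (from the report: the web host's MAC).
EXPECTED = {"81.1.226.245": "00:02:b3:be:ce:37"}

# One frame as printed by "tcpdump -e" (old-style output, unpadded MAC octets).
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) [0-9a-f]{4} \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def norm_mac(mac):
    """Zero-pad each octet so 0:2:b3:be:ce:37 compares equal to 00:02:b3:be:ce:37."""
    return ":".join(octet.zfill(2) for octet in mac.split(":"))

def find_rewritten(dump_text, expected):
    """Return (mismatches, checked): frames whose L2 destination differs from
    the MAC expected for their L3 destination, and how many frames were compared."""
    mismatches, checked = [], 0
    for line in dump_text.splitlines():
        m = FRAME_RE.match(line)
        if not m or m["dst"] not in expected:
            continue  # not a frame line, or a destination with no expectation
        checked += 1
        want, got = norm_mac(expected[m["dst"]]), norm_mac(m["dmac"])
        if got != want:
            mismatches.append((m["ts"], m["dst"], got, want))
    return mismatches, checked

if __name__ == "__main__":
    bad, n = find_rewritten(SAMPLE, EXPECTED)
    for ts, dst, got, want in bad:
        print(f"{ts} {dst}: sent to {got}, expected {want}")
    print(f"{len(bad)}/{n} frames rewritten ({100 * len(bad) / max(n, 1):.1f}%)")
```

Run it against a longer capture (e.g. the 200-packet ping in the report) to get a rewrite rate, and extend EXPECTED with one entry per host behind the fwd rule.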