kern/129093: ipfw nat must not drop packets

Eugen Konkov kes-kes at yandex.ru
Sun Nov 23 08:40:06 PST 2008


>Number:         129093
>Category:       kern
>Synopsis:       ipfw nat must not drop packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 16:40:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugen Konkov
>Release:        7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
home# uname -a
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008     kes at home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7  i386

>Description:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            195.5.5.209        UGS         0     3124    ng0
...

When I ping the world from the LAN all is good, but when I ping the world from the router I get the following picture:

Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:53 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0

It seems the packet is dropped by NAT, because there is no info about the outgoing packet, and when the incoming packet falls into NAT it is dropped =(
>How-To-Repeat:
ipfw nat 1 config if ng0 log
01 count log icmp from any to any via ng0
02 nat 1 log ip from 192.168.0.0/16 to any out xmit ng0 #put only packets from LAN
03 nat 1 log ip from any to any in recv ng0
05 count log icmp from any to any via ng0
06 allow ip from any to any

>Fix:
So I need to put packets into NAT even for locally generated packets.
Workaround:
ipfw nat 1 config if ng0 log
00001 count log icmp from any to any via ng0
00002 nat 1 log ip from any to any out xmit ng0 #put to nat packets from me too
00003 nat 1 log ip from any to any in recv ng0
00005 count log icmp from any to any via ng0
00006 allow all from any to any

HOW TO FIX:
Leave the packet untouched when NAT does not know how to deal with it.

>Release-Note:
>Audit-Trail:
>Unformatted:
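As an added example (not part of the original report), the Python below parses kernel log lines in the format shown in the Description and flags packets whose rule trace ends at a `nat` rule without ever reaching the trailing `count` rule, which is exactly the symptom the report describes. The sample lines are copied from the report; the function names are my own.

```python
import re
from collections import OrderedDict

# Log lines as printed in the report, reused here as sample input: one echo
# request leaving via ng0 at 18:09:53 and its reply coming back in.
SAMPLE_LOG = """\
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:53 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
""".splitlines()

# "<ts> <host> kernel: ipfw: <rule> <Action> <PROTO>:<t>.<c> <src> <dst> <in|out> via <if>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>[A-Z]+):(?P<type>[\d.]+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<dir>in|out) via (?P<ifname>\S+)$"
)

def parse_ipfw_log(lines):
    """Yield one dict per line that matches the ipfw log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            yield rec

def find_nat_drops(lines, final_rule):
    """Group hits into per-packet traces (same timestamp, flow and direction) and
    return those that stop at a 'Nat' action without ever reaching final_rule,
    the trailing 'count' rule that every packet surviving NAT should hit."""
    traces = OrderedDict()
    for rec in parse_ipfw_log(lines):
        key = (rec["ts"], rec["proto"], rec["src"], rec["dst"], rec["dir"])
        traces.setdefault(key, []).append((rec["rule"], rec["action"]))
    drops = []
    for (ts, proto, src, dst, direction), hits in traces.items():
        last_rule, last_action = hits[-1]
        if last_action == "Nat" and all(r != final_rule for r, _ in hits):
            drops.append({"ts": ts, "proto": proto, "src": src, "dst": dst,
                          "dir": direction, "nat_rule": last_rule})
    return drops

if __name__ == "__main__":
    for d in find_nat_drops(SAMPLE_LOG, final_rule=5):
        print(f"{d['ts']}: {d['proto']} {d['src']} -> {d['dst']} {d['dir']} "
              f"dropped after nat rule {d['nat_rule']}")
```

Run against the report's ruleset (rules 1 and 5 are the `count` rules around the `nat` rules), the outgoing echo request reaches rule 5 while the incoming reply is last seen at rule 3, so only the reply is reported as dropped in NAT.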