misc/162739: ipfw+nat redirect_addr option no longer works (as expected?)

Terrence Koeman terrence at mediamonks.net
Mon Nov 21 22:20:06 UTC 2011


>Number:         162739
>Category:       misc
>Synopsis:       ipfw+nat redirect_addr option no longer works (as expected?)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 21 22:20:05 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Terrence Koeman
>Release:        8.2-STABLE on 2011.07.10.03.00.00
>Organization:
>Environment:
FreeBSD satanael 8.2-STABLE FreeBSD 8.2-STABLE #30: Mon Nov 21 17:18:52 CET 2011     terrence at satanael:/usr/obj/usr/src/sys/SATANAEL-SMP  amd64

compiled from cvs 2011.07.10.03.00.00
>Description:
I updated an 8-STABLE machine recently (last update February 2011) and noticed that the static NAT translations stopped working.

Relevant ipfw rules:

----
$cmd nat   20 config  ip $outsidenat \
    redirect_addr 172.16.0.70 ext.ext.ext.70 \
    redirect_addr 172.16.0.68 ext.ext.ext.68 \
    redirect_addr 172.16.0.69 ext.ext.ext.69 \
    redirect_addr 172.16.0.71 ext.ext.ext.71 \
    redirect_addr 172.16.0.72 ext.ext.ext.72 \
    redirect_addr 172.16.0.73 ext.ext.ext.73 \
    redirect_addr 172.16.0.74 ext.ext.ext.74 \
    redirect_addr 172.16.0.75 ext.ext.ext.75 \
    redirect_addr 172.16.0.76 ext.ext.ext.76 \
    redirect_addr 172.16.0.77 ext.ext.ext.77 

  $cmd add 00450 nat   20       all  from $insidenet        to not $insidenet       out via $outside

  $cmd add 00500 nat   20       all  from any               to $outsidenet          in  via $outside
----

This makes 172.16.0.70-77 get static nat-ed to ext.ext.ext.70-77 and any other 172.16.0.0/12 to $outsidenat.

This works when I use cvs 2011.07.01.03.00.00, and this stops working when I use 2011.07.10.03.00.00. 

By 'stops working' I mean that clients 172.16.0.70-77 are translated to $outsidenat instead of ext.ext.ext.70-77 as expected. When I remove the general nat IP (ip $outsidenat), translation ceases entirely.

I suspected that svn commit r223872 (http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-July/005776.html) might be the cause and chose the dates accordingly. The problem seems to be caused by this change.
>How-To-Repeat:
Use cvs 2011.07.10.03.00.00, compile, install kernel & world. redirect_addr stops working.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
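
One way to confirm the symptom described in this report after a kernel update, as an added example that is not part of the original report: correlate TCP SYNs captured with `tcpdump -nn` on the inside and outside interfaces and flag hosts whose translated source is not their static mapping. The function names, the map file format and all addresses (RFC 5737 documentation ranges) are assumptions made for this sketch.

```shell
# nat_mismatches MAP INSIDE_CAP OUTSIDE_CAP
#   MAP: "inside_ip expected_public_ip" per line
#   *_CAP: `tcpdump -nn` text from the inside / outside interface
# Prints one line per inside host whose translated source is wrong.
nat_mismatches() {
    awk '
    # Assumption: dst ip.port and TCP seq are unchanged by source NAT.
    function key(   i) {
        for (i = 1; i <= NF; i++)
            if ($i == "seq") return $5 $(i + 1)
        return ""
    }
    function src(   s) { s = $3; sub(/\.[0-9]+$/, "", s); return s }
    FILENAME == ARGV[1] { want[$1] = $2; next }
    $2 != "IP" || key() == "" { next }
    FILENAME == ARGV[2] { inside[key()] = src(); next }
    (key() in inside) {
        h = inside[key()]
        if ((h in want) && want[h] != src() && !seen[h]++)
            print h, "expected=" want[h], "got=" src()
    }' "$1" "$2" "$3"
}

# Constructed sample: .70 is translated correctly, .71 falls through to
# the general alias address, which is the behaviour the report describes.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/map" <<'EOF'
172.16.0.70 203.0.113.70
172.16.0.71 203.0.113.71
EOF
    cat > "$d/in" <<'EOF'
22:20:05.000001 IP 172.16.0.70.51000 > 198.51.100.10.80: Flags [S], seq 1000, win 65535, length 0
22:20:05.000002 IP 172.16.0.71.51001 > 198.51.100.10.80: Flags [S], seq 2000, win 65535, length 0
EOF
    cat > "$d/out" <<'EOF'
22:20:05.000003 IP 203.0.113.70.51000 > 198.51.100.10.80: Flags [S], seq 1000, win 65535, length 0
22:20:05.000004 IP 203.0.113.1.51001 > 198.51.100.10.80: Flags [S], seq 2000, win 65535, length 0
EOF
    nat_mismatches "$d/map" "$d/in" "$d/out"
    rm -rf "$d"
}

demo
```
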

