kern/147720: [ipfw] ipfw dynamic rules and fwd

Vadim Goncharov vadim_nuclight at mail.ru
Tue Jul 12 16:20:11 UTC 2011


The following reply was made to PR kern/147720; it has been noted by GNATS.

From: Vadim Goncharov <vadim_nuclight at mail.ru>
To: "skeletor at lissyara.su" <skeletor at lissyara.su>
Cc: bug-followup at FreeBSD.org
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Date: Tue, 12 Jul 2011 22:45:47 +0700

 Hi skeletor at lissyara.su! 
 
 On Tue, 21 Jun 2011 07:10:07 GMT; skeletor at lissyara.su <skeletor at lissyara.su> wrote:
 
 >  I tested patch-1.diff and found several problems. When I use 2 channels 
 >  my VPN (I use mpd with connect type pptp) stops working. This problem 
 >  does not appear on all servers.
 >  
 >  Here are my results of tests:
 >  
 >  1) FreeBSD 8.1 amd64 (VPN server), 2 external real IPs - VPN doesn't work
 >  2) FreeBSD 8.2 i386, 1 external real IP (the second is not real) - 
 >  connecting on the second (not real) IP doesn't work
 >  3) FreeBSD 8.1 i386 (VPN client), 2 external real IPs - all works fine
 >  4) FreeBSD 8.2 i386 (VPN client), 1 external real IP (the second is not 
 >  real) - connecting from 2 external IPs works, but VPN doesn't work.
 
 This is not really a problem with the patch, as PPTP uses not only a TCP
 connection but also establishes a GRE tunnel, which is independent of that TCP
 connection from the dynamic rules' point of view. There must be something
 tracking the packet data payload (e.g. the libalias-based NAT engine supports this)
 which will link the two connections together.
 
 This message, still, does not provide any useful information even to conclude
 whether there is some regression with this patch. Personally I think this is an
 architectural problem with PPTP, and the patch was just used in inappropriate
 conditions, i.e. such a configuration should be avoided, and the patch itself is OK.
 
 -- 
 WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight at mail.ru
 [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
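
The point made in the reply above, as an added example that is not part of the original message, the patch, or ipfw's code: a simplified model of address/port-keyed dynamic state, showing that state created by the PPTP control connection (TCP port 1723) does not cover the GRE tunnel (IP protocol 47) unless something reads the control payload and links the two. The class, function names, addresses and sample message are constructed for illustration; the header layout follows RFC 2637.

```python
import struct

TCP, GRE = 6, 47                 # IP protocol numbers
PPTP_PORT = 1723                 # PPTP control channel (RFC 2637)
PPTP_MAGIC = 0x1A2B3C4D          # magic cookie in every control message
OUT_CALL_REQUEST = 7             # Outgoing-Call-Request control message type


class StateTable:
    """Simplified model of keep-state matching; not ipfw's implementation."""

    def __init__(self, pptp_helper=False):
        self.flows = set()        # entries keyed on (proto, endpoint, endpoint)
        self.gre_calls = set()    # (host_a, host_b, call_id) learned by the helper
        self.pptp_helper = pptp_helper

    @staticmethod
    def _key(proto, src, dst, sport=0, dport=0):
        # Direction-independent key, so replies match the same entry.
        return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

    def outbound(self, proto, src, dst, sport=0, dport=0, payload=b""):
        """Packet accepted by a keep-state rule: create the dynamic entry."""
        self.flows.add(self._key(proto, src, dst, sport, dport))
        if self.pptp_helper and proto == TCP and dport == PPTP_PORT:
            self._inspect_pptp(src, dst, payload)

    def _inspect_pptp(self, src, dst, payload):
        # Header: length, message type, magic cookie, control type, reserved,
        # followed by the Call ID for call-setup messages.
        if len(payload) < 14:
            return
        _, _, magic, ctrl, _, call_id = struct.unpack("!HHIHHH", payload[:14])
        if magic == PPTP_MAGIC and ctrl == OUT_CALL_REQUEST:
            self.gre_calls.add((src, dst, call_id))

    def inbound_allowed(self, proto, src, dst, sport=0, dport=0, call_id=None):
        """Does a returning packet match existing state?"""
        if self._key(proto, src, dst, sport, dport) in self.flows:
            return True
        # GRE has no ports; only a payload-aware helper can tie it to the call.
        return proto == GRE and (dst, src, call_id) in self.gre_calls


def sample_call_request(call_id):
    """Constructed sample: truncated Outgoing-Call-Request (header + Call ID)."""
    body = struct.pack("!HIHHH", 1, PPTP_MAGIC, OUT_CALL_REQUEST, 0, call_id)
    return struct.pack("!H", len(body) + 2) + body
```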

