kern/76539: ipnat + dummynet on output on same interface broken

Damien Mercier damien.mercier at grosmi.net
Fri Jan 21 09:20:34 PST 2005


>Number:         76539
>Category:       kern
>Synopsis:       ipnat + dummynet on output on same interface broken
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 17:20:33 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Damien Mercier
>Release:        5.3-RELEASE-p8
>Organization:
>Environment:
FreeBSD test.grosmi.net 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #1: Fri Jan 21 17:35:16 CET 2005     root at test.grosmi.net:/usr/src/sys/i386/compile/FW3TEST  i386
>Description:
      This is really similar to kern/61685.
When ipnat and dummynet are configured on the same interface on output, the packet coming out of dummynet goes through ipnat a second time. If the dummynet ipfw rule is replaced by a simple pass rule, everything works correctly.
>How-To-Repeat:
      Configure ipnat and dummynet on the same output interface for the same packets going out. Try to send a packet that matches those rules, and notice that you cannot establish a connection. Then ipnat -l shows that the packet is nat-ed twice.

Moreover, if there are some ipf rules that should let the packet pass before the nat rule, but not after nat, ipf blocks the packet coming out of the dummynet (it is already nat-ed, and should go out directly).

On the test setup, there are also redirect rules on the input side, and the first attempt (on FreeBSD 4.x) hit the kern/61685 problem :(
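To make the failure mode concrete, here is a small model of the output path described in this report (pfil output hook running ipnat, then an ipfw pipe handing the packet to dummynet, which reinjects it through ip_output()). It is an added example written for this page, not FreeBSD's code: the class and function names, the addresses, the port range and the "map 0/0" style rule are all constructed for illustration. It shows why a packet translated twice cannot get its reply back to the inside host, and how a reinjection flag checked in ip_output() avoids the second pass.

```python
# Added example: toy model of ip_output() -> pfil (ipnat) -> dummynet reinjection.
# Everything here (PfilNat, Pkt, ip_output, dummynet_send, addresses, ports) is a
# constructed illustration of the path the bug report describes, not kernel code.
from dataclasses import dataclass, field
from typing import Optional, Tuple

EXT_ADDR = "203.0.113.1"   # constructed: NAT external address of the output interface


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # stands in for mbuf m_flags


class PfilNat:
    """Toy ipnat: a 'map iface 0/0 -> EXT_ADDR portmap' rule with a state table.
    Because the rule matches any source, a packet that already carries EXT_ADDR
    still matches and gets a fresh mapping (the 'nat-ed twice' symptom)."""

    def __init__(self) -> None:
        self.next_port = 40000
        self.out = {}        # (src, sport, dst, dport) -> mapped source port
        self.back = {}       # (peer, pport, EXT_ADDR, mapped) -> original (src, sport)
        self.translations = 0

    def outbound(self, p: Pkt) -> Pkt:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(p.dst, p.dport, EXT_ADDR, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        self.translations += 1
        return Pkt(EXT_ADDR, self.out[key], p.dst, p.dport, set(p.flags))

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Reverse-map a reply once, as the input hook would; None if no state matches."""
        orig = self.back.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None
        return Pkt(p.src, p.sport, orig[0], orig[1])


def dummynet_send(p: Pkt, nat: PfilNat, fixed: bool) -> Pkt:
    """dummynet releases a delayed packet by calling ip_output() again."""
    if fixed:
        p.flags.add("M_SKIP_FIREWALL")   # what the report's first hunk does
    return ip_output(p, nat, fixed, from_dummynet=True)


def ip_output(p: Pkt, nat: PfilNat, fixed: bool, from_dummynet: bool = False) -> Pkt:
    """Output path: pfil output hooks (ipnat), then the ipfw pipe rule."""
    skip_hooks = fixed and "M_SKIP_FIREWALL" in p.flags   # the report's second hunk
    if not skip_hooks:
        p = nat.outbound(p)
    if not from_dummynet:
        # ipfw 'pipe' rule: dummynet queues the packet and reinjects it later
        return dummynet_send(p, nat, fixed)
    return p   # on the wire


def run(fixed: bool) -> Tuple[int, int, Optional[str]]:
    """Send one SYN from an inside host and see where the server's reply lands.
    Returns (number of ipnat translations, source port on the wire, reply's final dst)."""
    nat = PfilNat()
    wire = ip_output(Pkt("10.0.0.5", 1234, "198.51.100.7", 80), nat, fixed)
    reply = Pkt(wire.dst, wire.dport, wire.src, wire.sport)   # server answers the mapped port
    delivered = nat.inbound(reply)
    return nat.translations, wire.sport, delivered.dst if delivered else None


if __name__ == "__main__":
    # Without the fix the reply is un-mapped only one level and ends at the
    # firewall's own address; with it the inside host gets its reply.
    print("broken:", run(fixed=False))
    print("fixed: ", run(fixed=True))
```

Without the skip flag the model translates the packet twice (40000, then 40001); the reply to port 40001 is reverse-mapped only once on input, to 203.0.113.1:40000, so the connection attempt from 10.0.0.5 never completes, which is exactly what the report's ipnat -l observation points at. With the flag honoured on reinjection there is one translation and the reply reaches 10.0.0.5:1234.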
>Fix:
In netinet/ip_dummynet.c add around line 454:
 switch (pkt->dn_dir) {
 case DN_TO_IP_OUT:
 +  m->m_flags |= M_SKIP_FIREWALL;
    (void)ip_output(m, NULL, NULL, pkt->flags, NULL. NULL);
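Review bot: the context line `(void)ip_output(m, NULL, NULL, pkt->flags, NULL. NULL);` has a period between the last two arguments where a comma belongs, so this fragment will not match the source as written; it looks like a transcription slip and is worth correcting before anyone applies it. The new `m_flags |= M_SKIP_FIREWALL` line is only added on the DN_TO_IP_OUT arm, which fits the output-side problem described, but the input-side case the description mentions (kern/61685) is left untouched by this change.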

In netinet/ip_output.c, add around line 660:
 if (inet_pfil_hook.ph_busy_count == -1)
    goto passout;
 + if (m->m_flags & M_SKIP_FIREWALL)
 +   goto passout;
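Review bot: `if (m->m_flags & M_SKIP_FIREWALL) goto passout;` makes ip_output() skip every pfil output hook for any mbuf carrying that flag, not only the second ipnat pass this report is about, so any ipf rule on that hook is also bypassed for such packets. The description says that is the intent for packets reinjected by dummynet (already nat-ed, should go out directly), but the patch should state that M_SKIP_FIREWALL now means "skip pfil too" for every caller that sets it, and consider clearing the flag or narrowing the test so other reinjection paths do not silently bypass filtering. Placing the check right after the `ph_busy_count == -1` test, before the hooks are run, is the right spot.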

>Release-Note:
>Audit-Trail:
>Unformatted:

