kern/122109: ipfw nat traceroute problem
Mikhail Dyadchenko
m.dyadchenko at 211.ru
Wed Mar 26 09:50:01 UTC 2008
>Number: 122109
>Category: kern
>Synopsis: ipfw nat traceroute problem
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 26 09:50:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Mikhail Dyadchenko
>Release: 7.0-STABLE
>Organization:
SibSet LTD
>Environment:
FreeBSD lo0.ru 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat Mar 22 12:14:16 NOVT 2008 root at lo0.ru:/usr/obj/usr/src/sys/lo0 amd64
>Description:
Problem NAT'ing traceroute ICMP answers.
traceroute to ya.ru (213.180.204.8), 64 hops max, 52 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * ^C
Tcpdump on the interface shows ICMP packets coming from all hops on the trace.
Then I put a rule to skipto ICMP traffic over the nat rules, and I got answers.
So probably the packets are dropped in the kernel libalias or in ipfw nat.
net.inet.ip.fw.one_pass: 0
Problem detected after migration from natd + divert.
Traceroute from the internal network works fine.
Kernel compiled after csup src-all
>How-To-Repeat:
nve0 - external interface
ipfw output
ipfw nat 400 config ip xxx.xxx.xxx.xxx same_ports
09500 64 3971 skipto 65000 icmp from any to any
10000 20464225 25206636648 nat 400 ip from 10.1.255.0/28 to any via nve0
10100 13407049 3332989310 nat 400 ip from any to xxx.xxx.xxx.xxx via nve0
10200 30 1200 deny ip from not xxx.xxx.xxx.xxx to any out xmit nve0
65000 181231789 158968737448 allow ip from any to any
When I remove rule 09500, the ICMP packets die on the nat rule.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
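As an added illustration (not part of the PR or of ipfw), a small first-match simulator of the ruleset quoted above, showing which rules the inbound ICMP reply and outbound packets hit with and without the skipto workaround (rule 09500). It assumes 203.0.113.1 as a placeholder for the masked xxx.xxx.xxx.xxx and does not model libalias's own state lookup, which is where the PR reports the drop.

```python
import ipaddress
from collections import namedtuple

EXT_IP = ipaddress.ip_address("203.0.113.1")  # constructed stand-in for xxx.xxx.xxx.xxx
INTERNAL = ipaddress.ip_network("10.1.255.0/28")
Pkt = namedtuple("Pkt", "proto src dst direction")  # direction: "in"/"out" on nve0

def pkt(proto, src, dst, direction):
    return Pkt(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), direction)

# (number, action, proto, match predicate, outbound-only): the PR's ruleset
RULES = [
    (9500,  "skipto 65000", "icmp", lambda p: True,              False),
    (10000, "nat 400",      "ip",   lambda p: p.src in INTERNAL, False),  # via nve0
    (10100, "nat 400",      "ip",   lambda p: p.dst == EXT_IP,   False),  # via nve0
    (10200, "deny",         "ip",   lambda p: p.src != EXT_IP,   True),   # out xmit nve0
    (65000, "allow",        "ip",   lambda p: True,              False),
]

def _matches(rule, p):
    _, _, proto, pred, out_only = rule
    if proto != "ip" and proto != p.proto:
        return False
    if out_only and p.direction != "out":
        return False
    return pred(p)

def walk(p, rules=RULES):
    """First-match walk with net.inet.ip.fw.one_pass=0 (as in the PR): after a nat
    rule the translated packet continues at the next rule.
    Returns (final action, matched rule numbers, packet as it leaves the walk)."""
    hits, i = [], 0
    while i < len(rules):
        num, action = rules[i][0], rules[i][1]
        if not _matches(rules[i], p):
            i += 1
            continue
        hits.append(num)
        if action.startswith("skipto"):
            target = int(action.split()[1])
            i = next(j for j, r in enumerate(rules) if r[0] >= target)
        elif action.startswith("nat"):
            # Outbound: libalias rewrites a private source to EXT_IP. The inbound
            # ICMP-error lookup that the PR reports as failing is not modelled.
            if p.direction == "out" and p.src in INTERNAL:
                p = p._replace(src=EXT_IP)
            i += 1
        else:
            return action, hits, p
    return "deny (default)", hits, p
```

The walk also makes the cost of the workaround visible: rule 09500 sends every ICMP packet, internal hosts' included, past both nat rules and the 10200 anti-spoof deny, so such packets leave nve0 untranslated.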