kern/129093: ipfw nat must not drop packets
Eugen Konkov
kes-kes at yandex.ru
Sun Nov 23 08:40:06 PST 2008
>Number: 129093
>Category: kern
>Synopsis: ipfw nat must not drop packets
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 23 16:40:05 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eugen Konkov
>Release: 7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
home# uname -a
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008 kes at home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7 i386
>Description:
Destination Gateway Flags Refs Use Netif Expire
default 195.5.5.209 UGS 0 3124 ng0
...
When I ping the world from the LAN all is good, but when I ping the world from the router I get the following picture:
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:53 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
It seems the packet is dropped by NAT, because there is no info about the outgoing packet, and when the incoming packet falls into NAT it is dropped =(
>How-To-Repeat:
ipfw nat 1 config if ng0 log
01 count log icmp from any to any via ng0
02 nat 1 log ip from 192.168.0.0/16 to any out xmit ng0 #put only packets from LAN
03 nat 1 log ip from any to any in recv ng0
05 count log icmp from any to any via ng0
06 allow ip from any to any
>Fix:
So I need to put packets to NAT even for locally generated packets.
Workaround:
ipfw nat 1 config if ng0 log
00001 count log icmp from any to any via ng0
00002 nat 1 log ip from any to any out xmit ng0 #put to nat packets from me too
00003 nat 1 log ip from any to any in recv ng0
00005 count log icmp from any to any via ng0
00006 allow all from any to any
HOW TO FIX:
Leave the packet untouched when NAT does not know how to deal with it.
>Release-Note:
>Audit-Trail:
>Unformatted:
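To make the reported failure concrete, here is an added Python model of what the rule sets above do (my own simplification, not ipfw or libalias code): the NAT table only learns a flow from packets that pass the outbound nat rule, so a reply whose request bypassed that rule finds no entry. The addresses come from the log above; the `pass_unknown_in` switch is a made-up name standing for the proposed fix.

```python
# Added model of the ipfw nat behaviour reported above. It is a constructed
# simplification, not ipfw or libalias code; addresses come from the PR log.
LAN_PREFIX = "192.168."          # stands in for 192.168.0.0/16 in rule 02
ROUTER_IP = "91.124.239.145"     # the router's own address on ng0
REMOTE_IP = "195.5.5.209"        # the host being pinged


class Nat:
    """Minimal ICMP-echo NAT: a table keyed by (remote, icmp id)."""

    def __init__(self, pass_unknown_in=False):
        self.table = {}                         # (remote, icmp_id) -> inside source
        self.pass_unknown_in = pass_unknown_in  # hypothetical "fix" switch

    def outbound(self, src, dst, icmp_id):
        # Outgoing packet: record the flow and rewrite the source address.
        self.table[(dst, icmp_id)] = src
        return ROUTER_IP

    def inbound(self, src, dst, icmp_id):
        # Incoming reply: translate if known, else drop (reported) or pass (fix).
        inside = self.table.get((src, icmp_id))
        if inside is not None:
            return ("nat", inside)
        if self.pass_unknown_in:
            return ("pass", dst)
        return ("drop", dst)


def ping(src, lan_only_out=True, pass_unknown_in=False, icmp_id=0x1234):
    """Send one echo request from src and return the verdict on its reply.

    lan_only_out=True models rule 02 ("from 192.168.0.0/16 to any out");
    False models the workaround ("from any to any out"). Rule 03 sends every
    incoming packet on ng0 to nat, so the reply always reaches the table.
    """
    nat = Nat(pass_unknown_in)
    if not lan_only_out or src.startswith(LAN_PREFIX):
        wire_src = nat.outbound(src, REMOTE_IP, icmp_id)
    else:
        wire_src = src              # locally generated packet bypasses nat
    # The reply comes back addressed to whatever source went out on the wire.
    return nat.inbound(REMOTE_IP, wire_src, icmp_id)


if __name__ == "__main__":
    print("LAN host, original rules:   ", ping("192.168.1.10"))
    print("router itself, original:    ", ping(ROUTER_IP))
    print("router itself, workaround:  ", ping(ROUTER_IP, lan_only_out=False))
    print("router itself, proposed fix:", ping(ROUTER_IP, pass_unknown_in=True))
```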