kern/149572: ipfw kernel nat not working properly
Alexander Apanasenko
apanasis at mail.ru
Thu Aug 12 11:20:02 UTC 2010
>Number: 149572
>Category: kern
>Synopsis: ipfw kernel nat not working properly
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 12 11:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Alexander Apanasenko
>Release: 8.1-RELEASE
>Organization:
>Environment:
FreeBSD gate100.bis 8.1-RELEASE FreeBSD 8.1-RELEASE #1: Tue Aug 10 11:25:07 MSD 2010 apanas at gate100.bis:/usr/obj/usr/src/sys/GATE i386
>Description:
After upgrading from 8.0-RELEASE to 8.1-RELEASE, IPFW kernel nat rules are not working.
The nat config in ipfw is:
ipfw nat 1 config if fxp2 log deny_in same_ports reset
rules:
...
20700 nat 1 ip from any to any via fxp2
29900 deny ip from any to any
sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 1
fxp2 is the external interface.
In the 8.0 release these rules work fine:
20700 12221 1314739 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any
but in 8.1 all packets matched by rule 20700 do not leave the firewall
and continue on to rule 29900:
20700 0 5847 nat 1 ip from any to any via fxp2
29900 0 6023 deny ip from any to any
>How-To-Repeat:
On 8.1-RELEASE system with kernel ipfw options
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPDIVERT
options DUMMYNET
options LIBALIAS
and sysctl net.inet.ip.fw.one_pass=1
do:
ipfw add allow ip from any to any via int_iface
ipfw add nat 1 ip from any to any via ext_iface
ipfw nat 1 config if ext_iface same_ports
ipfw add deny ip from any to any
and you can see that all packets, after aliasing on the nat 1 rule, go to the deny rule.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
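An added diagnostic (not part of the PR) that checks for the fall-through described above: with one_pass=1, a packet that matched the nat rule should leave the ruleset, so between two `ipfw -a list` snapshots the deny rule's packet counter should not grow in step with the nat rule's. Rule numbers 20700 and 29900 are the PR's; the counter values in the snapshots are constructed, and the live invocation at the end is hypothetical.

```shell
# rule_pkts SNAPSHOT RULE -> packet counter of RULE in an `ipfw -a list`
# snapshot (columns: rule pkts bytes action...); 0 if the rule is absent.
rule_pkts() {
    printf '%s\n' "$1" | awk -v r="$2" \
        '$1 == r { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# one_pass_fallthrough BEFORE AFTER NAT_RULE DENY_RULE [ONE_PASS]
# Prints "fallthrough" when NAT'd packets are also being counted by the final
# deny rule although one_pass=1 (the PR's 8.1 symptom), "ok" otherwise.
# With one_pass=0 packets are expected to continue past the nat rule.
one_pass_fallthrough() {
    one_pass=${5:-1}
    nat_d=$(( $(rule_pkts "$2" "$3") - $(rule_pkts "$1" "$3") ))
    deny_d=$(( $(rule_pkts "$2" "$4") - $(rule_pkts "$1" "$4") ))
    if [ "$one_pass" -eq 1 ] && [ "$nat_d" -gt 0 ] && [ "$deny_d" -ge "$nat_d" ]; then
        echo fallthrough
    else
        echo ok
    fi
}

# Constructed snapshots modelled on the PR's 8.0 behaviour: the nat counter
# moves, the deny counter stays at zero.
SNAP_80_A='20700 12000 1300000 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any'
SNAP_80_B='20700 12221 1314739 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any'

# Constructed snapshots modelled on the reported 8.1 behaviour: every packet
# counted by the nat rule is also counted by the deny rule.
SNAP_81_A='20700 100 5847 nat 1 ip from any to any via fxp2
29900 100 6023 deny ip from any to any'
SNAP_81_B='20700 250 14000 nat 1 ip from any to any via fxp2
29900 250 14500 deny ip from any to any'

# Hypothetical live use on the FreeBSD gateway (needs root and ipfw):
#   a=$(ipfw -a list); sleep 10; b=$(ipfw -a list)
#   one_pass_fallthrough "$a" "$b" 20700 29900 "$(sysctl -n net.inet.ip.fw.one_pass)"
```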