[Bug 213154] ipfw nat single pass with ipfw netgraph multi pass
From: bugzilla-noreply at freebsd.org
Date: Sun Oct 2 05:06:56 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213154
Bug ID: 213154
Summary: ipfw nat single pass with ipfw netgraph multi pass
Product: Base System
Version: 11.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: avernar at gmail.com
Created attachment 175361 (Proposed patch)
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=175361&action=edit
It is very difficult to get ipfw nat to work with a stateful firewall (keep-state and check-state) in multi-pass mode. The issue is that the state rules have to come after the nat rules. This makes keep-state see the external IP while check-state sees the internal IP, and it doesn't work. It is easier to just use single pass.

Unfortunately, you can't use single pass with certain netgraph nodes like tcpmss. The packets need to come back.

So I propose we add an additional net.inet.ip.fw.one_pass_nat knob to enable one-pass nat when net.inet.ip.fw.one_pass is set to 0 for netgraph, pipes and queues.
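To make the address mismatch in the report concrete, here is an added, deliberately simplified model of ipfw rule traversal (not FreeBSD code and not the attached patch). It assumes a libalias-like nat that rewrites the LAN address 192.168.1.10 to the external address 203.0.113.1, a ruleset of nat, check-state, keep-state, then deny, and treats the proposed one_pass_nat knob as "the nat rule terminates the search"; all addresses are constructed.

```python
from dataclasses import dataclass, field

INTERNAL, EXTERNAL, PEER = "192.168.1.10", "203.0.113.1", "198.51.100.7"  # constructed


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out" or "in"


@dataclass
class Firewall:
    one_pass: bool
    one_pass_nat: bool = False  # the knob proposed in the report (assumed semantics)
    states: set = field(default_factory=set)
    trace: list = field(default_factory=list)

    def nat(self, p):
        # libalias-like rewrite: internal src -> external going out, external dst -> internal coming in
        if p.direction == "out" and p.src == INTERNAL:
            p.src = EXTERNAL
        elif p.direction == "in" and p.dst == EXTERNAL:
            p.dst = INTERNAL
        # nat ends the search under one_pass, or under the proposed one_pass_nat knob
        return "accept" if (self.one_pass or self.one_pass_nat) else None

    def check_state(self, p):
        # state entries are unordered address pairs, so a reply matches its request
        return "accept" if frozenset((p.src, p.dst)) in self.states else None

    def keep_state(self, p):
        if p.direction == "out":
            self.states.add(frozenset((p.src, p.dst)))
            return "accept"
        return None

    def run(self, p):
        # rule order from the report: nat before the state rules, implicit deny last
        for name, action in (("nat", self.nat), ("check-state", self.check_state), ("keep-state", self.keep_state)):
            verdict = action(p)
            self.trace.append(f"{name}: src={p.src} dst={p.dst} -> {verdict}")
            if verdict:
                return verdict
        return "deny"


def reply_verdict(one_pass=False, one_pass_nat=False):
    """Send one outbound packet from the LAN host, then its reply; return the reply's verdict
    and the address pairs keep-state recorded."""
    fw = Firewall(one_pass, one_pass_nat)
    fw.run(Packet(INTERNAL, PEER, "out"))      # keep-state runs after nat, so it records EXTERNAL
    verdict = fw.run(Packet(PEER, EXTERNAL, "in"))  # check-state runs after nat, so it looks up INTERNAL
    return verdict, sorted(sorted(s) for s in fw.states)
```

In multi-pass mode the reply is denied because the state table holds the external address while the post-nat lookup uses the internal one; with the proposed knob the nat rule is terminal and the mismatched state rules are never consulted.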