[Bug 240400] ipnat not working some time after a lot of calls to the "map" or "rdr" rules (drop packets)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Sep 7 23:11:56 UTC 2019 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240400

            Bug ID: 240400
           Summary: ipnat not working some time after a lot of calls to
                    the "map" or "rdr" rules (drop packets)
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: dym at afalina.od.ua

#uname -a
FreeBSD test 11.2-RELEASE-p14 FreeBSD 11.2-RELEASE-p14 #0 r351966: Sat Sep  7
01:29:14 CEST 2019 GENERIC  amd64

# cat messages | grep "IP Filter"
kernel: IP Filter: v5.1.2 initialized.  Default = pass all, Logging = enabled 

# cat ipf.rules
pass in quick all
pass out quick all

# cat ipnat.rules
rdr igb0 xxx.xxx.xxx.xxx/32 port 80 -> yyy.yyy.yyy.yyy port 80
rdr igb0 xxx.xxx.xxx.xxx/32 port 443 -> yyy.yyy.yyy.yyy port 443
map igb0 xxx.xxx.xxx.xxx/32 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 40000:50000
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32

xxx.xxx.xxx.xxx -- IP on WAN interface igb0
yyy.yyy.yyy.yyy -- IP on LAN machine with http service
yyy.yyy.yyy.0/24 -- LAN

Some time after a lot of calls to the map rules:
# ipfstat | egrep 'NAT failure'
158     input block reason IPv4 NAT failure
0       input block reason IPv6 NAT failure
0       output block reason IPv4 NAT failure
0       output block reason IPv6 NAT failure

Some time after a lot of calls to the rdr rules:
# ipfstat | egrep 'NAT failure'
159     input block reason IPv4 NAT failure
0       input block reason IPv6 NAT failure
267     output block reason IPv4 NAT failure
0       output block reason IPv6 NAT failure

It is present both with the GENERIC kernel and a freshly installed system, and
with a rebuilded kernel and world.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list