NAT (ipfw/natd) broken in latest -CURRENT

Joe Marcus Clarke marcus at FreeBSD.org
Wed Dec 17 01:19:53 UTC 2008


I just upgraded my i386 -CURRENT box from November 14 to today, and now
my SSH-over-PPP VPN tunnel no longer works.  I did some packet captures,
and it appears that NAT is no longer working.  If I send a telnet packet
from my client side over the PPP tunnel, I see the SYN go out on the
server side network properly translated.  The destination host ACKs
correctly, but the ACK never goes back across the tunnel.  It's as if
natd is no longer translating the packet on the inbound path.  Besides
the upgrade, nothing has changed in my environment.  

My ipfw show looks like:

00050 22974 4677637 divert 8668 ip4 from any to any via em0
00100   194   20696 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 24714 4934785 allow ip from any to any
65535     5     396 deny ip from any to any

I am running natd as:

/sbin/natd -s -m -skinny_port 2000 -n em0

The ifconfig for my tunnel interface is:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1300
	inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00 
	inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5 
	Opened by PID 8018

My netstat on the server side looks like:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0

The server's uname is:

FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue Dec 16 15:42:09 EST 2008
marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC  i386

The previous, working uname was:

FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
    marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC

Joe

-- 
Joe Marcus Clarke
FreeBSD GNOME Team      ::      gnome at FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
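Added example, not part of Joe's message: a small Python checker that parses the `ipfw show` listing above and verifies that the divert rule agrees with how natd is started (divert port 8668, interface em0) and sits ahead of the catch-all allow. It assumes only the rule format shown in the post; run on that ruleset it reports no findings, which is what leaves natd's inbound translation, not the firewall ordering, as the suspect.

```python
import re
from collections import namedtuple

# Constructed sample input: the `ipfw show` listing quoted in the post.
IPFW_SHOW = """\
00050 22974 4677637 divert 8668 ip4 from any to any via em0
00100   194   20696 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 24714 4934785 allow ip from any to any
65535     5     396 deny ip from any to any
"""

# Columns of `ipfw show`: rule number, packet count, byte count, action, body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
Rule = namedtuple("Rule", "number packets nbytes action body")

def parse_ipfw_show(text):
    """Parse `ipfw show` output into Rule tuples, in rule-number order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return sorted(rules, key=lambda r: r.number)

def check_natd_divert(rules, natd_port, iface):
    """Findings about the natd divert rule; an empty list means it is consistent."""
    findings = []
    diverts = [r for r in rules if r.action == "divert"]
    if not diverts:
        return ["no divert rule: natd never sees any packets"]
    for d in diverts:
        port, _, match = d.body.partition(" ")
        if not port.isdigit() or int(port) != natd_port:
            findings.append(f"rule {d.number}: diverts to port {port}, natd listens on {natd_port}")
        if f"via {iface}" not in match:
            findings.append(f"rule {d.number}: not restricted to via {iface}")
        if d.packets == 0:
            findings.append(f"rule {d.number}: divert counter is zero, nothing reaches natd")
        # A catch-all allow numbered below the divert ends the rule search first,
        # so packets would be passed untranslated before natd ever saw them.
        for r in rules:
            if r.number < d.number and r.action == "allow" and r.body == "ip from any to any":
                findings.append(f"rule {r.number}: allow-all precedes divert rule {d.number}")
    return findings

if __name__ == "__main__":
    print(check_natd_divert(parse_ipfw_show(IPFW_SHOW), 8668, "em0") or "ruleset consistent")
```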

