NAT (ipfw/natd) broken in latest -CURRENT

Li, Qing qing.li at bluecoat.com
Thu Dec 18 21:06:27 UTC 2008


Hi Joe,

I have been trying to recreate your problem but my setup seems to
work. I then noticed in your original netstat output the p2p
host route installed by the tunnel interface has the "G" flag
set. This will certainly cause a routing problem because that
route is not an indirect route. I modified the kernel code to simulate
this condition and I do see the error on output, which is expected.

I assume this problem is consistently reproducible in your setup?

-- Qing


> -----Original Message-----
> From: owner-freebsd-current at freebsd.org [mailto:owner-freebsd-
> current at freebsd.org] On Behalf Of Joe Marcus Clarke
> Sent: Tuesday, December 16, 2008 5:20 PM
> To: current
> Subject: NAT (ipfw/natd) broken in latest -CURRENT
> 
> I just upgraded my i386 -CURRENT box from November 14 to today, and now
> my SSH-over-PPP VPN tunnel no longer works.  I did some packet captures,
> and it appears that NAT is no longer working.  If I send a telnet packet
> from my client side over the PPP tunnel, I see the SYN go out on the
> server side network properly translated.  The destination host ACKs
> correctly, but the ACK never goes back across the tunnel.  It's as if
> natd is no longer translating the packet on the inbound path.  Besides
> the upgrade, nothing has changed in my environment.
> 
> My ipfw show looks like:
> 
> 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> 00100   194   20696 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to 127.0.0.0/8
> 00300     0       0 deny ip from 127.0.0.0/8 to any
> 65000 24714 4934785 allow ip from any to any
> 65535     5     396 deny ip from any to any
> 
> I am running natd as:
> 
> /sbin/natd -s -m -skinny_port 2000 -n em0
> 
> The ifconfig for my tunnel interface is:
> 
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1300
> 	inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
> 	inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
> 	Opened by PID 8018
> 
> My netstat on the server side looks like:
> 
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            172.18.254.1       UGS         0    46685    em0
> 10.1.1.76          link#5             UGH         0     1735   tun0
> 127.0.0.1          link#3             UH          0     1171    lo0
> 172.18.254.0/24    link#1             U           0        0    em0
> 172.18.254.237/32  link#1             U           0        8    em0
> 
> The server's uname is:
> 
> FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> Dec 16 15:42:09 EST 2008
> marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC  i386
> 
> The previous, working uname was:
> 
> FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
>     marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
> 
> Joe
> 
> --
> Joe Marcus Clarke
> FreeBSD GNOME Team      ::      gnome at FreeBSD.org
> FreeNode / #freebsd-gnome
> http://www.FreeBSD.org/gnome
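The check Qing describes above (a point-to-point host route whose gateway is an interface, i.e. `link#N`, but which carries the "G" indirect-route flag), written as an added example that is not part of the thread; it parses the `netstat -rn` table Joe posted, embedded here with the wrapped header line re-joined, and reports the inconsistent entries.

```python
# Route table from Joe's message (embedded as sample input; header re-joined).
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0
"""


def parse_routes(text):
    """Parse the IPv4 section of `netstat -rn` into dicts (one per route).

    Lines with fewer than six whitespace-separated fields (section titles,
    blank lines) and the header line are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        dest, gateway, flags, refs, use, netif = fields[:6]
        routes.append({
            "dest": dest,
            "gateway": gateway,
            "flags": set(flags),   # e.g. {"U", "G", "H"}
            "netif": netif,
        })
    return routes


def inconsistent_gateway_routes(routes):
    """Return routes that are direct (gateway is an interface, link#N) yet
    carry the G flag, which marks an indirect route via a next-hop gateway.

    On the table above this singles out the tun0 host route that the reply
    identifies as the cause of the output error.
    """
    return [r for r in routes
            if r["gateway"].startswith("link#") and "G" in r["flags"]]


if __name__ == "__main__":
    for r in inconsistent_gateway_routes(parse_routes(NETSTAT_OUTPUT)):
        print(f"{r['dest']} via {r['gateway']} on {r['netif']}: "
              f"direct route with G flag set")
```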