NAT (ipfw/natd) broken in latest -CURRENT
Li, Qing
qing.li at bluecoat.com
Thu Dec 18 21:06:27 UTC 2008
Hi Joe,
I have been trying to recreate your problem but my setup seem to
work. I then noticed in your original netstat output the p2p
host route installed by the tunnel interface has the "G" flag
set. This will certainly cause a routing problem because that
route is not an indirect route. I modified the kernel code to simulate
this condition and I do see the error on output, which is expected.
I assume this problem is consistently reproducible in your setup ?
-- Qing
> -----Original Message-----
> From: owner-freebsd-current at freebsd.org [mailto:owner-freebsd-
> current at freebsd.org] On Behalf Of Joe Marcus Clarke
> Sent: Tuesday, December 16, 2008 5:20 PM
> To: current
> Subject: NAT (ipfw/natd) broken in latest -CURRENT
>
> I just upgraded my i386 -CURRENT box from November 14 to today, and
now
> my SSH-over-PPP VPN tunnel no longer works. I did some packet
captures,
> and it appears that NAT is no longer working. If I send a telnet
> packet
> from my client side over the PPP tunnel, I see the SYN go out on the
> server side network properly translated. The destination host ACKs
> correctly, but the ACK never goes back across the tunnel. It's as if
> natd is no longer translating the packet on the inbound path. Besides
> the upgrade, nothing has changed in my environment.
>
> My ipfw show looks like:
>
> 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> 00100 194 20696 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 24714 4934785 allow ip from any to any
> 65535 5 396 deny ip from any to any
>
> I am running natd as:
>
> /sbin/natd -s -m -skinny_port 2000 -n em0
>
> The ifconfig for my tunnel interface is:
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1300
> inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
> inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
> Opened by PID 8018
>
> My netstat on the server side looks like:
>
> Internet:
> Destination Gateway Flags Refs Use Netif
> Expire
> default 172.18.254.1 UGS 0 46685 em0
> 10.1.1.76 link#5 UGH 0 1735 tun0
> 127.0.0.1 link#3 UH 0 1171 lo0
> 172.18.254.0/24 link#1 U 0 0 em0
> 172.18.254.237/32 link#1 U 0 8 em0
>
> The server's uname is:
>
> FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> Dec 16 15:42:09 EST 2008
> marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC i386
>
> The previous, working uname was:
>
> FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
> marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
>
> Joe
>
> --
> Joe Marcus Clarke
> FreeBSD GNOME Team :: gnome at FreeBSD.org
> FreeNode / #freebsd-gnome
> http://www.FreeBSD.org/gnome
More information about the freebsd-current
mailing list