NAT (ipfw/natd) broken in latest -CURRENT

Li, Qing qing.li at bluecoat.com
Fri Dec 19 02:00:38 UTC 2008


I did not notice that thread on net@, but now that you've mentioned it, 
the original description appears to be very similar to what I was
observing in the NAT/VPN case.  Please let me know if this patch does
the right thing for you.

--Qing

> -----Original Message-----
> From: Max Laier [mailto:max at love2party.net]
> Sent: Thursday, December 18, 2008 5:47 PM
> To: freebsd-current at freebsd.org; Denis Mysenko
> Cc: Li, Qing
> Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
> 
> On Friday 19 December 2008 02:41:02 Li, Qing wrote:
> > I have checked in a fix for this issue (r186308), which turned out to
> > be a problem in the ppp module. The ppp module updates the p2p host
> > route that was installed during the tunnel configuration, however,
> > the ppp code always set the RTF_GATEWAY flag. The patch has been
> > verified to be working by Joe.
> >
> > Please let me know if you run into any other issue.
> 
> There has been a similar report in freebsd-net@ just recently, OP CC'ed.
> Denis, can you check if the fix quoted above fixes your problem?
> 
> > Thanks,
> >
> > -- Qing
> >
> > > -----Original Message-----
> > > From: Joe Marcus Clarke [mailto:marcus at freebsd.org]
> > > Sent: Thursday, December 18, 2008 2:02 PM
> > > To: Li, Qing
> > > Cc: current
> > > Subject: RE: NAT (ipfw/natd) broken in latest -CURRENT
> > >
> > > On Thu, 2008-12-18 at 12:53 -0800, Li, Qing wrote:
> > > > Hi Joe,
> > > >
> > > > I have been trying to recreate your problem but my setup seems to
> > > > work. I then noticed in your original netstat output the p2p
> > > > host route installed by the tunnel interface has the "G" flag
> > > > set. This will certainly cause a routing problem because that
> > > > route is not an indirect route. I modified the kernel code to
> > > > simulate this condition and I do see the error on output, which is
> > > > expected.
> > > >
> > > > I assume this problem is consistently reproducible in your setup?
> > >
> > > Absolutely.  Every time I setup the p2p tunnel with the non-proxy ARP
> > > address range.  Traffic flows outbound, but never inbound.  Your
> > > analysis sounds correct.  The kernel doesn't know the interface on
> > > which to encapsulate the return traffic.
> > >
> > > Joe
> > >
> > > > -- Qing
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-freebsd-current at freebsd.org [mailto:owner-freebsd-
> > > > > current at freebsd.org] On Behalf Of Joe Marcus Clarke
> > > > > Sent: Tuesday, December 16, 2008 5:20 PM
> > > > > To: current
> > > > > Subject: NAT (ipfw/natd) broken in latest -CURRENT
> > > > >
> > > > > I just upgraded my i386 -CURRENT box from November 14 to today, and
> > > > > now my SSH-over-PPP VPN tunnel no longer works.  I did some packet
> > > > > captures, and it appears that NAT is no longer working.  If I send a
> > > > > telnet packet from my client side over the PPP tunnel, I see the SYN
> > > > > go out on the server side network properly translated.  The
> > > > > destination host ACKs correctly, but the ACK never goes back across
> > > > > the tunnel.  It's as if natd is no longer translating the packet on
> > > > > the inbound path.  Besides the upgrade, nothing has changed in my
> > > > > environment.
> > > > >
> > > > > My ipfw show looks like:
> > > > >
> > > > > 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> > > > > 00100   194   20696 allow ip from any to any via lo0
> > > > > 00200     0       0 deny ip from any to 127.0.0.0/8
> > > > > 00300     0       0 deny ip from 127.0.0.0/8 to any
> > > > > 65000 24714 4934785 allow ip from any to any
> > > > > 65535     5     396 deny ip from any to any
> > > > >
> > > > > I am running natd as:
> > > > >
> > > > > /sbin/natd -s -m -skinny_port 2000 -n em0
> > > > >
> > > > > The ifconfig for my tunnel interface is:
> > > > >
> > > > > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1300
> > >
> > > > > 	inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
> > > > > 	inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
> > > > > 	Opened by PID 8018
> > > > >
> > > > > My netstat on the server side looks like:
> > > > >
> > > > > Internet:
> > > > > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > > > > default            172.18.254.1       UGS         0    46685    em0
> > > > > 10.1.1.76          link#5             UGH         0     1735   tun0
> > > > > 127.0.0.1          link#3             UH          0     1171    lo0
> > > > > 172.18.254.0/24    link#1             U           0        0    em0
> > > > > 172.18.254.237/32  link#1             U           0        8    em0
> >
> > > > > The server's uname is:
> > > > >
> > > > > FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> > > > > Dec 16 15:42:09 EST 2008
> > > > > marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC  i386
> > > > >
> > > > > The previous, working uname was:
> > > > >
> > > > > FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
> > > > > marcus at jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
> > > > >
> > > > > Joe
> > > > >
> > > > > --
> > > > > Joe Marcus Clarke
> > > > > FreeBSD GNOME Team      ::      gnome at FreeBSD.org
> > > > > FreeNode / #freebsd-gnome
> > > > > http://www.FreeBSD.org/gnome
> > >
> > > --
> > > Joe Marcus Clarke
> > > FreeBSD GNOME Team      ::      gnome at FreeBSD.org
> > > FreeNode / #freebsd-gnome
> > > http://www.FreeBSD.org/gnome
> >
> 
> --
> /"\  Best regards,                      | mlaier at freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
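As an added example (not from the thread, ppp, or FreeBSD), a small Python checker that parses `netstat -rn` output like the table Joe posted and flags the condition Qing describes: a host route on a point-to-point interface whose gateway is a link-level entry (`link#N`) but which still carries the G flag. The interface-name prefixes treated as point-to-point and the six-column layout are assumptions; the sample table is constructed from the thread.

```python
# Constructed sample, modelled on the netstat -rn output quoted in the thread
# (the route in question is 10.1.1.76 via tun0 with flags UGH).
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0
"""

# Interface name prefixes treated as point-to-point (an assumption; extend as needed).
P2P_PREFIXES = ("tun", "ppp", "gif")


def parse_routes(text):
    """Parse the IPv4 table of `netstat -rn` into dicts.

    The Expire column is usually blank, so only the first six columns are used;
    the "Internet:" banner and the header row are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest, gw, flags, _refs, _use, netif = parts[:6]
        routes.append({"dest": dest, "gw": gw, "flags": flags, "netif": netif})
    return routes


def suspicious_p2p_routes(text, p2p_prefixes=P2P_PREFIXES):
    """Return destinations of host routes (H) on point-to-point interfaces that
    carry G (RTF_GATEWAY) although their gateway is a link-level entry rather
    than an IP next hop: the mis-flagged direct route the thread traces to ppp."""
    bad = []
    for r in parse_routes(text):
        on_p2p = r["netif"].startswith(p2p_prefixes)
        link_gw = r["gw"].startswith("link#")
        if on_p2p and link_gw and "H" in r["flags"] and "G" in r["flags"]:
            bad.append(r["dest"])
    return bad


if __name__ == "__main__":
    for dest in suspicious_p2p_routes(SAMPLE_NETSTAT):
        print(f"{dest}: p2p host route has G set but no IP gateway (check ppp/tunnel setup)")
```

On a live system, feed it `netstat -rn -f inet` output instead of the constructed sample; a hit means return traffic for that peer may be dropped on output, as described above.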

