NAT broken in -CURRENT

Joe Marcus Clarke marcus at
Sat Dec 26 21:24:10 UTC 2009

On Sat, 2009-12-26 at 22:21 +0100, Luigi Rizzo wrote:
> On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> ...
> > I updated my -CURRENT box yesterday.  After a reboot, NAT no longer
> > works.  That is, if I have natd running with ipfw diverting packets to
> > it, the box is a big black hole.  No packets leave.  I do see all
> ...
> > I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
> > the problem.  Thinking that perhaps the new modularity is causing this
> > problem, I also added the following two options to my kernel:
> > 
> > options	IPFIREWALL_NAT
> > options	LIBALIAS
> > 
> > They did not help.  I have not tried using a purely modular ipfw/NAT
> > combination, but I will attempt that later today.  I didn't see anything
> > obvious in UPDATING.  Any suggestions, or any recommendations for
> > specific troubleshooting data to capture?  Thanks.
> the changes were not expected to affect configuration or operation
> so clearly i must have broken something in the reinjection process.
> If you have a chance of looking at the ipfw counters (to see whether
> packets are reinjected and where they end up) that would be helpful.
> I'll try to run some tests here tomorrow or more likely on monday.

As I recall, the divert line (rule 50) had a huge counter value (even
after a reboot), but the other rule (i.e. the permit any any rule) had
very few packets.  I will gather some more concrete numbers later today.
Thanks for looking into it.


Joe Marcus Clarke
FreeBSD GNOME Team      ::      gnome at
FreeNode / #freebsd-gnome
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: This is a digitally signed message part
Url :

More information about the freebsd-current mailing list