NAT broken in -CURRENT
Joe Marcus Clarke
marcus at FreeBSD.org
Sat Dec 26 21:24:10 UTC 2009
On Sat, 2009-12-26 at 22:21 +0100, Luigi Rizzo wrote:
> On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> > I updated my -CURRENT box yesterday. After a reboot, NAT no longer
> > works. That is, if I have natd running with ipfw diverting packets to
> > it, the box is a big black hole. No packets leave. I do see all
> > I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
> > the problem. Thinking that perhaps the new modularity is causing this
> > problem, I also added the following two options to my kernel:
> > options IPFIREWALL_NAT
> > options LIBALIAS
> > They did not help. I have not tried using a purely modular ipfw/NAT
> > combination, but I will attempt that later today. I didn't see anything
> > obvious in UPDATING. Any suggestions, or any recommendations for
> > specific troubleshooting data to capture? Thanks.
> The changes were not expected to affect configuration or operation
> so clearly I must have broken something in the reinjection process.
> If you have a chance of looking at the ipfw counters (to see whether
> packets are reinjected and where they end up) that would be helpful.
> I'll try to run some tests here tomorrow or more likely on Monday.
As I recall, the divert line (rule 50) had a huge counter value (even
after a reboot), but the other rule (i.e. the permit any any rule) had
very few packets. I will gather some more concrete numbers later today.
Thanks for looking into it.
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome at FreeBSD.org
FreeNode / #freebsd-gnome