NAT broken in -CURRENT
Joe Marcus Clarke
marcus at FreeBSD.org
Sun Dec 27 19:47:33 UTC 2009
On Sat, 2009-12-26 at 23:24 +0100, Luigi Rizzo wrote:
> On Sat, Dec 26, 2009 at 05:06:48PM -0500, Joe Marcus Clarke wrote:
> >
> >
> > PGP Key : http://www.marcuscom.com/pgp.asc
> >
> > On Sat, 26 Dec 2009, Luigi Rizzo wrote:
> >
> > >On Sat, Dec 26, 2009 at 03:25:38PM -0500, Joe Marcus Clarke wrote:
> > >...
> > >>I updated my -CURRENT box yesterday. After a reboot, NAT no longer
> > >>works. That is, if I have natd running with ipfw diverting packets to
> > >>it, the box is a big black hole. No packets leave. I do see all
> > >...
> > >>I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
> > >>the problem. Thinking that perhaps the new modularity is causing this
> > >>problem, I also added the following two options to my kernel:
> > >>
> > >>options IPFIREWALL_NAT
> > >>options LIBALIAS
> > >>
> > >>They did not help. I have not tried using a purely modular ipfw/NAT
> > >>combination, but I will attempt that later today. I didn't see anything
> > >>obvious in UPDATING. Any suggestions, or any recommendations for
> > >>specific troubleshooting data to capture? Thanks.
> > >
> > >the changes were not expected to affect configuration or operation
> > >so clearly I must have broken something in the reinjection process.
> > >If you have a chance of looking at the ipfw counters (to see whether
> > >packets are reinjected and where they end up) that would be helpful.
> > >I'll try to run some tests here tomorrow or more likely on monday.
> >
> > The packets appear to be looping to the divert socket. The ipfw counters
> > show the divert rule is growing exponentially whereas the other rules
> > have virtually no packet matches. This is just after a few seconds of
> > uptime:
>
> ok then try this change in netinet/ipfw/ip_fw2.c near line 1176
>
> IPFW_RUNLOCK(chain);
> return (IP_FW_DENY); /* invalid */
> }
> - f_pos = ipfw_find_rule(chain, skipto, 0);
> + f_pos = ipfw_find_rule(chain, skipto+1, 0);
> }
> }
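Review bot: the change from `skipto` to `skipto+1` in the `ipfw_find_rule()` call carries no comment, and a one-liner stating that a reinjected (diverted) packet must resume at the rule after the one that diverted it, not at that rule again, would keep the next reader from "fixing" it as an off-by-one. That reading matches the counters reported above (only the divert rule's packet count grows, later rules barely match), since resuming at the divert rule re-diverts the same packet. Also worth confirming that `skipto+1` cannot land past the last valid rule number when `skipto` is already the highest rule, given that the lines just above return `IP_FW_DENY` for the case marked `/* invalid */` rather than clamping the lookup.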
>
> Let me know if it works so I can commit it.
I was just able to test this, and it works. I see you committed it
already. Thanks for your quick response.
Joe
--
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome at FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
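A small check for the symptom Joe describes above (the divert rule's packet counter growing while every other rule barely matches), as an added example that is not part of this thread. It assumes the column layout of `ipfw -a list` output (rule number, packets, bytes, action, rest of rule); the counter lines and the 10:1 threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: compare the packet counter of divert
# rules against the sum of all other rules. When packets loop back to the
# divert socket, the divert counter dwarfs everything else.
#
# Usage: ipfw -a list | divert_loop_check [ratio]   (ratio defaults to 10)
# Exit status: 0 = counters look normal, 1 = divert counter suggests a loop.
divert_loop_check() {
    ratio="${1:-10}"
    awk -v ratio="$ratio" '
        # Skip lines that are not "<rule#> <packets> <bytes> ..." counter rows,
        # e.g. blank lines or the "## Dynamic rules" banner.
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
        $4 == "divert" {
            divert += $2
            drules = (drules == "" ? $1 : drules "," $1)
            next
        }
        { other += $2 }
        END {
            if (divert > 0 && divert > ratio * other) {
                printf "LOOP-SUSPECT divert=%d other=%d rules=%s\n", divert, other, drules
                exit 1
            }
            printf "OK divert=%d other=%d\n", divert, other
            exit 0
        }'
}

# Constructed sample modelled on the looping case reported above (assumed
# values, not real counters): the divert rule has seen thousands of packets
# a few seconds after boot while nothing else has matched.
SAMPLE_LOOP='00100   48213  3855040 divert 8668 ip from any to any via em0
00200      12     1008 allow ip from any to any via lo0
00300       3      252 allow tcp from any to any established
## Dynamic rules (0):
65535       0        0 deny ip from any to any'

# Constructed sample of a healthy NAT box: reinjected packets go on to match
# the later rules, so the divert counter is of the same order as the rest.
SAMPLE_OK='00100     120     9600 divert 8668 ip from any to any via em0
00200     110     8800 allow ip from any to any via em0
65535       2      120 deny ip from any to any'

# Demo run on the constructed samples (guarded so a non-zero status does not
# abort a caller running under "set -e").
printf '%s\n' "$SAMPLE_LOOP" | divert_loop_check 10 || echo "check: divert loop suspected"
printf '%s\n' "$SAMPLE_OK" | divert_loop_check 10 || echo "check: divert loop suspected"
```

On a live box the same function is fed directly from `ipfw -a list`; the threshold is a heuristic, so read it alongside the per-rule counters rather than as a verdict.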