ipfw nat drops icmp packets from localhost [patch attached]
Oleg Strizhak
oleg at pcbtech.ru
Thu Oct 6 11:14:16 UTC 2011
Hello, Andrey V. Elsukov!
You wrote on 06.10.2011 13:38:
> On 06.10.2011 12:29, Oleg Strizhak wrote:
>> After an investigation I've found out a very strange situation - it seems to me that ipfw nat drops
>> some (type 11?) ICMP reply packets whose UDP request packets it hasn't rewritten/seen before, e.g.:
>>
>> So, I wonder whether someone else has seen the same case under similar circumstances? Isn't it a
>> bug within the ipfw nat module, and is there any work-around/patch for that? I've surely googled, but in
>> vain =( The only thing that seems alike to my problem is
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for the 8 branch didn't cure anything =(
>
> Can you describe how you did apply and test this patch?
I beg your pardon: in my previous reply I forgot to attach my patch.
Here it is.
WBR,
Oleg
-------------- next part --------------
--- ip_fw_nat.c.orig 2010-12-21 20:09:25.000000000 +0300
+++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400
@@ -263,17 +263,27 @@
else
retval = LibAliasOut(t->lib, c,
mcl->m_len + M_TRAILINGSPACE(mcl));
- if (retval == PKT_ALIAS_RESPOND) {
- m->m_flags |= M_SKIP_FIREWALL;
- retval = PKT_ALIAS_OK;
- }
- if (retval != PKT_ALIAS_OK &&
- retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+
+ /*
+ * We drop packet when:
+ * 1. libalias returns PKT_ALIAS_ERROR;
+ * 2. For incoming packets:
+ * a) for unresolved fragments;
+ * b) libalias returns PKT_ALIAS_IGNORED and
+ * PKT_ALIAS_DENY_INCOMING flag is set.
+ */
+ if (retval == PKT_ALIAS_ERROR ||
+ (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+ (retval == PKT_ALIAS_IGNORED &&
+ (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
/* XXX - should i add some logging? */
m_free(mcl);
args->m = NULL;
return (IP_FW_DENY);
}
+
+ if (retval == PKT_ALIAS_RESPOND)
+ m->m_flags |= M_SKIP_FIREWALL;
mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
/*
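Review bot: the new condition changes the default fate of packets for which libalias returns PKT_ALIAS_IGNORED, and the comment block should say so explicitly. In the old code every return value other than PKT_ALIAS_OK and PKT_ALIAS_FOUND_HEADER_FRAGMENT (with PKT_ALIAS_RESPOND folded into OK first) was dropped; after this hunk an incoming IGNORED packet is passed on down the ruleset unless the instance has PKT_ALIAS_DENY_INCOMING set, and an outgoing IGNORED or PKT_ALIAS_UNRESOLVED_FRAGMENT packet is always passed. That is what lets the unmatched ICMP replies through, but it also means a packet arriving on the outside interface that matches no NAT session is no longer stopped at the nat rule itself, so anyone using the nat rule as an implicit deny now needs PKT_ALIAS_DENY_INCOMING (or an explicit deny rule after it) to keep the old behaviour; please state that in the comment rather than only listing the drop cases. Two smaller points: the old `retval = PKT_ALIAS_OK;` after a PKT_ALIAS_RESPOND is gone, so check that nothing later in the function still reads `retval` expecting OK; and since the pass/drop split on IGNORED is now policy-relevant, this is the place to resolve the `XXX - should i add some logging?` with at least a counter or log line for the dropped case, otherwise the new behaviour is invisible to the operator.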