ipfw and netgraph confusion

Julian Elischer julian at elischer.org
Sat Nov 17 23:13:23 PST 2007


Christopher Cowart wrote:
> Hello,
> 
> I'm trying to use the ng_nat node on 6.2.
> 
> I have one set of IP -> ng cookie mappings in tables and a single
> default mapping for anything that doesn't match the tables.
> 
> The first case, using tables, is the "Authenticated" case:
> | /sbin/ipfw add netgraph tablearg all from "table(4)" to any in via \
> |   vlan88
> | 01040 netgraph tablearg ip from table(4) to any in via vlan88
> | /sbin/ipfw add netgraph tablearg all from any to "table(3)" in via \
> |   vlan665
> | 01060 netgraph tablearg ip from any to table(3) in via vlan665
> | /sbin/ipfw table 4 list
> | 10.8.62.255/32 200065132
> | /sbin/ipfw table 3 list
> | 169.229.65.132/32 100065132
> 
> This case works great. I inserted some count log rules and see that the
> src and dst IP addresses are being altered as I would expect.
> 
> When I fall back to the default case for "Unauthenticated" users:
> | /sbin/ipfw add netgraph 100079145 all from 10.8.0.0/18 to any in \
> |     via vlan88
> | 01230 netgraph 5673 ip from 10.8.0.0/18 to any in via vlan88 
> | /sbin/ipfw add netgraph 200079145 all from any to 169.229.79.145
> | 01240 netgraph 63273 ip from any to 169.229.79.145
> 
> Notice the netgraph cookies here are 100079145 and 200079145. These are
> the same values I used with ng_ctl. The resulting ipfw rules say the
> cookies are 5673 and 63273. After matching the netgraph rules in this
> case, the src and dst IP addresses are logged unchanged. This leads me
> to believe ipfw sent them to non-existent nodes. The behavior I'm
> witnessing indicates that indeed, these packets have not been NATed.
> 
> Troubleshooting a bit, I noticed that if I change the constant numbers
> to 10 and 20, things work exactly as expected. I'm going to venture a
> guess that when a netgraph cookie is parsed on the commandline, it's
> interpreted as a 16-bit int, but when you're using tableargs, 32-bit
> ints work. This inconsistent behavior is a bit confusing (and led me to
> a couple hours of frustrated debugging). Anyone else aware of this
> problem? Should I file a PR?
> 

I'm not sure about netgraph cookies, but a lot of the cookies in ipfw are 16 bits.

e.g. divert cookies.

I don't know much about the ipfw netgraph command as I've never used it.



> Thanks,
> 
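The two "wrong" cookies in the quoted rules are exactly the low 16 bits of the values typed on the command line: 100079145 mod 65536 = 5673 and 200079145 mod 65536 = 63273. The following sh script is an added example, not part of the thread and not taken from ipfw(8) or netgraph; it assumes only that ipfw keeps the low 16 bits of a `netgraph` cookie, which is what those numbers show. `low16` reproduces the value ipfw would store, and `checked_netgraph_rule` is a hypothetical pre-flight wrapper that refuses to emit a rule whose cookie would be truncated, so traffic is never silently steered to a node that does not exist and left un-NATed. It prints the command line it would run rather than invoking ipfw, so it can be tried anywhere.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread or from ipfw itself).
# Assumption: ipfw stores a netgraph cookie in 16 bits, so any value
# above 65535 is silently replaced by its low 16 bits (value mod 65536).

# low16 COOKIE -> print the value ipfw would actually store for COOKIE.
# For non-negative integers, "mod 65536" is the same as "keep the low 16 bits".
low16() {
    printf '%d\n' "$(( $1 % 65536 ))"
}

# cookie_ok COOKIE -> succeed only if COOKIE survives a 16-bit store unchanged.
cookie_ok() {
    [ "$1" -ge 0 ] && [ "$1" -le 65535 ]
}

# checked_netgraph_rule COOKIE RULE... -> print the ipfw command line that
# would install the rule, or fail and report the truncated cookie ipfw would
# have used. Hypothetical wrapper; it does not call ipfw.
checked_netgraph_rule() {
    cookie=$1
    shift
    if cookie_ok "$cookie"; then
        printf 'ipfw add netgraph %s %s\n' "$cookie" "$*"
    else
        printf 'refusing cookie %s: ipfw would store it as %s\n' \
            "$cookie" "$(low16 "$cookie")" >&2
        return 1
    fi
}

# Usage with the constructed rule bodies from the thread:
#   checked_netgraph_rule 20 all from any to 169.229.79.145
#   checked_netgraph_rule 200079145 all from any to 169.229.79.145   # refused
```

Running `checked_netgraph_rule 100079145 all from 10.8.0.0/18 to any in via vlan88` reports that ipfw would store the cookie as 5673, matching the rule listing in the original message; the same check with 10 or 20 passes, which is why those values worked.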


