>Number:         149572
>Category:       kern
>Synopsis:       ipfw kernel nat not working properly
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 12 11:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Apanasenko
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD gate100.bis 8.1-RELEASE FreeBSD 8.1-RELEASE #1: Tue Aug 10 11:25:07 MSD 2010 [email protected]:/usr/obj/usr/src/sys/GATE i386
>Description:
After upgrading from 8.0-RELEASE to 8.1-RELEASE, IPFW kernel nat rules are not working.

The nat config in ipfw is:

ipfw nat 1 config if fxp2 log deny_in same_ports reset

rules:

...
20700 nat 1 ip from any to any via fxp2
29900 deny ip from any to any

sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 1

fxp2 is the external interface.

In the 8.0 release these rules work fine:

20700 12221 1314739 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any

but in 8.1 all packets matched by rule 20700 do not leave the firewall and continue on to rule 29900:

20700 0 5847 nat 1 ip from any to any via fxp2
29900 0 6023 deny ip from any to any
>How-To-Repeat:
On an 8.1-RELEASE system with the kernel ipfw options

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPDIVERT
options DUMMYNET
options LIBALIAS

and sysctl net.inet.ip.fw.one_pass=1, do:

ipfw add allow ip from any to any via int_iface
ipfw add nat 1 ip from any to any via ext_iface
ipfw nat 1 config if ext_iface same_ports
ipfw add deny ip from any to any

and you can see that all packets, after aliasing on the nat 1 rule, go to the deny rule.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
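As an added check (not part of the PR), the following POSIX shell function parses `ipfw -a list` accounting output and flags the symptom reported above: with one_pass=1, bytes accounted on the nat rule and on the rule immediately after it. It assumes the PR's ruleset, where nothing other than fall-through from the nat rule reaches the final deny rule; the sample counters are constructed from the values quoted in the report.

```shell
#!/bin/sh
# Added check, not from the PR: detect nat fall-through in ipfw accounting.
# Assumes the PR's ruleset, where the only way traffic reaches the rule after
# "nat 1" is by falling through it (with one_pass=1 that should not happen).

# Constructed samples in `ipfw -a list` form: rule pkts bytes body.
# Counters mirror the values quoted in the report for 8.0 and 8.1.
SAMPLE_80='20700 12221 1314739 nat 1 ip from any to any via fxp2
29900 0 0 deny ip from any to any'
SAMPLE_81='20700 0 5847 nat 1 ip from any to any via fxp2
29900 0 6023 deny ip from any to any'

# nat_fallthrough_check ONE_PASS LISTING
#   ONE_PASS: value of net.inet.ip.fw.one_pass (1 = nat should end the search)
#   LISTING:  output of `ipfw -a list`
# Prints FALLTHROUGH when one_pass=1, the nat rule accounted bytes and the
# rule right after it also accounted bytes; prints OK otherwise.
nat_fallthrough_check() {
    printf '%s\n' "$2" | awk -v one_pass="$1" '
        # byte counter is field 3; the action keyword is field 4
        $4 == "nat" { nat_bytes = $3; after_nat = 1; next }
        after_nat == 1 { next_bytes = $3; after_nat = 2 }
        END {
            if (one_pass == 1 && nat_bytes > 0 && next_bytes > 0)
                print "FALLTHROUGH"
            else
                print "OK"
        }'
}

# Live use: nat_fallthrough_check "$(sysctl -n net.inet.ip.fw.one_pass)" "$(ipfw -a list)"
nat_fallthrough_check 1 "$SAMPLE_80"   # prints OK
nat_fallthrough_check 1 "$SAMPLE_81"   # prints FALLTHROUGH
```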
