Hello, Andrey V. Elsukov!

You wrote on 06.10.2011 13:38:

On 06.10.2011 12:29, Oleg Strizhak wrote:
After an investigation I've found out a very strange situation - it seems to
me that ipfw nat drops
some (type 11?) ICMP reply packets whose UDP request packets it hasn't
rewritten/seen before, e.g.:

So, I wonder whether someone else has seen the same case under similar
circumstances? Isn't it a
bug within the ipfw nat module, and is there any work-around/patch for that? I've
surely googled, but in
vain =( The only thing that seems similar to my problem is
http://www.freebsd.org/cgi/query-pr.cgi?pr=129093, but the patch for the 8 branch
didn't cure anything =(

Can you describe how you did apply and test this patch?

I beg your pardon: in my previous reply I forgot to attach my patch. Here it is.

WBR,
Oleg
--- ip_fw_nat.c.orig    2010-12-21 20:09:25.000000000 +0300
+++ ip_fw_nat.c 2011-10-04 14:27:02.000000000 +0400
@@ -263,17 +263,27 @@
        else
                retval = LibAliasOut(t->lib, c,
                        mcl->m_len + M_TRAILINGSPACE(mcl));
-       if (retval == PKT_ALIAS_RESPOND) {
-               m->m_flags |= M_SKIP_FIREWALL;
-               retval = PKT_ALIAS_OK;
-       }
-       if (retval != PKT_ALIAS_OK &&
-           retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+
+       /*
+        * We drop packet when:
+        * 1. libalias returns PKT_ALIAS_ERROR;
+        * 2. For incoming packets:
+        *      a) for unresolved fragments;
+        *      b) libalias returns PKT_ALIAS_IGNORED and
+        *       PKT_ALIAS_DENY_INCOMING flag is set.
+        */
+       if (retval == PKT_ALIAS_ERROR ||
+        (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+        (retval == PKT_ALIAS_IGNORED &&
+        (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
                /* XXX - should i add some logging? */
                m_free(mcl);
                args->m = NULL;
                return (IP_FW_DENY);
        }
+
+       if (retval == PKT_ALIAS_RESPOND)
+        m->m_flags |= M_SKIP_FIREWALL;
        mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
 
        /*
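Review bot: the PKT_ALIAS_RESPOND branch at the end of the hunk sets M_SKIP_FIREWALL but no longer resets retval to PKT_ALIAS_OK as the removed lines did, so any check later in this function that compares retval against PKT_ALIAS_OK will now see PKT_ALIAS_RESPOND; either keep `retval = PKT_ALIAS_OK;` inside that branch or confirm that nothing below the hunk tests retval. The direction test `args->oif == NULL` in the new condition should be the same expression that selected LibAliasIn over LibAliasOut a few lines above, ideally factored into one local so the two cannot diverge. Style: the continuation lines of the new condition and the `m->m_flags |= M_SKIP_FIREWALL;` body are indented with spaces instead of the tabs style(9) requires. Finally, since this change lets PKT_ALIAS_IGNORED (without PKT_ALIAS_DENY_INCOMING) and outbound PKT_ALIAS_UNRESOLVED_FRAGMENT packets through where they were dropped before, the remaining `/* XXX - should i add some logging? */` is a good moment to add a rate-limited log in the drop branch so the original ICMP symptom can be diagnosed without a rebuild.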
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"