From nobody@FreeBSD.org Tue Aug 31 05:35:03 2010
Return-Path:
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 21A9310656B5
	for ; Tue, 31 Aug 2010 05:35:03 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 116DE8FC12
	for ; Tue, 31 Aug 2010 05:35:03 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o7V5Z21o063183
	for ; Tue, 31 Aug 2010 05:35:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o7V5Z2k9063182;
	Tue, 31 Aug 2010 05:35:02 GMT
	(envelope-from nobody)
Message-Id: <201008310535.o7V5Z2k9063182@www.freebsd.org>
Date: Tue, 31 Aug 2010 05:35:02 GMT
From: Vladimir
To: freebsd-gnats-submit@FreeBSD.org
Subject: Not working kernel nat freeBSD 8.1
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         150141
>Category:       kern
>Synopsis:       [ipfw]: Not working kernel nat freeBSD 8.1
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 05:40:01 UTC 2010
>Closed-Date:    Fri Dec 10 05:31:01 UTC 2010
>Last-Modified:  Fri Dec 10 05:31:01 UTC 2010
>Originator:     Vladimir
>Release:        FreeBSD 8.1
>Organization:
>Environment:
FreeBSD Stancia.mydomain.local 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Wed Jul 28 22:17:06 NOVST 2010     wowan@Stancia.mydomain.local:/usr/obj/usr/src/sys/MYKERNEL  i386
>Description:
There are rules:

9:38 [stat]#cat /etc/ipfw.rules
###################### start ipfw rules script ######################
# Delete all rules
#####################################################################
/sbin/ipfw -q -f flush
#Set default
cmd="/sbin/ipfw -q "
ks="keep-state"
pppOut="tun0"
LanIn="vr1"
####################################################################
# restriction allow all
####################################################################
#$cmd add 00005 allow all from any to any
####################################################################
# restriction on Loopback Interface
####################################################################
$cmd add 00010 allow all from any to any via lo0
####################################################################
#Allow the packet through if it has previously been added to
#the "dynamic" rules table by an allow keep-state statement.
####################################################################
$cmd add 00025 check-state
####################################################################
# Deny 127.0.0.0/8 to any and deny to 127.0.0.0/8
####################################################################
$cmd add 00020 deny all from any to 127.0.0.0/8
$cmd add 00021 deny all from 127.0.0.0/8 to any
####################################################################
#Deny all inbound traffic from non-routable reserved address space
####################################################################
#$cmd add 00030 deny all from any to 10.0.0.0/8 in via ${pppOut}
$cmd add 00031 deny all from any to 172.16.0.0/12 in via ${pppOut}
#$cmd add 00032 deny all from any to 192.168.0.0/16 in via ${pppOut}
$cmd add 00033 deny all from any to 0.0.0.0/8 in via ${pppOut}
$cmd add 00034 deny all from any to 169.254.0.0/16 in via ${pppOut}
$cmd add 00035 deny all from any to 240.0.0.0/4 in via ${pppOut}
$cmd add 00036 deny icmp from any to any frag
$cmd add 00037 deny log icmp from any to 255.255.255.255 in via ${pppOut}
$cmd add 00038 deny log icmp from any to 255.255.255.255 out via ${pppOut}
####################################################################
# Deny all outbound traffic from non-routable reserved address space
####################################################################
#$cmd add 00040 deny all from 10.0.0.0/8 to any out via ${pppOut}
$cmd add 00041 deny all from 172.16.0.0/12 to any out via ${pppOut}
#$cmd add 00042 deny all from 192.168.0.0/16 to any out via ${pppOut}
$cmd add 00043 deny all from 0.0.0.0/8 to any out via ${pppOut}
$cmd add 00044 deny all from 169.254.0.0/16 to any out via ${pppOut}
$cmd add 00045 deny all from 240.0.0.0/4 to any out via ${pppOut}
####################################################################
#Allow Established connect
####################################################################
#$cmd add 00050 allow tcp from any to any established
###################################################################
#Allow Server Internet
###################################################################
#$cmd add 00060 allow all from me to any out xmit ${pppOut}
$cmd add 00060 allow all from me to any out via ${pppOut} setup ${ks}
####################################################################
#Allow DNS Server
####################################################################
$cmd add 00050 allow udp from any 53 to any via ${pppOut}
$cmd add 00051 allow udp from any to any 53 via ${pppOut}
####################################################################
#Allow NTP Server
####################################################################
$cmd add 00060 allow udp from any to any 123 via ${pppOut}
$cmd add 00061 allow udp from any 123 to any via ${pppOut}
####################################################################
#Allow SSH Server
####################################################################
$cmd add 00070 allow tcp from any to me 22 in via ${pppOut} setup limit src-addr 2
####################################################################
# Allow ICMP traffic
####################################################################
$cmd add 00080 allow icmp from any to any icmptypes 0,8,11
####################################################################
# Allow traffic LAN
####################################################################
$cmd add 00100 allow tcp from any to any via ${LanIn}
$cmd add 00101 allow udp from any to any via ${LanIn}
$cmd add 00102 allow icmp from any to any via ${LanIn}
####################################################################
# NAT Kernel
####################################################################
$cmd nat 1 config log if ${pppOut} reset same_ports deny_in
$cmd add 00110 nat 1 ip from any to any via ${pppOut}

9:37 [stat]#ipfw show
00010   230   29972 allow ip from any to any via lo0
00020     0       0 deny ip from any to 127.0.0.0/8
00021     0       0 deny ip from 127.0.0.0/8 to any
00025     0       0 check-state
00031     0       0 deny ip from any to 172.16.0.0/12 in via tun0
00033     0       0 deny ip from any to 0.0.0.0/8 in via tun0
00034     0       0 deny ip from any to 169.254.0.0/16 in via tun0
00035     0       0 deny ip from any to 240.0.0.0/4 in via tun0
00036     0       0 deny icmp from any to any frag
00037     0       0 deny log logamount 5 icmp from any to 255.255.255.255 in via tun0
00038     0       0 deny log logamount 5 icmp from any to 255.255.255.255 out via tun0
00041     0       0 deny ip from 172.16.0.0/12 to any out via tun0
00043     0       0 deny ip from 0.0.0.0/8 to any out via tun0
00044     0       0 deny ip from 169.254.0.0/16 to any out via tun0
00045     0       0 deny ip from 240.0.0.0/4 to any out via tun0
00050   129   27348 allow udp from any 53 to any via tun0
00051   135    9816 allow udp from any to any dst-port 53 via tun0
00060  2070  920422 allow ip from me to any out via tun0 setup keep-state
00060     0       0 allow udp from any to any dst-port 123 via tun0
00061     0       0 allow udp from any 123 to any via tun0
00070     0       0 allow tcp from any to me dst-port 22 in via tun0 setup limit src-addr 2
00080     4     132 allow icmp from any to any icmptypes 0,8,11
00100  2314  925004 allow tcp from any to any via vr1
00101    62    6873 allow udp from any to any via vr1
00102     0       0 allow icmp from any to any via vr1
00110   326   16496 nat 1 ip from any to any via tun0
65535   278   13816 deny ip from any to any
one_pass set :1

/etc/ppp/ppp.conf:
u3g:
 nat enable yes
 set device /dev/cuaU0.0
 set speed 460800
 set timeout 0
 set phone "*99***1#"
 set authname
 set authkey
 set dial "ABORT BUSY TIMEOUT 2 \
   \"\" \
   AT OK-AT-OK \
   AT+CFUN=1 OK-AT-OK \
   AT+CMEE=2 OK-AT-OK \
   AT+CSQ OK \
   AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \
   AT+CGACT? OK-AT-OK \
   AT+CGATT? OK \
   AT+CGCLASS? OK \
   AT+COPS? OK \
   ATD*99***1# CONNECT"
 set vj slotcomp off
 set crtscts on
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR

/etc/rc.conf
hostname="*******"
ifconfig_vr1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="u3g"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags=" -4 -u bind -c /etc/namedb/named.conf"
.......

Kernel nat is not working with these rules; it works in FreeBSD 8.0.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-i386->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Tue Aug 31 06:13:24 UTC 2010
Responsible-Changed-Why:
reassign to ipfw

http://www.freebsd.org/cgi/query-pr.cgi?pr=150141

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/150141: commit references a PR
Date: Tue, 28 Sep 2010 23:23:29 +0000 (UTC)

 Author: luigi
 Date: Tue Sep 28 23:23:23 2010
 New Revision: 213254
 URL: http://svn.freebsd.org/changeset/base/213254

 Log:
   fix breakage in in-kernel NAT: the code did not honor
   net.inet.ip.fw.one_pass and always moved to the next rule
   in case of a successful nat.
   This should fix several related PRs (waiting for feedback
   before closing them)

   PR: 145167 149572 150141
   MFC after: 3 days

 Modified:
   head/sys/netinet/ipfw/ip_fw_pfil.c

 Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Sep 28 22:46:13 2010	(r213253)
 +++ head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Sep 28 23:23:23 2010	(r213254)
@@ -231,6 +231,11 @@ again:
 			break;
 		case IP_FW_NAT:
+			/* honor one-pass in case of successful nat */
+			if (V_fw_one_pass)
+				break; /* ret is already 0 */
+			goto again;
+
 		case IP_FW_REASS:
 			goto again;	/* continue with packet */
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/150141: commit references a PR
Date: Fri, 10 Dec 2010 05:18:47 +0000 (UTC)

 Author: ae
 Date: Fri Dec 10 05:18:37 2010
 New Revision: 216348
 URL: http://svn.freebsd.org/changeset/base/216348

 Log:
   MFC r213254 by luigi:
     fix breakage in in-kernel NAT: the code did not honor
     net.inet.ip.fw.one_pass and always moved to the next rule
     in case of a successful nat.
     This should fix several related PRs (waiting for feedback
     before closing them)

     PR: 145167 149572 150141

   Approved by:	re (bz)

 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)

 Modified: stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Fri Dec 10 05:16:25 2010	(r216347)
 +++ stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Fri Dec 10 05:18:37 2010	(r216348)
@@ -231,6 +231,11 @@ again:
 			break;
 		case IP_FW_NAT:
+			/* honor one-pass in case of successful nat */
+			if (V_fw_one_pass)
+				break; /* ret is already 0 */
+			goto again;
+
 		case IP_FW_REASS:
 			goto again;	/* continue with packet */

State-Changed-From-To: open->closed
State-Changed-By: ae
State-Changed-When: Fri Dec 10 05:30:35 UTC 2010
State-Changed-Why:
Merged to stable/8.

http://www.freebsd.org/cgi/query-pr.cgi?pr=150141
>Unformatted:
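Review bot: the `break; /* ret is already 0 */` added on the one_pass path makes the accept verdict depend on `ret` still holding its initial value when the `again:` loop is re-entered, but that initialization lies outside the hunk's context; please confirm that nothing in the loop assigns `ret` before a second pass (a `goto again` from an earlier nat or reass iteration) reaches this case, or set `ret = 0` explicitly at the `break` so the comment cannot go stale. The new `goto again;` placed directly above `case IP_FW_REASS: goto again;` only repeats what the fall-through already did; either drop it and mark the fall-through, or keep it with a comment on why the explicit jump is preferred. The log would also benefit from stating what this changes for rulesets: with one_pass=1 a successfully NATed packet is now accepted without visiting any rule after the nat rule, so deny rules placed after it no longer see translated traffic, which is exactly what the submitter's chain (nat at 00110 followed only by the default deny at 65535) relies on. The same comments apply to the identical stable/8 hunk in r216348.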
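The commit log states the failure in one sentence: after a successful nat the pfil hook always re-entered the chain at the next rule, ignoring net.inet.ip.fw.one_pass, so on the submitter's chain the translated packet went on to the default deny at 65535. The C program below is an added illustration written for this page, not FreeBSD code: it models ipfw_chk() and the `again:` loop of ipfw_check_hook() on a chain shaped like the PR's (allow via vr1, nat via tun0, default deny) and reports the verdict for a forwarded LAN packet leaving through tun0 under the 8.1-RELEASE behaviour, under r213254, and on the unfixed kernel with an explicit allow placed after the nat rule. The addresses, the nat rewrite and the hypothetical rule 120 are constructed; real ipfw matching (direction, protocol, the alias table) is not modelled. Note also that the submitter's ppp.conf has `nat enable yes` and rc.conf has `ppp_nat="YES"`, so userland ppp NAT was configured alongside the kernel nat; the model ignores that.

```c
/* Model of ipfw's pfil hook re-entering the rule chain after an in-kernel
 * nat action, and of what net.inet.ip.fw.one_pass changes.  Added example
 * for this PR, not FreeBSD code: interface names and rule numbers follow the
 * submitter's ruleset; the addresses, the nat rewrite and rule 120 are
 * constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_PASS, V_DENY, V_NAT };   /* what ipfw_chk() reports */
enum action  { A_ALLOW, A_DENY, A_NAT };
struct pkt  { char src[16]; char dst[16]; const char *ifp; bool in; };
struct rule { int num; enum action act; const char *via; /* NULL = any */ };

static bool one_pass = true;              /* sysctl net.inet.ip.fw.one_pass=1 */
/* false: 8.1-RELEASE, IP_FW_NAT falls through to `goto again`;
 * true:  r213254, "honor one-pass in case of successful nat" */
static bool nat_honors_one_pass = false;

/* nat 1 ... if tun0: alias the LAN source going out, de-alias the destination
 * coming in.  Constructed translation; no alias table is modelled. */
static void do_nat(struct pkt *p)
{
    if (p->in) strcpy(p->dst, "192.168.1.10");
    else       strcpy(p->src, "10.0.0.1");
}

/* ipfw_chk(): walk the chain from index `start`; *fired = rule that decided */
static enum verdict ipfw_chk(const struct rule *rs, int n, int start,
                             struct pkt *p, int *fired)
{
    for (int i = start; i < n; i++) {
        if (rs[i].via && strcmp(rs[i].via, p->ifp) != 0)
            continue;                     /* `via` does not match */
        *fired = i;
        switch (rs[i].act) {
        case A_ALLOW: return V_PASS;
        case A_DENY:  return V_DENY;
        case A_NAT:   do_nat(p); return V_NAT;
        }
    }
    *fired = n - 1;                       /* rule 65535 (deny) is always last */
    return V_DENY;
}

/* The `again:` loop of ipfw_check_hook(): after a successful nat the packet
 * is either accepted (one_pass honoured) or re-injected at the next rule. */
static enum verdict ipfw_check_hook(const struct rule *rs, int n,
                                    struct pkt *p, int *fired)
{
    for (int start = 0;;) {
        enum verdict v = ipfw_chk(rs, n, start, p, fired);
        if (v != V_NAT)
            return v;
        if (nat_honors_one_pass && one_pass)
            return V_PASS;                /* the fix: accept at the nat rule */
        start = *fired + 1;               /* unfixed kernel, or one_pass=0 */
    }
}

/* The part of the PR's chain a forwarded packet on tun0 can reach, and the
 * same chain with a hypothetical explicit allow for translated traffic,
 * which is what a one_pass=0 ruleset needs after its nat rule. */
static const struct rule pr_rules[] = {
    { 100, A_ALLOW, "vr1" }, { 110, A_NAT, "tun0" }, { 65535, A_DENY, NULL },
};
static const struct rule workaround_rules[] = {
    { 100, A_ALLOW, "vr1" }, { 110, A_NAT, "tun0" }, { 120, A_ALLOW, "tun0" },
    { 65535, A_DENY, NULL },
};

/* A LAN host's packet on its second firewall pass, leaving through tun0 (the
 * vr1 pass already matched rule 100).  Returns the number of the rule that
 * decided it; *p is left as the stack would forward it. */
static int lan_egress(bool fixed_kernel, bool with_workaround,
                      struct pkt *p, enum verdict *v)
{
    const struct rule *rs = with_workaround ? workaround_rules : pr_rules;
    int n = with_workaround ? 4 : 3, fired;

    nat_honors_one_pass = fixed_kernel;
    *p = (struct pkt){ "192.168.1.10", "198.51.100.7", "tun0", false };
    *v = ipfw_check_hook(rs, n, p, &fired);
    return rs[fired].num;
}

int main(void)
{
    static const char *name[] = { "PASS", "DENY", "NAT" };
    static const char *label[] = { "8.1-RELEASE, one_pass=1",
        "with r213254, one_pass=1", "8.1-RELEASE + allow after nat" };
    for (int i = 0; i < 3; i++) {
        struct pkt p; enum verdict v;
        int r = lan_egress(i == 1, i == 2, &p, &v);
        printf("%-30s rule %5d %s, src %s\n", label[i], r, name[v], p.src);
    }
    return 0;
}
```

The three runs show the shape of the bug: the nat rule translates the source in every case, but on the unfixed kernel the translated packet is re-evaluated from rule 120 onward and, with nothing but the default deny there, is dropped, which is what the submitter's counters (326 packets on 00110, 278 on 65535) are consistent with. With r213254 and one_pass=1 the nat rule is terminal; without the fix, or with one_pass=0, an explicit allow after the nat rule is what keeps translated traffic flowing.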