From nobody@FreeBSD.org  Sun Nov 23 16:35:16 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2BFEC1065674
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 23 Nov 2008 16:35:16 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 1F08C8FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 23 Nov 2008 16:35:16 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id mANGZFhg090020
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 23 Nov 2008 16:35:15 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id mANGZFZV090019;
	Sun, 23 Nov 2008 16:35:15 GMT
	(envelope-from nobody)
Message-Id: <200811231635.mANGZFZV090019@www.freebsd.org>
Date: Sun, 23 Nov 2008 16:35:15 GMT
From: Eugen Konkov <kes-kes@yandex.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw nat must not drop packets
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         129093
>Category:       kern
>Synopsis:       [ipfw] ipfw nat must not drop packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 16:40:05 UTC 2008
>Closed-Date:    Thu Jul 07 09:43:51 UTC 2011
>Last-Modified:  Tue Dec 20 18:40:13 UTC 2011
>Originator:     Eugen Konkov
>Release:        7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
home# uname -a
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008     kes@home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7  i386

>Description:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            195.5.5.209        UGS         0     3124    ng0
...

When I ping the world from the LAN all is good, but when I ping the world from the router I get the following picture:

Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:53 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:53 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 5 Count ICMP:8.0 91.124.239.145 195.5.5.209 out via ng0
Nov 23 18:09:54 home kernel: ipfw: 1 Count ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0
Nov 23 18:09:54 home kernel: ipfw: 3 Nat ICMP:0.0 195.5.5.209 91.124.239.145 in via ng0

It seems the packet is dropped by NAT, because there is no info about the outgoing packet, and when the incoming packet falls into NAT it is dropped =(
>How-To-Repeat:
ipfw nat 1 config if ng0 log
01 count log icmp from any to any via ng0
02 nat 1 log ip from 192.168.0.0/16 to any out xmit ng0 #put only packets from LAN
03 nat 1 log ip from any to any in recv ng0
05 count log icmp from any to any via ng0
06 allow ip from any to any

>Fix:
So I need to put packets into NAT even for locally generated packets.
Workaround:
ipfw nat 1 config if ng0 log
00001 count log icmp from any to any via ng0
00002 nat 1 log ip from any to any out xmit ng0 #put to nat packets from me too
00003 nat 1 log ip from any to any in recv ng0
00005 count log icmp from any to any via ng0
00006 allow all from any to any

HOW TO FIX:
Leave the packet untouched when NAT does not know how to deal with it.
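
As an added example, not code from this PR or from FreeBSD, the following is a user-space C model of the drop decision in ipfw_nat() before and after r222806 (the commit in the audit trail below), run over the reporter's own scenario. The libalias return codes and the deny_incoming mode bit are redeclared here with made-up values (only the names come from the page), the direction argument stands in for the kernel's args->oif == NULL test, and treating the router's unmatched echo reply as PKT_ALIAS_IGNORED is an assumption (it is the "not aliased" case the commit log describes).

```c
/*
 * Added example (not FreeBSD kernel code): a user-space model of the
 * ipfw_nat() drop decision before and after r222806.  The libalias result
 * codes and the DENY_INCOMING mode bit are re-declared here with our own
 * values so the file builds stand-alone; only the names come from the PR.
 */
#include <stdbool.h>
#include <stdio.h>

/* Modelled libalias return codes (names as in the hunk, values constructed). */
enum alias_result {
	PKT_ALIAS_OK,
	PKT_ALIAS_ERROR,
	PKT_ALIAS_IGNORED,		/* packet left untouched: no NAT entry applies */
	PKT_ALIAS_RESPOND,
	PKT_ALIAS_UNRESOLVED_FRAGMENT,
	PKT_ALIAS_FOUND_HEADER_FRAGMENT
};

/* Modelled packetAliasMode bit; the real value is whatever libalias defines. */
#define PKT_ALIAS_DENY_INCOMING 0x01u

/* In ipfw_nat() the direction test is args->oif == NULL (incoming). */
enum direction { DIR_IN, DIR_OUT };

/*
 * Pre-r222806 rule, as removed by the hunk: RESPOND is folded into OK and
 * then everything except OK / FOUND_HEADER_FRAGMENT is denied, regardless
 * of direction or mode.
 */
bool drop_before_r222806(enum alias_result r, enum direction d, unsigned mode)
{
	(void)d;
	(void)mode;
	if (r == PKT_ALIAS_RESPOND)
		r = PKT_ALIAS_OK;
	return (r != PKT_ALIAS_OK && r != PKT_ALIAS_FOUND_HEADER_FRAGMENT);
}

/*
 * Post-r222806 rule, as added by the hunk: deny on ERROR always, and for
 * incoming packets also on unresolved fragments or on IGNORED when the
 * instance was configured with deny_incoming.
 */
bool drop_after_r222806(enum alias_result r, enum direction d, unsigned mode)
{
	if (r == PKT_ALIAS_ERROR)
		return (true);
	if (d == DIR_IN) {
		if (r == PKT_ALIAS_UNRESOLVED_FRAGMENT)
			return (true);
		if (r == PKT_ALIAS_IGNORED &&
		    (mode & PKT_ALIAS_DENY_INCOMING) != 0)
			return (true);
	}
	return (false);
}

/*
 * The reporter's case: the router pings out from its own address, so rule
 * 02 ("from 192.168.0.0/16 ... out") never sends the request through NAT.
 * The echo reply then hits rule 03 ("in recv ng0"); libalias has no entry
 * for it and (assumption: this is the "not aliased" case of the commit log)
 * returns PKT_ALIAS_IGNORED.  deny_incoming is not configured.
 */
bool reporter_reply_dropped(bool with_fix)
{
	const unsigned mode = 0;
	const enum alias_result r = PKT_ALIAS_IGNORED;

	return (with_fix ? drop_after_r222806(r, DIR_IN, mode)
	    : drop_before_r222806(r, DIR_IN, mode));
}

int main(void)
{
	static const char *names[] = { "OK", "ERROR", "IGNORED", "RESPOND",
	    "UNRESOLVED_FRAGMENT", "FOUND_HEADER_FRAGMENT" };
	enum alias_result r;

	/* Full decision table: every retval, both directions, both mode settings. */
	printf("%-22s %-4s %-13s %-6s %s\n", "retval", "dir", "deny_incoming",
	    "before", "after");
	for (r = PKT_ALIAS_OK; r <= PKT_ALIAS_FOUND_HEADER_FRAGMENT; r++) {
		enum direction d;
		for (d = DIR_IN; d <= DIR_OUT; d++) {
			unsigned mode;
			for (mode = 0; mode <= PKT_ALIAS_DENY_INCOMING; mode++)
				printf("%-22s %-4s %-13s %-6s %s\n", names[r],
				    d == DIR_IN ? "in" : "out",
				    mode ? "yes" : "no",
				    drop_before_r222806(r, d, mode) ? "drop" : "pass",
				    drop_after_r222806(r, d, mode) ? "drop" : "pass");
		}
	}
	printf("\nreporter's echo reply: before=%s after=%s\n",
	    reporter_reply_dropped(false) ? "dropped" : "passed",
	    reporter_reply_dropped(true) ? "dropped" : "passed");
	return (0);
}
```

The table makes the behavioural change visible in one screen: the old rule drops on every code except OK, RESPOND and FOUND_HEADER_FRAGMENT whatever the direction, while the new rule only ever drops an outgoing packet on a libalias error, and the reporter's untranslated echo reply passes unless the instance was deliberately configured with deny_incoming.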

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Nov 23 18:02:44 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129093 
State-Changed-From-To: open->feedback 
State-Changed-By: ae 
State-Changed-When: Mon Jun 6 06:57:40 UTC 2011 
State-Changed-Why:  
This seems to be a duplicate of kern/157379. 
Can you confirm that proposed patch fixes this issue? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129093 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/129093: commit references a PR
Date: Tue,  7 Jun 2011 06:42:39 +0000 (UTC)

 Author: ae
 Date: Tue Jun  7 06:42:29 2011
 New Revision: 222806
 URL: http://svn.freebsd.org/changeset/base/222806
 
 Log:
   Make a behaviour of the libalias based in-kernel NAT a bit closer to
   how natd(8) does work. natd(8) drops packets only when libalias returns
   PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
   always did drop packets that were not aliased, even if they should
   not be aliased and just are going through.
   
   PR:		kern/122109, kern/129093, kern/157379
   Submitted by:	Alexander V. Chernikov (previous version)
   MFC after:	1 month
 
 Modified:
   head/sys/netinet/ipfw/ip_fw_nat.c
 
 Modified: head/sys/netinet/ipfw/ip_fw_nat.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_nat.c	Tue Jun  7 06:18:02 2011	(r222805)
 +++ head/sys/netinet/ipfw/ip_fw_nat.c	Tue Jun  7 06:42:29 2011	(r222806)
 @@ -262,17 +262,27 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c,
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval == PKT_ALIAS_RESPOND) {
 -		m->m_flags |= M_SKIP_FIREWALL;
 -		retval = PKT_ALIAS_OK;
 -	}
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  		args->m = NULL;
  		return (IP_FW_DENY);
  	}
 +
 +	if (retval == PKT_ALIAS_RESPOND)
 +		m->m_flags |= M_SKIP_FIREWALL;
  	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
  
  	/*
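Review bot: the `/* XXX - should i add some logging? */` comment is carried over unchanged into the new drop branch, yet that branch is now the one place where a deliberate policy drop (PKT_ALIAS_IGNORED with PKT_ALIAS_DENY_INCOMING set) and a real failure (PKT_ALIAS_ERROR) are handled identically and silently; logging the retval there, at least when the nat rule carries the log flag (every rule in the reporter's set does), would let an operator tell a deny_incoming drop from a libalias error. Two smaller points on the same hunk: the four-deep parenthesised condition would read more easily split into an `incoming = (args->oif == NULL)` temporary and one `if` per bullet of the comment above it, and the comment should say that `args->oif == NULL` is what defines "incoming" here, since the whole behavioural change (outgoing PKT_ALIAS_IGNORED and PKT_ALIAS_UNRESOLVED_FRAGMENT packets now pass untouched) hinges on that test. Moving the PKT_ALIAS_RESPOND handling after the drop check is fine: RESPOND is not a drop case in the new condition, so M_SKIP_FIREWALL is still set for it.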
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: feedback->patched 
State-Changed-By: ae 
State-Changed-When: Tue Jun 7 06:54:30 UTC 2011 
State-Changed-Why:  
Patched in head/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129093 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/129093: commit references a PR
Date: Thu,  7 Jul 2011 09:29:25 +0000 (UTC)

 Author: ae
 Date: Thu Jul  7 09:29:11 2011
 New Revision: 223835
 URL: http://svn.freebsd.org/changeset/base/223835
 
 Log:
   MFC r222806:
     Make a behaviour of the libalias based in-kernel NAT a bit closer to
     how natd(8) does work. natd(8) drops packets only when libalias returns
     PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
     always did drop packets that were not aliased, even if they should
     not be aliased and just are going through.
   
     PR:		kern/122109, kern/129093, kern/157379
     Submitted by:	Alexander V. Chernikov (previous version)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_nat.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw_nat.c	Thu Jul  7 08:33:58 2011	(r223834)
 +++ stable/8/sys/netinet/ipfw/ip_fw_nat.c	Thu Jul  7 09:29:11 2011	(r223835)
 @@ -263,17 +263,27 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c,
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval == PKT_ALIAS_RESPOND) {
 -		m->m_flags |= M_SKIP_FIREWALL;
 -		retval = PKT_ALIAS_OK;
 -	}
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  		args->m = NULL;
  		return (IP_FW_DENY);
  	}
 +
 +	if (retval == PKT_ALIAS_RESPOND)
 +		m->m_flags |= M_SKIP_FIREWALL;
  	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
  
  	/*
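Review bot: this MFC hunk is identical to the r222806 hunk apart from the @@ offset (263 instead of 262), so the same review points carry over: the XXX logging comment is still unresolved in the drop branch that now also covers the deny_incoming policy drop, and the nested condition would be clearer factored into an `incoming` temporary with one `if` per case listed in the comment. Nothing stable/8-specific is introduced, which matches the log's plain "MFC r222806".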
 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Thu Jul 7 09:43:23 UTC 2011 
State-Changed-Why:  
Merged to stable/7 and stable/8. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129093 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/129093: commit references a PR
Date: Thu,  7 Jul 2011 09:42:50 +0000 (UTC)

 Author: ae
 Date: Thu Jul  7 09:42:32 2011
 New Revision: 223837
 URL: http://svn.freebsd.org/changeset/base/223837
 
 Log:
   MFC r222806:
     Make a behaviour of the libalias based in-kernel NAT a bit closer to
     how natd(8) does work. natd(8) drops packets only when libalias returns
     PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
     always did drop packets that were not aliased, even if they should
     not be aliased and just are going through.
   
     PR:		kern/122109, kern/129093, kern/157379
     Submitted by:	Alexander V. Chernikov (previous version)
 
 Modified:
   stable/7/sys/netinet/ip_fw_nat.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet/ip_fw_nat.c
 ==============================================================================
 --- stable/7/sys/netinet/ip_fw_nat.c	Thu Jul  7 09:32:43 2011	(r223836)
 +++ stable/7/sys/netinet/ip_fw_nat.c	Thu Jul  7 09:42:32 2011	(r223837)
 @@ -322,8 +322,18 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c, 
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  	badnat:
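Review bot: unlike the head and stable/8 versions of this change, this stable/7 hunk replaces only the drop condition and contains no PKT_ALIAS_RESPOND / M_SKIP_FIREWALL handling, and the context lines do not show where stable/7 deals with that case; worth confirming in the file that a RESPOND result is still handled there, since with this condition alone a RESPOND packet would simply continue down the normal firewall path. The drop branch here also runs into the `badnat:` label instead of the inline `args->m = NULL; return (IP_FW_DENY);` of the head version, and the hunk is cut off right after `m_free(mcl);`, so the reviewer cannot see from the diff that `badnat:` clears `args->m` before denying; a couple more context lines would have made that checkable. Same note as on the head hunk: the `/* XXX - should i add some logging? */` comment survives in the branch that now also covers the deny_incoming policy drop.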
 

From: Коньков Евгений <kes-kes@yandex.ru>
To: bug-followup@FreeBSD.org, kes-kes@yandex.ru
Cc:  
Subject: Re: kern/129093: [ipfw] ipfw nat must not drop packets
Date: Tue, 20 Dec 2011 20:38:52 +0200

 Seems to work on the latest FreeBSD versions (9 and 10).
 
>Unformatted:
