Message-Id: <201003291254.o2TCsx2V051011@www.freebsd.org>
Date: Mon, 29 Mar 2010 12:54:59 GMT
From: Dmitry <d_kazarov@mcm.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw nat does not follow its documentation
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         145167
>Category:       kern
>Synopsis:       [ipfw] ipfw nat does not follow its documentation
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 29 13:00:12 UTC 2010
>Closed-Date:    Fri Dec 10 05:26:56 UTC 2010
>Last-Modified:  Fri Dec 10 05:26:56 UTC 2010
>Originator:     Dmitry
>Release:        8.0-STABLE
>Organization:
Telekom Servis T
>Environment:
FreeBSD mail.mcm.ru 8.0-STABLE FreeBSD 8.0-STABLE #0: Thu Mar 25 10:43:17 MSK 2010     root@kazarov.mcm.ru:/var/tmp/obj/usr/src/sys/MCM  i386
>Description:
man ipfw says "To let the packet continue after being (de)aliased, set the sysctl variable net.inet.ip.fw.one_pass to 0." 
But on my system
~[550]# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 1
and testing ipfw rules with ipfwpcap showed that packets continue after nat
# ipfw show | fgrep 10007
00050 173098  71536791 allow ip from any to any tagged 10001,10003,10004,10005,10007
30200    310    185892 nat 7 tag 10007 ip from 192.168.15.0/24{232-234} to any out xmit vlan0
30201    310    185892 allow ip from any to any tagged 10007

Also, please solve kern/143653 (http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/143653) - it's really annoying
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Mar 29 19:57:57 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145167 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/145167: commit references a PR
Date: Tue, 28 Sep 2010 23:23:28 +0000 (UTC)

 Author: luigi
 Date: Tue Sep 28 23:23:23 2010
 New Revision: 213254
 URL: http://svn.freebsd.org/changeset/base/213254
 
 Log:
   fix breakage in in-kernel NAT: the code did not honor
   net.inet.ip.fw.one_pass and always moved to the next rule
   in case of a successful nat.
   
   This should fix several related PR (waiting for feedback
   before closing them)
   
   PR:		145167 149572 150141
   MFC after:	3 days
 
 Modified:
   head/sys/netinet/ipfw/ip_fw_pfil.c
 
 Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Sep 28 22:46:13 2010	(r213253)
 +++ head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Sep 28 23:23:23 2010	(r213254)
 @@ -231,6 +231,11 @@ again:
  		break;
  
  	case IP_FW_NAT:
 +		/* honor one-pass in case of successful nat */
 +		if (V_fw_one_pass)
 +			break; /* ret is already 0 */
 +		goto again;
 +
  	case IP_FW_REASS:
  		goto again;		/* continue with packet */
  	
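Review bot: the new `break; /* ret is already 0 */` under `case IP_FW_NAT:` depends on `ret` having been left at 0 by code outside this hunk, so a later change to how `ret` is set before the switch would change what the one-pass path returns without touching these lines. Setting `ret = 0;` explicitly before the `break`, or asserting it, would make the path self-contained. The comment and the log both say "successful nat", but the case label covers every IP_FW_NAT return; the comment should say whether a failed translation reaches this case or is reported with a different code.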
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/145167: commit references a PR
Date: Fri, 10 Dec 2010 05:18:46 +0000 (UTC)

 Author: ae
 Date: Fri Dec 10 05:18:37 2010
 New Revision: 216348
 URL: http://svn.freebsd.org/changeset/base/216348
 
 Log:
   MFC r213254 by luigi:
      fix breakage in in-kernel NAT: the code did not honor
      net.inet.ip.fw.one_pass and always moved to the next rule
      in case of a successful nat.
   
      This should fix several related PR (waiting for feedback
      before closing them)
   
      PR:		145167 149572 150141
   
   Approved by:	re (bz)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Fri Dec 10 05:16:25 2010	(r216347)
 +++ stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Fri Dec 10 05:18:37 2010	(r216348)
 @@ -231,6 +231,11 @@ again:
  		break;
  
  	case IP_FW_NAT:
 +		/* honor one-pass in case of successful nat */
 +		if (V_fw_one_pass)
 +			break; /* ret is already 0 */
 +		goto again;
 +
  	case IP_FW_REASS:
  		goto again;		/* continue with packet */
  	
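Review bot: this merge changes how existing stable/8 rulesets are evaluated at `case IP_FW_NAT:`, and neither the log nor a release note tells administrators. With `V_fw_one_pass` set, a packet now leaves the switch via `break` where it previously fell through to `goto again` and, per the log, "always moved to the next rule"; the PR shows net.inet.ip.fw.one_pass at 1 on the reporter's system, so rules placed after a nat rule stop being applied to translated packets on such systems once this lands. Suggest adding a line to the MFC log or UPDATING that says to set net.inet.ip.fw.one_pass to 0 where filtering rules after nat must still apply, and to re-check rulesets that have deny rules following nat.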
 
State-Changed-From-To: open->closed 
State-Changed-By: ae 
State-Changed-When: Fri Dec 10 05:26:02 UTC 2010 
State-Changed-Why:  
Merged to stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145167 
>Unformatted:
