From nobody@FreeBSD.org  Thu Aug 12 11:15:36 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 79C0A106567A
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 Aug 2010 11:15:36 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 68F2C8FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 Aug 2010 11:15:36 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o7CBFZ1L051077
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 Aug 2010 11:15:35 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o7CBFZiY051076;
	Thu, 12 Aug 2010 11:15:35 GMT
	(envelope-from nobody)
Message-Id: <201008121115.o7CBFZiY051076@www.freebsd.org>
Date: Thu, 12 Aug 2010 11:15:35 GMT
From: Alexander Apanasenko <apanasis@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw kernel nat not working properly
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         149572
>Category:       kern
>Synopsis:       [ipfw] ipfw kernel nat not working properly
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 12 11:20:01 UTC 2010
>Closed-Date:    Fri Dec 10 05:29:28 UTC 2010
>Last-Modified:  Fri Dec 10 05:29:28 UTC 2010
>Originator:     Alexander Apanasenko
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD gate100.bis 8.1-RELEASE FreeBSD 8.1-RELEASE #1: Tue Aug 10 11:25:07 MSD 2010     apanas@gate100.bis:/usr/obj/usr/src/sys/GATE  i386
>Description:
After upgrading from 8.0-RELEASE to 8.1-RELEASE, IPFW kernel nat rules are not working.
The nat config in ipfw is:
  ipfw nat 1 config if fxp2 log deny_in same_ports reset
rules:
  ...
  20700 nat 1 ip from any to any via fxp2
  29900 deny ip from any to any
sysctl net.inet.ip.fw.one_pass
  net.inet.ip.fw.one_pass: 1

fxp2 is the external interface.

In the 8.0 release these rules work fine,
  20700 12221 1314739 nat 1 ip from any to any via fxp2
  29900     0       0 deny ip from any to any
but in 8.1 all packets matched by rule 20700 do not leave the firewall
and continue on to rule 29900:
  20700   0 5847 nat 1 ip from any to any via fxp2
  29900   0 6023 deny ip from any to any
>How-To-Repeat:
On an 8.1-RELEASE system with the kernel ipfw options
 options         IPFIREWALL
 options         IPFIREWALL_VERBOSE
 options         IPFIREWALL_VERBOSE_LIMIT=100
 options         IPFIREWALL_FORWARD
 options         IPFIREWALL_NAT
 options         IPDIVERT
 options         DUMMYNET
 options         LIBALIAS
and sysctl net.inet.ip.fw.one_pass=1,
do:
ipfw add allow ip from any to any via int_iface
ipfw add nat 1 ip from any to any via ext_iface
ipfw nat 1 config if ext_iface same_ports
ipfw add deny ip from any to any
and you can see that all packets, after aliasing by the nat 1 rule, go to the deny rule.
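To make the one_pass semantics behind this report concrete, here is a small constructed C model of the rule walk. It is added for illustration and is not ipfw or FreeBSD code; every name in it (enum action, struct rule, run_chain, replay) is invented. It replays the PR's two-rule chain (nat 1 via fxp2, then deny any) for ten outbound packets, once with the 8.1-RELEASE behaviour where a nat rule always continues with the next rule, and once with the r213254 behaviour where a successful nat honours net.inet.ip.fw.one_pass, and reports how many packets reach the deny rule in each case.

```c
/* Constructed model of the ipfw rule walk described in this PR.
 * Added for illustration only: it is not FreeBSD/ipfw code, and every
 * name below (enum action, struct rule, run_chain, replay) is invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum action  { ACT_ALLOW, ACT_NAT, ACT_DENY };
enum verdict { VERDICT_PASS, VERDICT_DROP };

struct rule {
    int           number;   /* ipfw rule number, e.g. 20700 */
    enum action   act;
    const char   *via;      /* "via <iface>" qualifier, NULL = any interface */
    unsigned long pkts;     /* packet counter, like the first column of ipfw show */
};

struct result {
    unsigned long nat_hits;  /* packets counted by the nat rule  */
    unsigned long deny_hits; /* packets counted by the deny rule */
    unsigned long dropped;   /* packets that never left the box  */
};

/* Walk the chain for one packet leaving via `iface`.
 * `one_pass` models net.inet.ip.fw.one_pass; `fixed` selects the
 * post-r213254 behaviour (nat honours one_pass) instead of the
 * 8.1-RELEASE behaviour (nat always continues with the next rule). */
static enum verdict run_chain(struct rule *chain, int n, const char *iface,
                              bool one_pass, bool fixed)
{
    for (int i = 0; i < n; i++) {
        struct rule *r = &chain[i];
        if (r->via != NULL && strcmp(r->via, iface) != 0)
            continue;                    /* rule does not match this interface */
        r->pkts++;
        switch (r->act) {
        case ACT_ALLOW:
            return VERDICT_PASS;
        case ACT_DENY:
            return VERDICT_DROP;
        case ACT_NAT:
            /* address translation would happen here; the question the PR
             * raises is only what happens to the packet afterwards */
            if (fixed && one_pass)
                return VERDICT_PASS;     /* one_pass=1: packet leaves the firewall */
            break;                       /* otherwise go on to the next rule */
        }
    }
    return VERDICT_DROP;                 /* implicit default deny at end of chain */
}

/* Replay the PR's two-rule chain for `npkts` outbound packets on fxp2. */
struct result replay(bool fixed, bool one_pass, int npkts)
{
    struct rule chain[] = {
        { 20700, ACT_NAT,  "fxp2", 0 },  /* nat 1 ip from any to any via fxp2 */
        { 29900, ACT_DENY, NULL,   0 },  /* deny ip from any to any           */
    };
    struct result res = { 0, 0, 0 };

    for (int i = 0; i < npkts; i++)
        if (run_chain(chain, 2, "fxp2", one_pass, fixed) == VERDICT_DROP)
            res.dropped++;

    res.nat_hits  = chain[0].pkts;
    res.deny_hits = chain[1].pkts;
    return res;
}

int main(void)
{
    struct result r_buggy = replay(false, true, 10);   /* 8.1-RELEASE, one_pass=1  */
    struct result r_fixed = replay(true,  true, 10);   /* after r213254, one_pass=1 */
    struct result r_multi = replay(true,  false, 10);  /* after r213254, one_pass=0 */

    printf("8.1 one_pass=1 : nat=%lu deny=%lu dropped=%lu\n",
           r_buggy.nat_hits, r_buggy.deny_hits, r_buggy.dropped);
    printf("fix one_pass=1 : nat=%lu deny=%lu dropped=%lu\n",
           r_fixed.nat_hits, r_fixed.deny_hits, r_fixed.dropped);
    printf("fix one_pass=0 : nat=%lu deny=%lu dropped=%lu\n",
           r_multi.nat_hits, r_multi.deny_hits, r_multi.dropped);
    return 0;
}
```

Build with `cc -o onepass onepass.c && ./onepass`. The first line reproduces the counter pattern from the report (both the nat rule and the trailing deny rule count every packet, and nothing leaves), the second line is the 8.0 behaviour the reporter expects with one_pass=1, and the third line shows that with one_pass=0 the same chain legitimately drops everything, because a nat rule is then a pass-through and the rules after it decide the packet's fate.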
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Aug 12 16:27:44 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=149572 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/149572: commit references a PR
Date: Tue, 28 Sep 2010 23:23:28 +0000 (UTC)

 Author: luigi
 Date: Tue Sep 28 23:23:23 2010
 New Revision: 213254
 URL: http://svn.freebsd.org/changeset/base/213254
 
 Log:
   fix breakage in in-kernel NAT: the code did not honor
   net.inet.ip.fw.one_pass and always moved to the next rule
   in case of a successful nat.
   
   This should fix several related PR (waiting for feedback
   before closing them)
   
   PR:		145167 149572 150141
   MFC after:	3 days
 
 Modified:
   head/sys/netinet/ipfw/ip_fw_pfil.c
 
 Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Sep 28 22:46:13 2010	(r213253)
 +++ head/sys/netinet/ipfw/ip_fw_pfil.c	Tue Sep 28 23:23:23 2010	(r213254)
 @@ -231,6 +231,11 @@ again:
  		break;
  
  	case IP_FW_NAT:
 +		/* honor one-pass in case of successful nat */
 +		if (V_fw_one_pass)
 +			break; /* ret is already 0 */
 +		goto again;
 +
  	case IP_FW_REASS:
  		goto again;		/* continue with packet */
  	
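Review bot: the `break` on the one_pass path relies on `ret` still being 0 when `case IP_FW_NAT:` is reached, as the comment `ret is already 0` says, but nothing in the hunk establishes that invariant; consider setting it explicitly (`ret = 0; break;`) or pointing the comment at where `ret` is initialised, so that a later change above this case cannot silently turn a one_pass accept into an error return. The explicit `goto again;` also replaces the former fall-through into `case IP_FW_REASS:`; that keeps the one_pass=0 behaviour unchanged, but it is worth a one-line note in the comment that the fall-through was intentional before and is now spelled out.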
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/149572: commit references a PR
Date: Fri, 10 Dec 2010 05:18:46 +0000 (UTC)

 Author: ae
 Date: Fri Dec 10 05:18:37 2010
 New Revision: 216348
 URL: http://svn.freebsd.org/changeset/base/216348
 
 Log:
   MFC r213254 by luigi:
      fix breakage in in-kernel NAT: the code did not honor
      net.inet.ip.fw.one_pass and always moved to the next rule
      in case of a successful nat.
   
      This should fix several related PR (waiting for feedback
      before closing them)
   
      PR:		145167 149572 150141
   
   Approved by:	re (bz)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Fri Dec 10 05:16:25 2010	(r216347)
 +++ stable/8/sys/netinet/ipfw/ip_fw_pfil.c	Fri Dec 10 05:18:37 2010	(r216348)
 @@ -231,6 +231,11 @@ again:
  		break;
  
  	case IP_FW_NAT:
 +		/* honor one-pass in case of successful nat */
 +		if (V_fw_one_pass)
 +			break; /* ret is already 0 */
 +		goto again;
 +
  	case IP_FW_REASS:
  		goto again;		/* continue with packet */
  	
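Review bot: this MFC hunk is identical to the head change in r213254 (same offset `@@ -231,6 +231,11 @@ again:` and the same five added lines), so the stable/8 context matches; the one thing to confirm on the branch is that the `ret` initialisation the comment `ret is already 0` depends on is present in the stable/8 copy of this function, since that comment is the only thing documenting why `break` is a safe accept here.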
 
State-Changed-From-To: open->closed 
State-Changed-By: ae 
State-Changed-When: Fri Dec 10 05:28:02 UTC 2010 
State-Changed-Why:  
Merged to stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=149572 
>Unformatted:
