From nobody@FreeBSD.org  Fri Jan  6 21:07:41 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4BBF1106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Jan 2012 21:07:41 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 1FF818FC16
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Jan 2012 21:07:41 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q06L7emm064032
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 6 Jan 2012 21:07:40 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q06L7epp064031;
	Fri, 6 Jan 2012 21:07:40 GMT
	(envelope-from nobody)
Message-Id: <201201062107.q06L7epp064031@red.freebsd.org>
Date: Fri, 6 Jan 2012 21:07:40 GMT
From: Greg Radzykewycz <fbsdpr@inlandnet.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw fwd does not work with 'via interface' in rule body
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         163873
>Category:       kern
>Synopsis:       [ipfw] ipfw fwd does not work with 'via interface' in rule body
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 06 21:10:09 UTC 2012
>Closed-Date:    Sat Jan 05 21:35:41 UTC 2013
>Last-Modified:  Sat Jan 05 21:35:41 UTC 2013
>Originator:     Greg Radzykewycz
>Release:        8.2-RELEASE
>Organization:
Inland Networks
>Environment:
FreeBSD pandora.inlandnet.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Wed Dec 21 09:06:00 PST 2011    root@pandora.inlandnet.com:/usr/src/sys/i386/compile/PANDORA  i386
>Description:
This PR may be related to the following PRs.
kern/129036
kern/122963

In upgrading a firewall from FreeBSD 4.11 to 8.2 there was a problem with the firewall not forwarding DNS queries to a DNS proxy server running on another box. The firewall rules were identical between 4.11 and 8.2. Sample rule follows.

${fwcmd} add fwd ${dnsproxy} udp from any to ${atldns1} domain in via ${iif1}

While this worked on 4.11, it did not on 8.2.

After a Google search turned up nothing pertinent, testing different variations of the firewall rule was done. The box was taken out of service and reconfigured for testing. Testing was done with TCP for simplicity.

The following worked.
ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53

With tcpdump running on 192.168.0.10, packets to 10.10.10.10 TCP port 53 were seen when the command "telnet 10.10.10.10 53" was run on the firewall box.

The following did not work.
ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 via em0

Interface em0 was the only interface connected and configured at the time and also was the default route (192.168.0.1). Any external IP traffic would pass through em0 regardless. Doing the same test with tcpdump running on 192.168.0.10, packets to 10.10.10.10 TCP port 53 were not seen on 192.168.0.10 when the command "telnet 10.10.10.10 53" was run on the firewall box.

The firewall box was reconfigured for production use. The firewall rules associated with proxying DNS requests were all changed to remove 'in via ${iif}' and the box was put back in service. Without the 'in via' in the rules, it functioned as expected, proxying the DNS queries.
>How-To-Repeat:
See description. The problem was consistent and repeatable.
>Fix:
Unknown.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Jan 6 21:18:47 UTC 2012 
Responsible-Changed-Why:  

Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=163873 

From: Коньков Евгений <kes-kes@yandex.ru>
To: Greg Radzykewycz <fbsdpr@inlandnet.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body
Date: Fri, 6 Jan 2012 23:25:27 +0200

 Hello, Greg.
 
 You wrote on 6 January 2012, 23:07:40:
 
 GR> ${fwcmd} add fwd ${dnsproxy} udp from any to ${atldns1} domain in via ${iif1}
 try adding this rule before yours:
  ${fwcmd} add log fwd ${dnsproxy} udp from any to ${atldns1} domain
 
 and check /var/log/security to see how the kernel sees that packet.
 
 Also note that when you receive a packet 'via rl0' and try to fwd it to
 an address that is reachable on rl3, the packet will have the state 'out xmit rl3'
 and not 'via rl0', as you may expect.
 
 -- 
 Regards,
 Коньков Евгений                 mailto:kes-kes@yandex.ru
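The reply above suggests putting a logging copy of the fwd rule in front of the real one and reading /var/log/security to learn how the kernel saw each packet. The script below is an added example, written for this page and not part of the PR or of FreeBSD; it parses lines in the shape ipfw writes to syslog (`ipfw: <rule> <action> <proto> <src> <dst> in|out via <ifname>`, or `[no if info]` when no interface is known), counts hits per rule, direction and interface, and compares the recorded packets against a rule body clause such as 'in via em0' or plain 'via em0'. The sample log lines are constructed for the example; only their addresses follow the test setup described in the PR.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of ipfw's syslog output (the
# syslog timestamp/host prefix is omitted). They are not taken from the
# PR; the addresses mirror its test setup: firewall 192.168.0.34,
# forward target 192.168.0.10, DNS destination 10.10.10.10:53.
SAMPLE_LOG = """\
ipfw: 340 Forward to 192.168.0.10 TCP 192.168.0.34:49152 10.10.10.10:53 out via em0
ipfw: 350 Forward to 192.168.0.10 UDP 192.168.0.77:51000 10.10.10.10:53 in via em0
ipfw: 350 Forward to 192.168.0.10 UDP 192.168.0.77:51001 10.10.10.10:53 in via em0
ipfw: 65000 Accept TCP 192.168.0.34:49153 10.10.10.10:53 out via em0
ipfw: 65000 Accept UDP 192.168.0.77:51002 10.10.10.10:53 [no if info]
"""

# Assumed line shape: rule number, action text (e.g. "Accept" or
# "Forward to <ip>"), protocol, src, dst, then either "in|out via <if>"
# or "[no if info]".
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>.+?) (?P<proto>TCP|UDP|ICMP|P:\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) "
    r"(?:(?P<dir>in|out) via (?P<iface>\S+)|\[no if info\])$"
)


def parse_line(line):
    """Return a dict for one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def parse_log(text):
    """Parse every recognisable ipfw line in a block of log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def by_rule_and_path(records):
    """Count hits per (rule, direction, interface): the 'how the kernel
    sees that packet' view the reply recommends looking at."""
    return Counter((r["rule"], r["dir"], r["iface"]) for r in records)


def check_iface_clause(records, dst, direction, iface):
    """Split logged packets to `dst` into those that satisfy an interface
    clause and those that do not.  direction="in"/"out" models 'in via X'
    or 'out via X'; direction=None models a bare 'via X'.  A packet logged
    as '[no if info]' has no interface and never satisfies the clause."""
    hit, miss = [], []
    for r in records:
        if r["dst"] != dst:
            continue
        dir_ok = direction is None or r["dir"] == direction
        if dir_ok and r["iface"] == iface:
            hit.append(r)
        else:
            miss.append(r)
    return hit, miss


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(by_rule_and_path(recs).items(), key=str):
        print(f"rule {key[0]:>5}  dir={key[1]}  iface={key[2]}  hits={n}")
    hit, miss = check_iface_clause(recs, "10.10.10.10:53", "in", "em0")
    print(f"'in via em0' could match {len(hit)} packet(s), not {len(miss)}")
```

Run it against your own /var/log/security (replace SAMPLE_LOG with the file contents): packets generated on the firewall itself, like the telnet test in the PR, are logged with direction 'out', so a rule body written with 'in via' can never match them, while a bare 'via em0' accepts both directions on that interface.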
 

From: Greg Radzykewycz <sysmgr@inlandnet.com>
To: Коньков Евгений <kes-kes@yandex.ru>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body
Date: Sat, 7 Jan 2012 11:35:27 -0800

 Greetings Коньков,
 
 Thank you for looking into this and your response. If you will note though, even with traffic originating locally and only a single functioning interface, forwarding fails to occur when the ipfw rule contains "via interface".
 
 According to the ipfw man page:
 
 fwd | forward ipaddr | tablearg[,port]
   Change the next-hop on matching packets to ipaddr ...
   If ipaddr is not a local address, then the port number (if specified) is ignored, and the packet will be forwarded to the remote address, using the route as found in the local routing table for that IP.
 
 In the testing that was done where there was only one active interface, em0, when "via em0" was added to the ipfw rule, forwarding failed. Without "via em0" in the rule, forwarding worked. That was the only difference.
 
 Perhaps it is important to note that in both the production and test environments the IP address that was being forwarded to was on a local Ethernet network. In the test environment, the firewall's IP address (192.168.0.34), the default route (192.168.0.1) and the forward IP address (192.168.0.10) were on the same em0 interface and in the same /24 network.
 
 I hope this helps. And thanks again!
 -- 
 Warmest Regards
 Greg Radzykewycz
 Manager of Information Systems
 Inland Cellular / Inland Networks

From: Sergey Matveychuk <sem@FreeBSD.org>
To: bug-followup@FreeBSD.org, fbsdpr@inlandnet.com
Cc:  
Subject: Re: kern/163873: [ipfw] ipfw fwd does not work with 'via interface' in rule body
Date: Mon, 27 Feb 2012 16:58:41 +0400

 It should be fixed in 9.0 and 8.3 (8-stable). Could you test on one of them?
State-Changed-From-To: open->feedback 
State-Changed-By: sem 
State-Changed-When: Mon Feb 27 13:12:03 UTC 2012 
State-Changed-Why:  
Can't reproduce on both 9.0 and 8.3. Please test on them. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=163873 

From: Greg Radzykewycz <sysmgr@inlandnet.com>
To: Sergey Matveychuk <sem@freebsd.org>
Cc: bug-followup@freebsd.org, fbsdpr@inlandnet.com
Subject: Re: kern/163873: [ipfw] ipfw fwd does not work with 'via interface' in rule body
Date: Tue, 28 Feb 2012 12:15:25 -0800

 On Monday 27 February 2012 04:58:41 Sergey Matveychuk wrote:
 > It should be fixed in 9.0 and 8.3 (8-stable). Could you test on one of them?
 > 
 > 
 
 Installed 9.0 on a different test box, tested it and it worked fine. To make sure it wasn't a difference with the box, I installed 8.2 and it also worked fine with or without 'via interface' in the ipfw rule. Darn! Perhaps this is related to the Ethernet device (fxp on this test box versus em on the other) or the CPU (667 MHz P-III versus 1.6 GHz Intel Atom E6xx series).
 
 Unfortunately I can not take the other box out of service and I don't have another one currently to test with. And I don't know when I will be able to acquire another box from this vendor to investigate any further. Might as well close out this bug report as it does not appear to be a generalized problem and may be hardware or vendor specific.
 -- 
 Warmest Regards
 Greg Radzykewycz
 Manager of Information Systems
 Inland Cellular / Inland Networks
 Phone: (509) 229-3190
State-Changed-From-To: feedback->closed 
State-Changed-By: ae 
State-Changed-When: Sat Jan 5 21:34:02 UTC 2013 
State-Changed-Why:  
Close per submitter request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=163873 
>Unformatted:
