From nobody@FreeBSD.org  Sat Sep  4 09:35:35 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9CC5816A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  4 Sep 2004 09:35:35 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7450243D48
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  4 Sep 2004 09:35:35 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i849ZYLp068676
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 4 Sep 2004 09:35:35 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i849ZYYR068675;
	Sat, 4 Sep 2004 09:35:34 GMT
	(envelope-from nobody)
Message-Id: <200409040935.i849ZYYR068675@www.freebsd.org>
Date: Sat, 4 Sep 2004 09:35:34 GMT
From: Bokhan Artem <art@academ.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)
X-Send-Pr-Version: www-2.3

>Number:         71366
>Category:       kern
>Synopsis:       [ipfw] "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 04 09:40:09 GMT 2004
>Closed-Date:    Wed Jun 22 04:55:55 UTC 2011
>Last-Modified:  Wed Jun 22 04:55:55 UTC 2011
>Originator:     Bokhan Artem
>Release:        4.10-STABLE
>Organization:
>Environment:
FreeBSD anchor.academ.org 4.10-STABLE FreeBSD 4.10-STABLE #0: Sat Sep  4 13:22:12 NOVST 2004     art@anchor.academ.org:/usr/obj/usr/src/sys/anchor.academ.org  i386
>Description:
I have a FreeBSD router, which forwards packets to a web accelerator (squid) using ipfw fwd.
em1 is attached to the subnet where the web server and proxy server are located. The rule in the firewall is "fwd proxy.host tcp from any to web.host 80 out xmit em1". No other rule with "fwd" exists anywhere else in the firewall. But some packets (2-10%) which don't meet this rule (icmp in the example below), with dst ip of web.host, are also forwarded to proxy.host! Look at an example:
____________________
ping -c 200 81.1.226.245
____________________
tcpdump -e -i em1 -n -c 200 icmp and src host 192.168.234.7 and dst host 81.1.226.245

15:39:56.972906 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:39:57.982569 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:39:58.992741 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:00.002888 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:01.012531 0:4:23:a8:a0:75 0:2:b3:be:cc:7e 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
15:40:02.022757 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:03.032838 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request
15:40:04.042498 0:4:23:a8:a0:75 0:2:b3:be:ce:37 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request

00:02:b3:be:ce:37 - mac of web host
00:02:b3:be:cc:7e - mac of proxy host


>How-To-Repeat:
      
>Fix:
To avoid the problem I use the same rule, but without "out xmit em1"

>Release-Note:
>Audit-Trail:

From: Artem Bokhan <art@academ.org>
To: freebsd-gnats-submit@FreeBSD.org, art@academ.org
Cc:  
Subject: Re: kern/71366: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)
Date: Sat, 4 Sep 2004 20:09:18 +0700

 ipfw2 is used
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Sep 11 23:24:30 GMT 2004 
Responsible-Changed-Why:  
Over to mailing list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71366 
State-Changed-From-To: open->feedback 
State-Changed-By: ae 
State-Changed-When: Wed Jun 1 12:13:05 UTC 2011 
State-Changed-Why:  
Can you still reproduce this on a supported release?  

State-Changed-From-To: feedback->closed 
State-Changed-By: ae 
State-Changed-When: Wed Jun 22 04:55:36 UTC 2011 
State-Changed-Why:  
Feedback timeout. 

>Unformatted:
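
Added example, not part of the original report or of FreeBSD's code: a check that parses old-style `tcpdump -e -n` output like the capture in the description and flags frames sent to a given destination IP whose destination MAC is not the expected one. The function names are hypothetical; the sample lines are copied from the capture in the report.

```python
import re
from collections import Counter

MAC = r"(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}"
# Old-style `tcpdump -e -n` line: time src_mac dst_mac ethertype len: src > dst: ...
LINE_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>{MAC}) (?P<dmac>{MAC}) "
    r"[0-9a-fA-F]{4} \d+: (?P<sip>[\d.]+) > (?P<dip>[\d.]+):"
)

# Sample input: the eight frames (and the marker line) from the report's capture.
_F = "{} 0:4:23:a8:a0:75 {} 0800 98: 192.168.234.7 > 81.1.226.245: icmp: echo request"
WEB, PROXY = "0:2:b3:be:ce:37", "0:2:b3:be:cc:7e"
SAMPLE = [
    _F.format("15:39:56.972906", WEB), _F.format("15:39:57.982569", WEB),
    _F.format("15:39:58.992741", WEB), _F.format("15:40:00.002888", WEB),
    _F.format("15:40:01.012531", PROXY),
    "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^",
    _F.format("15:40:02.022757", WEB), _F.format("15:40:03.032838", WEB),
    _F.format("15:40:04.042498", WEB),
]

def norm_mac(mac):
    """Zero-pad each octet so 0:2:b3:be:ce:37 equals 00:02:b3:be:ce:37."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_misdirected(lines, dst_ip, expected_mac):
    """Return (total frames to dst_ip, [(ts, wrong_mac)], Counter of dst MACs)."""
    expected = norm_mac(expected_mac)
    total, bad, seen = 0, [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dip"] != dst_ip:
            continue  # skip non-frame lines and traffic to other hosts
        total += 1
        dmac = norm_mac(m["dmac"])
        seen[dmac] += 1
        if dmac != expected:
            bad.append((m["ts"], dmac))
    return total, bad, seen

if __name__ == "__main__":
    total, bad, seen = find_misdirected(SAMPLE, "81.1.226.245", "00:02:b3:be:ce:37")
    print(f"{len(bad)}/{total} frames to unexpected MAC ({100 * len(bad) / total:.1f}%)")
    for ts, mac in bad:
        print(ts, mac)
```

Feeding it a longer capture taken on the router's outgoing interface gives the misdirection rate directly, which can be compared before and after changing the fwd rule.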
