Date: Thu, 30 Sep 2004 18:47:26 GMT
From: Remy de Ruysscher <remy@unix-asp.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipnat problem  with IP Fastforward enabled
X-Send-Pr-Version: www-2.3

>Number:         72210
>Category:       kern
>Synopsis:       [ipfilter] ipnat problem  with IP Fastforward enabled
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 30 18:50:11 GMT 2004
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:16:43 UTC 2013
>Originator:     Remy de Ruysscher
>Release:        FreeBSD 5.3-BETA6
>Organization:
>Environment:
FreeBSD defiant.unix-asp.com 5.3-BETA6 FreeBSD 5.3-BETA6 #5: Mon Sep 27 01:04:37 CEST 2004     root@defiant.unix-asp.com:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
ipnat is not working correctly after enabling IP Fastforward. 
ipmon shows NAT:MAP and NAT:RDR connections, but they don't seem to work on client PCs.

I couldn't find any solutions at the usual places. Andre Oppermann suggested I create this PR.
>How-To-Repeat:
Enable IP fastforward. sysctl net.inet.ip.fastforwarding=1 
>Fix:
Disable IP fastforward. sysctl net.inet.ip.fastforwarding=0
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->andre 
Responsible-Changed-By: andre 
Responsible-Changed-When: Thu Sep 30 21:26:52 GMT 2004 
Responsible-Changed-Why:  
Take over. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72210 

From: Andre Oppermann <andre@freebsd.org>
To: freebsd-gnats-submit@FreeBSD.org, remy@unix-asp.com
Cc:  
Subject: Re: kern/72210: ipnat problem  with IP Fastforward enabled
Date: Thu, 14 Oct 2004 22:03:30 +0200

 This is a very strange problem.  Everything works fine with ipfw and pf/nat
 but not with ipfilter/ipnat.  I'm a little bit at a loss why ipnat breaks
 when doing fastforwarding.  Need to check with Darren.
 
 -- 
 Andre
 

From: Sergey Svishchev <svs@ropnet.ru>
To: bug-followup@FreeBSD.org, remy@unix-asp.com
Cc:  
Subject: Re: kern/72210
Date: Fri, 17 Aug 2007 21:43:22 +0400

 Do you see any outgoing (NAT'd) traffic?
 
 -- 
 Sergey Svishchev

From: "Remy de Ruysscher" <remy@unix-asp.com>
To: "'Sergey Svishchev'" <svs@ropnet.ru>,
	<bug-followup@FreeBSD.org>
Cc:  
Subject: RE: kern/72210
Date: Fri, 17 Aug 2007 21:09:29 +0200

 Hi,
 
 I submitted this bug 3 years ago! And it's still not working.
 
 I see outgoing packets but nothing gets through (timeouts):
 
 17/08/2007 21:08:05.693252 STATE:CLOSE 83.98.233.137,50027 ->
 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out
 800 Backward: Pkts in 4 Bytes in 535 Pkts           out 0 Bytes out 0
 17/08/2007 21:08:05.693256 STATE:CLOSE 83.98.233.137,50029 ->
 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out
 804 Backward: Pkts in 4 Bytes in 536 Pkts           out 0 Bytes out 0
 17/08/2007 21:08:05.693259 STATE:EXPIRE 218.103.245.251,18652 ->
 10.0.1.1,4999 PR udp Forward: Pkts in 1 Bytes in 90 Pkts out 1 Bytes out 90
 Backward: Pkts in 0 Bytes in 0 Pkts           out 0 Bytes out 0
 17/08/2007 21:08:05.751058 STATE:NEW 83.98.233.137,58881 -> 84.53.148.80,80
 PR tcp
 17/08/2007 21:08:05.794595 STATE:NEW 83.98.233.137,56668 ->
 216.205.80.164,80 PR tcp
 17/08/2007 21:08:05.837965 STATE:NEW 83.98.233.137,50722 -> 84.53.136.27,80
 PR tcp
 17/08/2007 21:08:06.195517 STATE:CLOSE 83.98.233.137,50031 ->
 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out
 804 Backward: Pkts in 4 Bytes in 543 Pkts           out 0 Bytes out 0
 17/08/2007 21:08:06.695216 STATE:CLOSE 83.98.233.137,50033 ->
 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out
 801 Backward: Pkts in 4 Bytes in 537 Pkts           out 0 Bytes out 0
 
 

From: Sergey Svishchev <svs@ropnet.ru>
To: bug-followup@FreeBSD.org,  remy@unix-asp.com
Cc:  
Subject: Re: kern/72210
Date: Mon, 20 Aug 2007 18:28:30 +0400

 tcpdump reports that outgoing (NAT'd) packets have a bad checksum...  Do you 
 see this, too?
 
 -- 
 Sergey Svishchev

From: Sergey Svishchev <svs@ropnet.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/72210
Date: Fri, 14 Sep 2007 22:19:32 +0400

 ipfilter assumes that checksums will be recalculated later [1];
 pf fixes checksums itself.
 
 This works around the problem:
 
 --- sys/contrib/ipfilter/netinet/ip_nat.c.orig	2005-03-13 21:08:56.000000000 +0300
 +++ sys/contrib/ipfilter/netinet/ip_nat.c
 @@ -2450,7 +2450,7 @@ maskloop:
  			CALC_SUMD(s1, s2, sumd);
  			fix_outcksum(fin, &ip->ip_sum, sumd);
  		}
 -#if (SOLARIS || defined(__sgi)) || !defined(_KERNEL)
 +#if (SOLARIS || defined(__sgi)) || defined(__FreeBSD__) || !defined(_KERNEL)
  		else {
  			if (nat->nat_dir == NAT_OUTBOUND)
  				fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
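Review bot: the changed `#if` line turns this `else` branch on for every FreeBSD kernel build, not only when net.inet.ip.fastforwarding is set, and the hunk carries no comment saying why FreeBSD joins SOLARIS and __sgi here. Add a comment above the `#if` tying it to this PR, and confirm that applying nat->nat_ipsumd to ip->ip_sum is harmless on the normal forwarding path, where per the message the checksum is expected to be recalculated later anyway. Only the NAT_OUTBOUND case is visible in the context lines; the report mentions NAT:RDR as well as NAT:MAP, so check that the inbound direction in the rest of the branch is handled by the same condition.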
 
 
 [1] http://www.mail-archive.com/ipfilter@coombs.anu.edu.au/msg05755.html
 
 -- 
 Sergey Svishchev
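The failure mode described in the message above, as an added example (not code from ipfilter, pf or this PR): a NAT rewrite that leaves the IPv4 header checksum for a later stage yields a header that receivers reject if no later stage runs, while an incremental RFC 1624 update at rewrite time keeps it valid. The header bytes, the addresses and all function names are constructed for illustration.

```c
#include <stdint.h>

static uint16_t fold(uint32_t s)               /* end-around carry */
{
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* RFC 1071 Internet checksum over a header of len bytes (len even). */
static uint16_t ip_cksum(const uint8_t *h, int len)
{
    uint32_t sum = 0;
    for (int i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(h[i] << 8 | h[i + 1]);
    return (uint16_t)~fold(sum);
}

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') for one replaced 16-bit word. */
static uint16_t fix_word(uint16_t hc, uint16_t cur, uint16_t repl)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~cur + repl);
}

/* Rewrite source address (bytes 12..15); patch ip_sum (bytes 10..11) only if asked. */
static void nat_rewrite_src(uint8_t *h, const uint8_t *src, int fix_cksum)
{
    uint16_t hc = (uint16_t)(h[10] << 8 | h[11]);
    for (int i = 12; i < 16; i += 2, src += 2) {
        if (fix_cksum)
            hc = fix_word(hc, (uint16_t)(h[i] << 8 | h[i + 1]),
                          (uint16_t)(src[0] << 8 | src[1]));
        h[i] = src[0]; h[i + 1] = src[1];
    }
    h[10] = (uint8_t)(hc >> 8); h[11] = (uint8_t)hc;
}

/* Constructed 10.0.1.1 -> 198.51.100.7 header, NATed to 192.0.2.1; 1 = receiver accepts. */
static int forwarded_header_valid(int fix_cksum)
{
    uint8_t h[20] = { 0x45, 0, 0, 40, 0x12, 0x34, 0x40, 0, 64, 6, 0, 0,
                      10, 0, 1, 1, 198, 51, 100, 7 };
    const uint8_t pub[4] = { 192, 0, 2, 1 };
    uint16_t hc = ip_cksum(h, 20);
    h[10] = (uint8_t)(hc >> 8); h[11] = (uint8_t)hc;
    nat_rewrite_src(h, pub, fix_cksum);
    return ip_cksum(h, 20) == 0;               /* receiver-side verification */
}
/* Exit status 0 when the fixed header verifies and the unfixed one does not. */
int main(void) { return !(forwarded_header_valid(1) && !forwarded_header_valid(0)); }
```

This covers only the IPv4 header checksum (`ip_sum`), the field the patch touches; TCP and UDP checksums include the addresses through the pseudo-header and need the same kind of adjustment.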
Responsible-Changed-From-To: andre->darren 
Responsible-Changed-By: kmacy 
Responsible-Changed-When: Thu Nov 15 23:15:28 UTC 2007 
Responsible-Changed-Why:  

darren is the ipfilter maintainer 

Responsible-Changed-From-To: darren->darrenr 
Responsible-Changed-By: kmacy 
Responsible-Changed-When: Thu Nov 15 23:16:32 UTC 2007 
Responsible-Changed-Why:  

mis-transcribed darren's e-mail 


From: Eugene Perevyazko <john@dnepro.net>
To: bug-followup@FreeBSD.org, remy@unix-asp.com
Cc:  
Subject: Re: kern/72210: ipnat problem  with IP Fastforward enabled
Date: Tue, 23 Mar 2010 14:04:43 +0200

 I still see this on 7.2-Stable now.
 Maybe this should be fixed at last?
 Although I've moved to ipfw nat and don't care anymore.
 
 -- 
 Eugene Perevyazko
State-Changed-From-To: open->open 
State-Changed-By: linimon 
State-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
State-Changed-Why:  
commit bit has been taken in for safekeeping. 


Responsible-Changed-From-To: darrenr->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
Responsible-Changed-Why:  

Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:16:26 UTC 2013 
Responsible-Changed-Why:  
Mine. 

>Unformatted:
This sounds like it is really an ipfilter issue.
