Bug 213154 - [patch] allow ipfw nat single pass with ipfw netgraph multi pass
Summary: [patch] allow ipfw nat single pass with ipfw netgraph multi pass
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.0-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ipfw (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-10-02 05:06 UTC by John Zielinski
Modified: 2022-10-17 12:36 UTC

See Also:


Attachments
Proposed patch (1.07 KB, patch)
2016-10-02 05:06 UTC, John Zielinski
no flags

Description John Zielinski 2016-10-02 05:06:56 UTC
Created attachment 175361
Proposed patch

It is very difficult to get ipfw nat to work with a stateful firewall (keep-state and check-state) in multi pass mode. The issue is that the state rules have to come after the nat rules. This makes keep-state see the external IP while check-state sees the internal IP, and it doesn't work. It's easier just to use single pass.

Unfortunately you can't use single pass with certain netgraph nodes like tcpmss.  The packets need to come back.

So I propose we add an additional net.inet.ip.fw.one_pass_nat knob to enable one pass nat when net.inet.ip.fw.one_pass is set to 0 for netgraph, pipes and queues.
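The ordering problem described above, traced through a small constructed model (an added illustration, not code from the report or from ipfw): the addresses are made up, `nat` rewrites the source on the way out and the destination on the way in, and with `one_pass=0` the nat action falls through to the next rule instead of ending processing.

```python
# Constructed, deliberately simplified model of ipfw rule walking. It models
# only the rule-order issue in the report, not libalias or real ipfw syntax.
INT_IP, EXT_IP, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed

def nat(pkt, direction):
    """Source rewrite on the way out, destination rewrite on the way in."""
    if direction == "out" and pkt["src"] == INT_IP:
        return {**pkt, "src": EXT_IP}
    if direction == "in" and pkt["dst"] == EXT_IP:
        return {**pkt, "dst": INT_IP}
    return pkt

def walk(rules, pkt, direction, state, one_pass):
    """First terminal rule wins. Returns (verdict, key that check-state looked up)."""
    looked_up = None
    for rule in rules:
        if rule == "nat":
            pkt = nat(pkt, direction)
            if one_pass:              # nat ends processing in single-pass mode
                return "accept", looked_up
            # one_pass=0: fall through to the next rule with the rewritten packet
        elif rule == "check-state":
            looked_up = (pkt["src"], pkt["dst"])
            if looked_up in state or looked_up[::-1] in state:
                return "accept", looked_up
        elif rule == "allow-out-keep-state" and direction == "out":
            state.add((pkt["src"], pkt["dst"]))   # state keyed on what nat left
            return "accept", looked_up
    return "deny", looked_up

def multipass_session(rules):
    """One outbound packet, then its reply, under one_pass=0."""
    state = set()
    walk(rules, {"src": INT_IP, "dst": REMOTE}, "out", state, one_pass=False)
    reply = {"src": REMOTE, "dst": EXT_IP}
    verdict, key = walk(rules, reply, "in", state, one_pass=False)
    return verdict, sorted(state), key

# nat first, state rules after it, the order the report says multi-pass forces
RULES = ["nat", "check-state", "allow-out-keep-state"]

if __name__ == "__main__":
    verdict, state, key = multipass_session(RULES)
    print("state entries:  ", state)    # keep-state recorded the external address
    print("check-state key:", key)      # the reply is checked with the internal address
    print("reply verdict:  ", verdict)  # deny: the two never match
```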
Comment 1 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:36:53 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>