Bug 18938

Summary: ipnat fails on dynamically created interfaces (e.g. tun)
Product: Base System Reporter: vons <vons>
Component: kernAssignee: Darern Reed <darrenr>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.0-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description vons 2000-06-01 12:20:01 UTC 
Connections to the internet from any system on my local network fail,
"tcpdump -i tun0" on the firewall shows that the packets going out of
the firewall don't have their source addresses translated.

Digging around in the ipnat code shows that when the nat rules are loaded
at boot time, the in_ifp is set to (void*)-1 since the tun0 interface
doesn't actually exist yet.

Later on, when the tun device is created when ppp is started for the first
time, the rules aren't updated and thus fail to match the outgoing packets.

After flushing and re-loading the nat rules, things start working as
expected since the interface now exists when the rules are added.

Maybe ipnat needs the equivalent of "ipf -y", or is the kernel able to
inform ipfilter/ipnat that a new dynamic interface has been created?

Note that this problem also occurs on my laptop (FreeBSD 3.4 + PAO +
fbsd3.4's ipfilter). When booting, the ed0 device does not exist,
so when the pcmcia network card is inserted after ipnat has started,  
no address translation takes place. Again, reloading the ipnat rules     
after ed0 has been created fixes the problem.

Fix: A work-around is to reload the ipnat rules once the network device
has been created.
An alternative is the following patch (for ipfilter 3.3.16):

-----8<-----
How-To-Repeat: 1) reboot the system (removes any existing tun0 device)

   "ipnat -l" shows that the nat rule has been installed
   but "ifconfig -a" doesn't list the tun0 device yet.        

2) start ppp (creates the tun0 device).

3) try to connect from the private lan to the internet.
   "tcpdump -i tun0" shows that packets are going out with
   10.0.1.x as source address, i.e. untranslated.

4) after flushing and re-loading the nat rules, everything is fine.
Comment 1 Darern Reed freebsd_committer freebsd_triage 2000-09-17 09:39:53 UTC 
Responsible Changed
From-To: freebsd-bugs->darrenr

darrenr is responsible for ipnat
Comment 2 darrenr 2000-09-17 09:53:47 UTC 
If you backout the patch you posted and instead run "ipf -y" after the
tun0 interface has been
brought up, does that solve your problem ?
Comment 3 Darern Reed freebsd_committer freebsd_triage 2000-09-17 10:16:41 UTC 
State Changed
From-To: open->closed

this problem has been resolved.