Hi, sorry for my english, but there was a problem when testing FreeBSD 11 with IPFW NAT. There rc.firewall configuration rules, which FreeBSD 10{0,1,2,3} works without problems rc.firewall ... ${fwcmd} nat 1 config log ip xx.yy.zz.254 reset same_ports deny_in unreg_only ${fwcmd} nat 2 config log ip xx.yy.zz.253 reset same_ports deny_in unreg_only ${fwcmd} nat 3 config log ip xx.yy.zz.252 reset same_ports deny_in unreg_only ${fwcmd} nat 4 config log ip xx.yy.zz.251 reset same_ports deny_in unreg_only ${fwcmd} nat 5 config log ip xx.yy.zz.250 reset same_ports deny_in unreg_only ... ${fwcmd} add 10000 nat tablearg ip4 from not me to table\(3\) in recv vlan0 ... ${fwcmd} add 15000 nat tablearg ip4 from table\(4\) to not me out xmit vlan0 ... ${fwcmd} table 3 add xx.yy.zz.254/32 1 ${fwcmd} table 3 add xx.yy.zz.253/32 2 ${fwcmd} table 3 add xx.yy.zz.252/32 3 ${fwcmd} table 3 add xx.yy.zz.251/32 4 ${fwcmd} table 3 add xx.yy.zz.250/32 5 ... ${fwcmd} table 4 add 10.11.0.0/22 1 ${fwcmd} table 4 add 10.11.4.0/22 2 ${fwcmd} table 4 add 10.11.8.0/22 3 ${fwcmd} table 4 add 10.11.12.0/22 4 ${fwcmd} table 4 add 10.11.16.0/22 5 when viewing the rules in FreeBSD 10.3 command: ipfw list, result: ... 10000 nat tablearg ip4 from not me to table(3) in recv vlan0 ... 15000 nat tablearg ip4 from table(4) to not me out xmit vlan0 ... but in freebsd 11 result: ... 10000 nat global ip4 from not me to table(3) in recv vlan0 ... 15000 nat global ip4 from table(4) to not me out xmit vlan0 and IPFW NAT don't work This is a BUG or a new mechanism of work IPFW NAT in FreeBSD 11?
Created attachment 173458 [details] Proposed patch Can you test this patch? You need to rebuild ipfw module or kernel (if it is build in) and ipfw(8). To rebuild sbin/ipfw you can use the following commands: # cd /path/to/src # make DEBUG_FLAGS=-I`pwd`/sys -C sbin/ipfw all install
Andrey, this patch works on FreeBSD 11.0-BETA4 FreeBSD 11.0-BETA4 #1 r303901M: Wed Aug 10 15:34:23 MSK 2016 Thanks
A commit references this bug: Author: ae Date: Thu Aug 11 10:10:11 UTC 2016 New revision: 303955 URL: https://svnweb.freebsd.org/changeset/base/303955 Log: Restore "nat global" support. Now zero value of arg1 used to specify "tablearg", use the old "tablearg" value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace hardcoded magic number to specify "nat global". Also replace 65535 magic number with corresponding macro. Fix typo in comments. PR: 211256 Tested by: Victor Chernov MFC after: 3 days Changes: head/sbin/ipfw/ipfw2.c head/sys/netinet/ip_fw.h head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_sockopt.c
A commit references this bug: Author: ae Date: Sun Aug 14 14:50:33 UTC 2016 New revision: 304079 URL: https://svnweb.freebsd.org/changeset/base/304079 Log: MFC r303955: Restore "nat global" support. Now zero value of arg1 used to specify "tablearg", use the old "tablearg" value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace hardcoded magic number to specify "nat global". Also replace 65535 magic number with corresponding macro. Fix typo in comments. PR: 211256 Changes: _U stable/11/ stable/11/sbin/ipfw/ipfw2.c stable/11/sys/netinet/ip_fw.h stable/11/sys/netpfil/ipfw/ip_fw2.c stable/11/sys/netpfil/ipfw/ip_fw_sockopt.c
A commit references this bug: Author: ae Date: Sun Aug 14 16:32:24 UTC 2016 New revision: 304084 URL: https://svnweb.freebsd.org/changeset/base/304084 Log: Merge from stable/11 r304079: Restore "nat global" support. Now zero value of arg1 used to specify "tablearg", use the old "tablearg" value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace hardcoded magic number to specify "nat global". Also replace 65535 magic number with corresponding macro. Fix typo in comments. PR: 211256 Approved by: re (kib) Changes: _U releng/11.0/ releng/11.0/sbin/ipfw/ipfw2.c releng/11.0/sys/netinet/ip_fw.h releng/11.0/sys/netpfil/ipfw/ip_fw2.c releng/11.0/sys/netpfil/ipfw/ip_fw_sockopt.c
Fixed in head/, stable/11 and releng/11.0. Thanks!