Bug 240400 - ipnat not working some time after a lot of calls to the "map" or "rdr" rules (drop packets)
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.2-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Cy Schubert
URL:
Keywords:
Depends on: 208566
Blocks:
Reported: 2019-09-07 23:11 UTC by DYM
Modified: 2019-09-10 16:03 UTC
Description DYM 2019-09-07 23:11:55 UTC
# uname -a
FreeBSD test 11.2-RELEASE-p14 FreeBSD 11.2-RELEASE-p14 #0 r351966: Sat Sep  7 01:29:14 CEST 2019 GENERIC  amd64

# cat messages | grep "IP Filter"
kernel: IP Filter: v5.1.2 initialized.  Default = pass all, Logging = enabled 

# cat ipf.rules
pass in quick all
pass out quick all

# cat ipnat.rules
rdr igb0 xxx.xxx.xxx.xxx/32 port 80 -> yyy.yyy.yyy.yyy port 80
rdr igb0 xxx.xxx.xxx.xxx/32 port 443 -> yyy.yyy.yyy.yyy port 443
map igb0 xxx.xxx.xxx.xxx/32 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32 proxy port ftp ftp/tcp
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32 portmap tcp/udp 40000:50000
map igb0 yyy.yyy.yyy.0/24 -> xxx.xxx.xxx.xxx/32

xxx.xxx.xxx.xxx -- IP on WAN interface igb0
yyy.yyy.yyy.yyy -- IP on LAN machine with http service
yyy.yyy.yyy.0/24 -- LAN

Some time after a lot of calls to the map rules:
# ipfstat | egrep 'NAT failure'
158	input block reason IPv4 NAT failure
0	input block reason IPv6 NAT failure
0	output block reason IPv4 NAT failure
0	output block reason IPv6 NAT failure

Some time after a lot of calls to the rdr rules:
# ipfstat | egrep 'NAT failure'
159	input block reason IPv4 NAT failure
0	input block reason IPv6 NAT failure
267	output block reason IPv4 NAT failure
0	output block reason IPv6 NAT failure

It is present both with the GENERIC kernel and a freshly installed system, and with a rebuilt kernel and world.
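A small monitoring check for the symptom described above (an added example, not part of the bug report): it parses two `ipfstat | egrep 'NAT failure'` snapshots, here constructed from the counters quoted in the description, and reports which counters grew, so the silent drops are noticed from the firewall side rather than from user complaints.

```python
import re

# Constructed input: the two ipfstat snapshots quoted in the bug description.
BEFORE = (
    "158\tinput block reason IPv4 NAT failure\n"
    "0\tinput block reason IPv6 NAT failure\n"
    "0\toutput block reason IPv4 NAT failure\n"
    "0\toutput block reason IPv6 NAT failure\n"
)
AFTER = (
    "159\tinput block reason IPv4 NAT failure\n"
    "0\tinput block reason IPv6 NAT failure\n"
    "267\toutput block reason IPv4 NAT failure\n"
    "0\toutput block reason IPv6 NAT failure\n"
)

# One counter line: "<count><whitespace><direction> block reason <family> NAT failure"
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(input|output) block reason (IPv4|IPv6) NAT failure\s*$"
)


def parse_nat_failures(text):
    """Map (direction, family) -> cumulative drop count, ignoring unrelated lines."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[(m.group(2), m.group(3))] = int(m.group(1))
    return counters


def nat_failure_growth(before, after):
    """Return only the counters that increased between two snapshots.

    ipfstat counters are cumulative, so a positive delta means packets were
    dropped for 'NAT failure' between the two samples; no delta is healthy.
    """
    old = parse_nat_failures(before)
    new = parse_nat_failures(after)
    return {key: new[key] - old.get(key, 0)
            for key in new if new[key] > old.get(key, 0)}


def format_alerts(before, after):
    """Human-readable lines suitable for a cron mail or a syslog entry."""
    return ["ipnat: %s %s NAT failures increased by %d" % (fam, direction, delta)
            for (direction, fam), delta in sorted(nat_failure_growth(before, after).items())]


if __name__ == "__main__":
    for line in format_alerts(BEFORE, AFTER):
        print(line)
```

In practice the two snapshots would be taken a few minutes apart from the live `ipfstat` output; the sample here reproduces the 1 input and 267 output drops seen in the report.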
Comment 1 Cy Schubert freebsd_committer 2019-09-10 02:52:54 UTC
ipnat -lv output, please.
Comment 2 Cy Schubert freebsd_committer 2019-09-10 03:12:39 UTC
11.2-RELEASE does not have r338047, the bucket index fix. Update to 11.3-STABLE first, please. Or see PR/208566 for the fix.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-10 03:45:15 UTC
(In reply to Cy Schubert from comment #2)

Is this then effectively Closed->FIXED (committed in head, merged to affected stable branches, to come in next -RELEASE)?

It's fine not to keep issues Open until -RELEASE time, unless the issue is also an EN candidate and that hasn't been released to users yet.
Comment 4 Cy Schubert freebsd_committer 2019-09-10 03:55:41 UTC
Yes, this was fixed in HEAD by r338047 on Aug 18, 2018. MFCed to 12-STABLE and 11-STABLE by r338171 three days later. It was included in releases/11.3.0 when it was branched. It will never be merged back into releng/11.2.

The user may apply the patch from PR/208566 himself or it is recommended he update to 11-STABLE, which contains all the latest patches to HEAD (except VIMAGE).