ipnat is not working correctly after enabling IP Fastforward. ipmon shows NAT:MAP and NAT:RDR connections but don't seem to work on clients pc's. I couldn't find any solutions at the usual places. Andre Opperman suggested I created this PR. Fix: Disable IP fastforward. sysctl net.inet.ip.fastforwarding=0 How-To-Repeat: Enable IP fastforward. sysctl net.inet.ip.fastforwarding=1
Responsible Changed From-To: freebsd-i386->andre Take over.
This is a very stange problem. Everything works fine with ipfw and pf/nat but not with ipfilter/ipnat. I'm a little bit at loss why ipnat breaks when doing fastforwarding. Need to check with Darren. -- Andre
Do you see any outgoing (NAT'd) traffic? -- Sergey Svishchev
Hi, I submitted this bug 3 years ago! And it's still not working. I see outgoing packets but nothings gets through (timeouts): 17/08/2007 21:08:05.693252 STATE:CLOSE 83.98.233.137,50027 -> 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out 800 Backward: Pkts in 4 Bytes in 535 Pkts out 0 Bytes out 0 17/08/2007 21:08:05.693256 STATE:CLOSE 83.98.233.137,50029 -> 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out 804 Backward: Pkts in 4 Bytes in 536 Pkts out 0 Bytes out 0 17/08/2007 21:08:05.693259 STATE:EXPIRE 218.103.245.251,18652 -> 10.0.1.1,4999 PR udp Forward: Pkts in 1 Bytes in 90 Pkts out 1 Bytes out 90 Backward: Pkts in 0 Bytes in 0 Pkts out 0 Bytes out 0 17/08/2007 21:08:05.751058 STATE:NEW 83.98.233.137,58881 -> 84.53.148.80,80 PR tcp 17/08/2007 21:08:05.794595 STATE:NEW 83.98.233.137,56668 -> 216.205.80.164,80 PR tcp 17/08/2007 21:08:05.837965 STATE:NEW 83.98.233.137,50722 -> 84.53.136.27,80 PR tcp 17/08/2007 21:08:06.195517 STATE:CLOSE 83.98.233.137,50031 -> 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out 804 Backward: Pkts in 4 Bytes in 543 Pkts out 0 Bytes out 0 17/08/2007 21:08:06.695216 STATE:CLOSE 83.98.233.137,50033 -> 69.147.83.33,80 PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 5 Bytes out 801 Backward: Pkts in 4 Bytes in 537 Pkts out 0 Bytes out 0 -----Original Message----- From: Sergey Svishchev [mailto:svs@ropnet.ru] Sent: vrijdag 17 augustus 2007 19:43 To: bug-followup@FreeBSD.org; remy@unix-asp.com Subject: Re: kern/72210 Do you see any outgoing (NAT'd) traffic? -- Sergey Svishchev
tcpdump reports that outgoing (NAT'd) packets have bad checksum... Do you see this, too? -- Sergey Svishchev
ipfilter assumes that checksums will be recalculated later [1]; pf fixes checksums itself. This works around the problem: --- sys/contrib/ipfilter/netinet/ip_nat.c.orig 2005-03-13 21:08:56.000000000 +0300 +++ sys/contrib/ipfilter/netinet/ip_nat.c @@ -2450,7 +2450,7 @@ maskloop: CALC_SUMD(s1, s2, sumd); fix_outcksum(fin, &ip->ip_sum, sumd); } -#if (SOLARIS || defined(__sgi)) || !defined(_KERNEL) +#if (SOLARIS || defined(__sgi)) || defined(__FreeBSD__) || !defined(_KERNEL) else { if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd); [1] http://www.mail-archive.com/ipfilter@coombs.anu.edu.au/msg05755.html -- Sergey Svishchev
Responsible Changed From-To: andre->darren darren is the ipfilter maintainer
Responsible Changed From-To: darren->darrenr mis-transcribed darren's e-mail
I still see this on 7.2-Stable now. Maybe this should be fixed at last? Although I've moved to ipfw nat and don't care anymore. -- Eugene Perevyazko
State Changed From-To: open->open commit bit has been taken in for safekeeping.
Responsible Changed From-To: darrenr->freebsd-net
Responsible Changed From-To: freebsd-net->cy Mine.
A commit references this bug: Author: cy Date: Sun Dec 20 18:02:13 UTC 2015 New revision: 292518 URL: https://svnweb.freebsd.org/changeset/base/292518 Log: Don't assume checksums will be calculated later when fastfoward is enabled (by default in r290383). PR: 72210 MFC after: 1 week Changes: head/sys/contrib/ipfilter/netinet/ip_nat.c
A commit references this bug: Author: cy Date: Sun Dec 27 23:25:21 UTC 2015 New revision: 292811 URL: https://svnweb.freebsd.org/changeset/base/292811 Log: MFC r292518. Don't assume checksums will be calculated later when fastfoward is enabled (by default in r290383). PR: 72210 Changes: _U stable/10/ stable/10/sys/contrib/ipfilter/netinet/ip_nat.c
Fixed.
A commit references this bug: Author: cy Date: Wed Mar 16 02:01:17 UTC 2016 New revision: 296924 URL: https://svnweb.freebsd.org/changeset/base/296924 Log: Don't assume checksums will be calculated later when fastfoward is enabled. This is a direct commit to the stable/9 because this branch uses ipfilter 4.1.28 whereas head has ipfilter 5.1.2. This corresponds to r292518 and r292813 in head and r292979 and r292811 in stable/10. PR: 72210 Changes: stable/9/sys/contrib/ipfilter/netinet/ip_nat.c