>Number: 148827
>Category: kern
>Synopsis: [ipfw] divert broken with in-kernel ipfw
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 21 21:40:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Spil
>Release: 8.1 Release
>Organization:
>Environment:
FreeBSD gw.example.org 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Wed Jul 21 06:55:14 CEST 2010
>Description:
Migrating from 8.0 to 8.1 using a recipe similar to http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html "30.6.5.7 An Example NAT and Stateful Ruleset" breaks NAT

The culprits are the ipfw rules
$cmd 100 divert natd ip from any to any in via $pif
$cmd 500 divert natd ip from any to any out via $pif
This no longer results in the NATting as on 8.0
As of 8.1 it must be
$cmd 100 divert natd ip4 from any to any in via $pif
$cmd 500 divert natd ip4 from any to any out via $pif

man-page specifically states for proto
ip | all
Matches any packet.
but obviously for 8.1 it doesn't (in a divert rule?)
>How-To-Repeat:
In-kernel ipfw
Usage of natd proto 'ip' in the rule body
>Fix:
change proto from ip to ip4 in divert natd ipfw rules
>Release-Note:
>Audit-Trail:
>Unformatted:
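
An added example, not part of the original report: a small audit for rules scripts being carried from 8.0 to 8.1, which lists divert rules whose protocol field is `ip` and rewrites only that field to `ip4`. The function names and the sample ruleset are constructed for illustration; the script also assumes an optional `log [logamount N]` may sit between the divert target and the protocol.

```shell
#!/bin/sh
# Added example: find and fix divert rules that use proto "ip" (see report above).

# Shared awk helper (hypothetical name): returns the field index of the
# protocol keyword when the line is a divert rule with proto "ip", else 0.
DIVERT_AWK='
function proto_idx(   i, p) {
    if ($1 ~ /^#/) return 0              # skip comment lines
    for (i = 1; i <= NF; i++) if ($i == "divert") break
    if (i > NF) return 0                 # not a divert rule
    p = i + 2                            # skip "divert" and its port/service
    if ($p == "log") {                   # optional: log [logamount N]
        p++
        if ($p == "logamount") p += 2
    }
    if ($p == "ip" && $(p + 1) == "from") return p
    return 0
}'

# Print "LINE: rule" for every affected divert rule read from stdin.
find_divert_ip() {
    awk "$DIVERT_AWK"' { if (proto_idx()) print NR ": " $0 }'
}

# Copy stdin to stdout, changing proto "ip" to "ip4" in affected divert
# rules only. Rewritten lines have their whitespace collapsed to single spaces.
fix_divert_ip() {
    awk "$DIVERT_AWK"' { p = proto_idx(); if (p) $p = "ip4"; print }'
}

# Constructed sample ruleset, modelled on the rules quoted in the report.
sample_rules() {
cat <<'EOF'
# constructed sample ruleset
$cmd 100 divert natd ip from any to any in via $pif
$cmd 200 check-state
$cmd 300 allow tcp from any to any 22 in via $pif setup keep-state
$cmd 500 divert natd ip4 from any to any out via $pif
$cmd 600 divert natd log ip from any to any out via $pif
EOF
}

# Stand-alone run: list the rules that would need the ip -> ip4 change.
sample_rules | find_divert_ip
```

Run `find_divert_ip < your-rules-file` before an upgrade to see which rules are affected, and review the output of `fix_divert_ip` before installing it.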