>Number:         150798
>Category:       kern
>Synopsis:       ipfw2 fwd rule matches packets but does not do the job in fact.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 21 21:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Andrey Voitenkov
>Release:        tag=RELENG_8_1 date=2010.08.08.00.00.00
>Organization:
>Environment:
FreeBSD thin.XXX.ua 8.1-RELEASE FreeBSD 8.1-RELEASE #1: Tue Aug 24 18:08:01 EEST 2010     r...@thin.xxx.ua:/usr/obj/usr/src/sys/THIN  amd64
>Description:
I have faced a strange issue: the fwd rule matches packets but does not actually do the job.

The test host has 2 active interfaces: fxp0 with 10.0.1.115/24 and em0 with 10.0.0.66/24. The default route is set to 10.0.1.1. There is also a router, 10.0.0.1, available via em0.

The ruleset:

# ipfw -d show
00050          0            0 allow ip from any to any via lo0
00055          0            0 allow ip6 from any to any via lo0
00200          4          220 skipto 700 log logamount 100 tag 1 ip from any to any dst-ip 10.0.0.66 in
00210          8          440 skipto 700 log logamount 100 tag 1 ip from any to any src-ip 10.0.0.66 out
00300          0            0 allow icmp from any to any
00600         19         1540 allow tcp from any to me dst-port 22 in
00610         17         1932 allow tcp from me 22 to any out
00700          0            0 check-state
00710          5          240 deny log logamount 100 tcp from any to any established
00720          2          120 skipto 2000 log logamount 100 ip from any to any tagged 1
00800          0            0 allow tcp from me to any out setup keep-state
00810          0            0 allow udp from me to any out keep-state
00820          0            0 allow tcp from any to 10.0.1.115 dst-port 80 in setup keep-state
00830          0            0 allow tcp from any to 10.0.1.115 dst-port 21 in setup keep-state
01000         11          528 skipto 65000 log logamount 100 ip from any to any
02000          0            0 skipto 60000 log logamount 100 tcp from me to any out setup keep-state
02010          0            0 skipto 60000 log logamount 100 udp from me to any out keep-state
02020          0            0 skipto 60000 log logamount 100 icmp from any to any keep-state
02030          4          240 skipto 60000 log logamount 100 tcp from any to me dst-port 25,465,587 in setup keep-state
02040          3          180 skipto 60000 log logamount 100 tcp from any to me dst-port 143,993 in setup keep-state
03000          0            0 skipto 65000 log logamount 100 ip from any to any
60000          7          420 count ip from any to any
60010          3          180 allow log logamount 100 ip from any to any in tagged 1
60020          4          240 fwd 10.0.0.1 log logamount 100 ip from 10.0.0.66 to any out
65000         11          528 deny log logamount 100 ip from any to any
65001          0            0 deny ip6 from any to any
65535  348792682 269452781083 allow ip from any to any
## Dynamic rules (2):
02030          3          180 (298s) STATE tcp 192.168.0.86 39598 <-> 10.0.0.66 465
02040          2          120 (300s) STATE tcp 91.215.8.2 55670 <-> 10.0.0.66 143

-----------------------------------------------------------------

When trying to connect to 10.0.0.66 port 465 (exim is up and running) from host 192.168.0.86, ipfw.log looks exactly as I expected:

Sep 21 23:46:31 thin kernel: ipfw: 200 SkipTo 700 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:31 thin kernel: ipfw: 720 SkipTo 2000 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:31 thin kernel: ipfw: 2030 SkipTo 60000 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:31 thin kernel: ipfw: 60010 Accept TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:31 thin kernel: ipfw: 210 SkipTo 700 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:31 thin kernel: ipfw: 2030 SkipTo 60000 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:31 thin kernel: ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:34 thin kernel: ipfw: 200 SkipTo 700 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:34 thin kernel: ipfw: 2030 SkipTo 60000 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:34 thin kernel: ipfw: 60010 Accept TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:34 thin kernel: ipfw: 210 SkipTo 700 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:34 thin kernel: ipfw: 2030 SkipTo 60000 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:34 thin kernel: ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:37 thin kernel: ipfw: 200 SkipTo 700 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:37 thin kernel: ipfw: 2030 SkipTo 60000 TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:37 thin kernel: ipfw: 60010 Accept TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:37 thin kernel: ipfw: 210 SkipTo 700 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:37 thin kernel: ipfw: 2030 SkipTo 60000 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:37 thin kernel: ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0

-----------------------------------------------------------------

But the client does not get a response from the test host. In spite of the fact that rule 60020 matches the ACKs, I still see them on fxp0 going out to the default gw:

# tcpdump -n -i em0 src 192.168.0.86 or dst 192.168.0.86
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
23:46:31.188517 IP 192.168.0.86.39598 > 10.0.0.66.465: Flags [S], seq 579129109, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2443437844 ecr 0], length 0
23:46:34.188457 IP 192.168.0.86.39598 > 10.0.0.66.465: Flags [S], seq 579129109, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2443440844 ecr 0], length 0
23:46:37.388808 IP 192.168.0.86.39598 > 10.0.0.66.465: Flags [S], seq 579129109, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2443444044 ecr 0], length 0

# tcpdump -n -i fxp0 src 192.168.0.86 or dst 192.168.0.86
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
23:46:31.188609 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], seq 1231665894, ack 579129110, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 3020614121 ecr 2443437844], length 0
23:46:34.188526 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], seq 1231665894, ack 579129110, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 3020614121 ecr 2443440844], length 0
23:46:37.188384 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], seq 1231665894, ack 579129110, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 3020614121 ecr 2443440844], length 0

-----------------------------------------------------------------

I tried a couple of variations of rule 60020:

fwd 10.0.0.1 log logamount 100 src-ip 10.0.0.66 out
fwd 10.0.0.1 log logamount 100 tagged 1 out

The result is exactly the same.

At the same time this 60020 rule works fine for outgoing connections from the test host:

% telnet -s 10.0.0.66 192.168.0.86 25
Trying 192.168.0.86...
Connected to 192.168.0.86.
Escape character is '^]'.
^C

Outgoing packets are matched and forwarded as expected.

-----------------------------------------------------------------

fwd works OK with a very simple ruleset in the same test case:

00050        490       363540 allow ip from any to any via lo0
00055          0            0 allow ip6 from any to any via lo0
00100        596       240883 fwd 10.0.0.1 ip from 10.0.0.66 to any out xmit fxp0
65535  348794572 269453265568 allow ip from any to any

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
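The following Python script is an added example, not part of the report or of FreeBSD; it automates the cross-check the reporter does by hand above. It pairs every ipfw "Forward to" log line with the tcpdump capture in which the same packet (same second, same src:port > dst:port) appears, and flags packets that were transmitted on an interface other than the one that reaches the fwd next hop. The sample log and capture lines are shortened copies of those in the report; the next-hop-to-interface map is an assumption taken from the report's topology description (10.0.0.1 via em0, default gateway 10.0.1.1 via fxp0); function names such as check_forwards are this example's own.

```python
"""Cross-check ipfw 'Forward to' log lines against per-interface tcpdump output.

For each packet a fwd rule claims to have matched, find the interface that
actually transmitted it and compare it with the interface reaching the next hop.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Syslog prefix, e.g. "Sep 21 23:46:31 thin kernel: ..."
SYSLOG_TS_RE = re.compile(r"^\w{3} +\d{1,2} (?P<ts>\d\d:\d\d:\d\d) ")
# ipfw log body, e.g. "ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>.+?) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+:\d+) (?P<dst>[\d.]+:\d+) (?P<dir>in|out) via (?P<iface>\w+)"
)
# tcpdump -n line, e.g. "23:46:31.188609 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


class Forward(NamedTuple):
    ts: str         # HH:MM:SS from the syslog prefix
    rule: str       # ipfw rule number that matched
    next_hop: str   # address after "Forward to"
    flow: str       # "src:port>dst:port"
    log_iface: str  # interface ipfw reported in the log line


def parse_forwards(log_lines):
    """Keep only the 'Forward to' entries from ipfw log lines."""
    forwards = []
    for line in log_lines:
        ts = SYSLOG_TS_RE.match(line)
        m = IPFW_RE.search(line)
        if not ts or not m or not m["action"].startswith("Forward to "):
            continue
        forwards.append(Forward(ts["ts"], m["rule"], m["action"].split()[-1],
                                f"{m['src']}>{m['dst']}", m["iface"]))
    return forwards


def index_captures(captures):
    """captures: {iface: [tcpdump lines]} -> {(HH:MM:SS, flow): set of ifaces}."""
    seen = defaultdict(set)
    for iface, lines in captures.items():
        for line in lines:
            m = TCPDUMP_RE.match(line)
            if m:
                flow = f"{m['src']}:{m['sport']}>{m['dst']}:{m['dport']}"
                seen[(m["ts"], flow)].add(iface)
    return seen


def check_forwards(forwards, seen, next_hop_iface):
    """Compare each fwd match with the interface the packet was really sent on.

    next_hop_iface maps a fwd next hop to the interface that reaches it. A
    one-second timestamp plus the 5-tuple is enough to pair a syslog line with
    a capture line in a low-rate test like the one in the report.
    """
    findings = []
    for f in forwards:
        expected = next_hop_iface.get(f.next_hop)
        actual = seen.get((f.ts, f.flow), set())
        if not actual:
            status = "not seen"
        elif actual == {expected}:
            status = "ok"
        else:
            status = "wrong interface"
        findings.append({"ts": f.ts, "rule": f.rule, "flow": f.flow,
                         "next_hop": f.next_hop, "expected": expected,
                         "actual": sorted(actual), "status": status})
    return findings


# Sample input: shortened copies of the log and capture lines in the report.
IPFW_LOG = """\
Sep 21 23:46:31 thin kernel: ipfw: 60010 Accept TCP 192.168.0.86:39598 10.0.0.66:465 in via em0
Sep 21 23:46:31 thin kernel: ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:34 thin kernel: ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
Sep 21 23:46:37 thin kernel: ipfw: 60020 Forward to 10.0.0.1 TCP 10.0.0.66:465 192.168.0.86:39598 out via fxp0
""".splitlines()

CAPTURES = {
    "em0": """\
23:46:31.188517 IP 192.168.0.86.39598 > 10.0.0.66.465: Flags [S], seq 579129109, length 0
23:46:34.188457 IP 192.168.0.86.39598 > 10.0.0.66.465: Flags [S], seq 579129109, length 0
""".splitlines(),
    "fxp0": """\
23:46:31.188609 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], seq 1231665894, ack 579129110, length 0
23:46:34.188526 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], seq 1231665894, ack 579129110, length 0
23:46:37.188384 IP 10.0.0.66.465 > 192.168.0.86.39598: Flags [S.], seq 1231665894, ack 579129110, length 0
""".splitlines(),
}

# Assumption from the report's topology: 10.0.0.1 is reached via em0, 10.0.1.1 via fxp0.
NEXT_HOP_IFACE = {"10.0.0.1": "em0", "10.0.1.1": "fxp0"}


def run():
    findings = check_forwards(parse_forwards(IPFW_LOG), index_captures(CAPTURES), NEXT_HOP_IFACE)
    for f in findings:
        print(f"{f['ts']} rule {f['rule']} {f['flow']} fwd {f['next_hop']} "
              f"expected {f['expected']} actual {','.join(f['actual']) or '-'}: {f['status']}")
    return findings


if __name__ == "__main__":
    run()
```

On the report's data every matched SYN-ACK comes back as "wrong interface" (expected em0, seen on fxp0), which is the discrepancy the report describes. To use it on a live host, feed the script the ipfw log lines and one tcpdump -n capture per interface, and adjust NEXT_HOP_IFACE to the host's routing table.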