Subject: ipfilter 4.1.6 fastroute (nat?) problem
To: None <current-users@netbsd.org>
From: Arto Selonen <arto@selonen.org>
List: current-users
Date: 02/24/2005 14:50:12
Hi!
On Feb 19th, Erik Bertelsen reported ipfilter/nat problems here on
current-users: http://mail-index.netbsd.org/current-users/2005/02/19/0012.html
I haven't seen anything related to it since, so here is a 'me too'
report, in case it helps track this down. Having been bitten by
kern/27079 in a system where kern/17875 may also be an issue, I was hoping
to finally get fastrouted packets flowing again with ipfilter 4.1.6.
So, I udated sources with whatever us2-anoncvs mirror gave this morning
(20050224), and did a normal, full upgrade to -current.
This is a simplified network setup:
PUB-NET <---> IPF-416-BOX <---> IANA-NET
There is a fastroute/keep-state ipfilter rule in the problem box to
connect to target IPs in the IANA address space network behind it,
from the public address side (routing is not an issue here). This
also bypasses NAT used for hiding those IANA addresses.
Trying to make a test SSH connection from public to private goes through
the box as expected, but tcpdump at the target system (old Linux laptop)
gives pretty much a similar output as reported earlier by Erik:
13:58:22.658571 truncated-ip - 15300 bytes missing!name.example.com.5680 >
192.168.242.231.ssh: 3796056737:3796072037(15300) win 32768 <mss
1460,nop,wscale 0,nop,nop,timestamp 84 0>
Is this a known issue, is anyone working on it, is there a known
workaround? Should somebody file a PR on this (or did I miss an existing
one)? I would be happy to help any way I can (=mainly testing patches and
traffic patterns, or providing details about the setup).
Details:
/etc/ipf.conf rule for PUB->IANA connection:
pass in log first quick on wm0 to wm2 proto tcp from some.public/24 to any flags S keep state group 10101
/etc/ipnat.conf rules related to connection pair:
map wm0 0/0 -> public.ip/32 proxy port ftp ftp/tcp
map wm0 192.168.242.0/24 -> public.ip/32 portmap tcp/udp 1025:65000
map wm0 192.168.242.0/24 -> public.ip/32
ipf: IP Filter: v4.1.6 (396)
INET6 is commented out in kernel config. SSH connections from private
to public side with NAT in use work OK. Further details available upon
request.
Artsi
--
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FIN-02600 Espoo arto@selonen.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.