Current-Users archive


Re: IPFilter RDR rules [was: IPFilter issue in -current]



On 9/01/2013 4:41 PM, Geoff Adams wrote:
...
> Whoops. I skipped an important rule. That should have been:
> 
> map wm0 192.168.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map wm0 192.168.10.0/24 -> 0/32
> 
> rdr wm0 7.8.9.10/32 port 56789 -> 192.168.10.11 port 56789 tcp/udp

Are you able to provide an example of what exactly failed?

i.e. was it creating redirect entries for UDP or TCP or ICMP?

If you can apply the attached patch to the kernel and also to
ipmon and run with both (use "ipmon -oN"), it should print out
the NAT entry that it wanted to create but failed because of
something else already existing in the kernel.

What I would like to understand is under what circumstances you
ran into this problem. Is it something like a TCP connection
from a.b.c.d,e to f.g.h.i,j was made and then closed but IPF keeps
it around for longer than the kernels do so the new one fails when
it comes from f.g.i.h,j to a.b.c.d,e?

Darren

Index: ip_nat.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.357.2.43
diff -u -r2.357.2.43 ip_nat.c
--- ip_nat.c    12 Jan 2013 02:37:44 -0000      2.357.2.43
+++ ip_nat.c    31 Dec 2012 00:56:39 -0000
@@ -3277,6 +3277,9 @@
 
        goto done;
 badnat:
+       if (move == -1) {
+               ipf_nat_log(softc, softn, nat, NL_NEW_FAIL);
+       }
        DT2(ns_badnatnew, fr_info_t *, fin, nat_t *, nat);
        NBUMPSIDE(fin->fin_out, ns_badnatnew);
        if ((hm = nat->nat_hm) != NULL)
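Review bot: the guard `if (move == -1)` around the new `ipf_nat_log(softc, softn, nat, NL_NEW_FAIL)` call is undocumented in this hunk; a one-line comment saying which path into `badnat:` `move == -1` stands for, and why failures that arrive there with other `move` values should stay silent, would make the diagnostic easier to trust, since NL_NEW_FAIL exists precisely to expose every entry that could not be created. Note also that the log is emitted before `NBUMPSIDE(fin->fin_out, ns_badnatnew)`, so a logged NEW_FAIL and the `ns_badnatnew` counter should always agree for that path; worth stating that in the comment so a reader comparing ipmon output with ipfstat counters knows what to expect.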
Index: ip_nat.h
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.h,v
retrieving revision 2.143.2.13
diff -u -r2.143.2.13 ip_nat.h
--- ip_nat.h    10 Jan 2013 02:26:01 -0000      2.143.2.13
+++ ip_nat.h    31 Dec 2012 00:56:23 -0000
@@ -591,6 +591,7 @@
 
 #define        NL_NEW          0
 #define        NL_CLONE        1
+#define        NL_NEW_FAIL     2
 #define        NL_PURGE        0xfffc
 #define        NL_DESTROY      0xfffd
 #define        NL_FLUSH        0xfffe
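Review bot: `NL_NEW_FAIL 2` is added to the public log-type values in ip_nat.h without a comment, unlike the situation-specific values above it that at least follow an obvious NEW/CLONE sequence; add a short trailing comment ("new NAT entry could not be created, see badnat: in ip_nat.c") and pair the new value with a documentation update for the `NAT:NEW_FAIL` string that ipmon will print, so that anyone reading ipmon output can find what the new record means.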
Index: tools/ipmon.c
===================================================================
RCS file: /devel/CVS/IP-Filter/tools/ipmon.c,v
retrieving revision 1.72.2.8
diff -u -r1.72.2.8 ipmon.c
--- tools/ipmon.c       22 Jul 2012 07:59:00 -0000      1.72.2.8
+++ tools/ipmon.c       31 Dec 2012 00:56:55 -0000
@@ -709,6 +709,10 @@
                strcpy(t, "NAT:NEW");
                break;
 
+       case NL_NEW_FAIL :
+               strcpy(t, "NAT:NEW_FAIL");
+               break;
+
        case NL_FLUSH :
                strcpy(t, "NAT:FLUSH");
                break;
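Review bot: `strcpy(t, "NAT:NEW_FAIL")` writes a 13-byte string (including the terminator) into `t`, longer than the existing `"NAT:NEW"` and `"NAT:FLUSH"` cases visible in this hunk, and the hunk does not show how `t` is sized; please confirm the buffer has room for the longest case (or switch this `switch` to `strlcpy(t, ..., sizeof(t))` if `t` is an array) so the new case cannot become an overflow of a stack buffer in a daemon that runs as root.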

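The failure mode Darren asks about, modelled as an added Python example (not IPFilter, NetBSD or ipmon code): an entry for a closed TCP session lingers in the NAT table, and a new session between the same endpoints in the reverse direction collides with it, which is exactly what the NAT:NEW_FAIL record in the patch would surface. The linger time, session lifetime, peer address, port-preserving outbound translation and log line format are assumptions made for the model.

```python
from dataclasses import dataclass

# Constructed model (not IPFilter code) of the collision Darren suspects:
# a NAT entry lingers after its TCP session closes, and a new session
# between the same endpoints in the reverse direction collides with it.
LINGER = 120        # assumed seconds a closed entry is kept before removal
SESSION_TTL = 3600  # assumed lifetime of an open entry

@dataclass
class NatEntry:
    inside: tuple    # (private addr, port)
    outside: tuple   # (public addr, port) as seen on wm0
    peer: tuple      # (remote addr, port)
    expires: float

class NatTable:
    def __init__(self):
        self.out_key = {}  # (inside, peer)  -> entry, used for outbound lookups
        self.in_key = {}   # (peer, outside) -> entry, used for inbound lookups
        self.log = []      # lines in the spirit of "ipmon -oN" output (assumed format)

    def expire(self, now):
        for e in [e for e in self.out_key.values() if e.expires <= now]:
            del self.out_key[(e.inside, e.peer)]
            del self.in_key[(e.peer, e.outside)]

    def new(self, now, inside, outside, peer):
        """Create an entry; fail (like badnat:) if either key already exists."""
        self.expire(now)
        ok, ik = (inside, peer), (peer, outside)
        if ok in self.out_key or ik in self.in_key:
            self.log.append(f"NAT:NEW_FAIL {inside} -> {outside} peer {peer}")
            return None
        e = NatEntry(inside, outside, peer, now + SESSION_TTL)
        self.out_key[ok], self.in_key[ik] = e, e
        self.log.append(f"NAT:NEW {inside} -> {outside} peer {peer}")
        return e

    def close(self, now, entry):
        entry.expires = now + LINGER  # closed, but not removed yet

def scenario(gap):
    """Outbound session closes at t=10; the reverse rdr session arrives gap s later."""
    t = NatTable()
    inside, public = ("192.168.10.11", 56789), ("7.8.9.10", 56789)
    peer = ("1.2.3.4", 5555)                 # constructed remote endpoint
    e = t.new(0, inside, public, peer)       # map rule, port preserved (assumed)
    t.close(10, e)
    t.new(10 + gap, inside, public, peer)    # rdr 7.8.9.10:56789 -> 192.168.10.11:56789
    return t.log[-1].split()[0]
```

Running scenario(30) yields a NAT:NEW_FAIL record while scenario(120) succeeds, which is the pattern to look for in the ipmon output once the patch is applied.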