Subject: kern/25646: NAT and fast route don't mix in IPF
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <perry@piermont.com>
List: netbsd-bugs
Date: 05/19/2004 22:02:01
>Number:         25646
>Category:       kern
>Synopsis:       NAT and fast route don't mix in IPF
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 20 02:03:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Perry E. Metzger
>Release:        NetBSD 2.0E
>Organization:
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."
>Environment:
	
	
System: NetBSD hackworth 2.0E NetBSD 2.0E (HACKWORTH) #0: Sat May 8 22:31:25 EDT 2004 perry@hackworth:/usr/src/sys/arch/i386/compile/HACKWORTH i386
Architecture: i386
Machine: i386
>Description:
	Up until I upgraded to the new IPF, I had a policy routing
gateway that did roughly the following:

                      +----------slow net with real net block
                      |      
[inside net] ---- [gateway]
                      |
                      +----------fast net via NAT

Some protocols were selectively fast routed to the gateway on the
"fast" network, and NATed. By default others went to the slow network
without NAT.

Following the upgrade, packets will go out on the fast net with their
properly NATed IP addresses, and will be replied to, but the replies
are not forwarded to the inside net.

>How-To-Repeat:
	See above.
>Fix:
	
>Release-Note:
>Audit-Trail:
>Unformatted:
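
A minimal rule set matching the topology described in the report, as an added example that is not the submitter's actual configuration. The interface names (fxp0 inside, fxp1 slow, fxp2 fast), the documentation-range addresses, and the choice of HTTP as the selectively fast-routed protocol are all assumptions.

```conf
# ---- /etc/ipf.conf (constructed example) ----
# fxp0 = inside net, fxp1 = slow net (real net block), fxp2 = fast net (NAT).
# Interface names and addresses are assumptions, not taken from the report.

# The selected protocol (HTTP here, an assumption) arriving from the inside
# net is fast-routed out fxp2 towards the fast-net next hop 198.51.100.1,
# bypassing the normal routing table.
pass in quick on fxp0 to fxp2:198.51.100.1 proto tcp from 192.0.2.0/24 to any port = 80 flags S keep state

# Everything else from the inside net follows the normal routing table,
# whose default route points at the slow net on fxp1, and is not NATed.
pass in quick on fxp0 from 192.0.2.0/24 to any keep state

# ---- /etc/ipnat.conf (constructed example) ----
# Rewrite anything leaving on the fast interface to that interface's
# own address (0/32), with port mapping for TCP and UDP.
map fxp2 192.0.2.0/24 -> 0/32 portmap tcp/udp auto
map fxp2 192.0.2.0/24 -> 0/32
```

To observe the reported symptom with a setup like this, compare the active sessions shown by `ipnat -l` with packet captures on fxp2 and fxp0: replies reach fxp2 for a mapped session but never leave fxp0.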