13.1: "ipfw forward" TESTCASE for crosscheck
Date: Mon, 28 Mar 2022 00:33:43 UTC
I did now a testcase, as follows:

===================================================================
root@zwlf:~ # cat /boot/loader.conf
net.fibs="3"
net.inet.ip.fw.default_to_accept=1
root@zwlf:~ # uname -a
FreeBSD zwlf 12.3-RELEASE FreeBSD 12.3-RELEASE r371126 GENERIC  amd64
root@zwlf:~ # kldload ipfw
root@zwlf:~ # ipfw show
65535 31 2392 allow ip from any to any
root@zwlf:~ # ifconfig tun0 create
root@zwlf:~ # ifconfig tun0 inet 1.1.1.1 1.1.1.3
root@zwlf:~ # cat < /dev/tun0 > /dev/null &
[1] 745
root@zwlf:~ # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1
root@zwlf:~ # ipfw add 1 fwd 1.1.1.3 all from any to 2.2.2.2 out
root@zwlf:~ # ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes
root@zwlf:~ # tcpdump -nitun0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
01:50:48.245471 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 57, length 64
01:50:49.270479 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 58, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@zwlf:~ # tcpdump -nivtnet0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
===========================================================================
root@dzhn:~ # cat /boot/loader.conf
net.fibs="3"
net.inet.ip.fw.default_to_accept=1
root@dzhn:~ # uname -a
FreeBSD dzhn 13.1-PRERELEASE FreeBSD 13.1-PRERELEASE #2 local/stable/13-n249898-b64a3b409a5-dirty: Mon Mar  7 03:07:03 CET 2022     root@dzhn:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
root@dzhn:~ # kldload ipfw
root@dzhn:~ # ipfw show
65535 6 496 allow ip from any to any
root@dzhn:~ # ifconfig tun0 create
root@dzhn:~ # ifconfig tun0 inet 1.1.1.1 1.1.1.3
root@dzhn:~ # cat < /dev/tun0 > /dev/null &
[1] 728
root@dzhn:~ # sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 1
root@dzhn:~ # ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes
root@dzhn:~ # tcpdump -nitun0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
root@dzhn:~ # tcpdump -nivtnet0 "host 2.2.2.2"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:01:46.861543 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 34, length 64
02:01:47.876647 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 35, length 64
===========================================================================

So far, this does not look like it would work as expected.

But the strangeness is, before I tried to migrate my entire backbone to Rel. 13 (and now reverted back to 12.3), I did a pilot. That pilot runs its traffic via "ipfw forward", all the time, and it works flawlessly! (And the rulesets are software-generated, they should be all the same everywhere.)

This is the pilot:
FreeBSD 13.1-STABLE #0 n250057-80a5bb34a50[80a5bb34a50=19b779498ca+22]: Thu Mar 17 19:48:04 CET 2022

And the thing that I just tried to install to the backbone is this one:
FreeBSD 13.1-STABLE #0 n250124-185a4cbf602[185a4cbf602=6018f775ceb+24]: Sun Mar 27 00:57:26 CET 2022

This doesn't make sense... there must be something else involved.

So, if you can, please cross-check this testcase.
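For anyone who wants to repeat the cross-check without eyeballing two tcpdump windows, here is a scripted form of the same testcase. This is an added example, not the poster's script and not anything from the FreeBSD tree. It assumes a FreeBSD box run as root, vtnet0 as the real NIC, tun0 with 1.1.1.1/1.1.1.3 as the sink, 2.2.2.2 as the probe address (all overridable via environment), and timeout(1) from base. It runs both captures at once, sends a few probes, and prints a verdict: a working fwd rule puts the echo requests on tun0, a non-working one leaves them on vtnet0. The two result sets quoted above are embedded as constructed sample input so the classifier can be exercised on any machine; the system is only touched when invoked with "run".

```sh
#!/bin/sh
# Added example (not the poster's script): a repeatable version of the
# "ipfw fwd to tun0" testcase that reports a verdict instead of relying
# on two tcpdump windows. Assumes FreeBSD, root, and timeout(1) in base.
TARGET=${TARGET:-2.2.2.2}       # probe destination, as in the post
TUNIF=${TUNIF:-tun0}            # sink interface the fwd rule points into
OUTIF=${OUTIF:-vtnet0}          # real NIC the probe would otherwise leave on
TUNLOCAL=${TUNLOCAL:-1.1.1.1}   # tun local address (assumption from post)
TUNPEER=${TUNPEER:-1.1.1.3}     # tun peer = fwd target (assumption from post)

# Count ICMP echo requests towards $1 in tcpdump text output read on stdin.
# Fixed-string match, so the dots in the address are not regex wildcards.
count_echo_requests() {
    awk -v t="$1" 'index($0, "> " t ": ICMP echo request") > 0 { n++ }
                   END { print n + 0 }'
}

# $1 = echo requests seen on the tun interface, $2 = seen on the real NIC.
fwd_verdict() {
    if   [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then echo forwarded
    elif [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then echo not-forwarded
    elif [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo no-traffic
    else                                        echo both-interfaces
    fi
}

# Verdict for a pair of capture texts ($1 = tun capture, $2 = NIC capture).
verdict_from_text() {
    fwd_verdict "$(printf '%s\n' "$1" | count_echo_requests "$TARGET")" \
                "$(printf '%s\n' "$2" | count_echo_requests "$TARGET")"
}

# Constructed sample input: the packet lines quoted in the post, reduced to
# what the classifier looks at, so the logic can be checked offline.
POST_12_3_TUN='01:50:48.245471 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 57, length 64
01:50:49.270479 IP 192.168.1.12 > 2.2.2.2: ICMP echo request, id 1027, seq 58, length 64'
POST_12_3_NIC=''
POST_13_1_TUN=''
POST_13_1_NIC='02:01:46.861543 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 34, length 64
02:01:47.876647 IP 192.168.1.13 > 2.2.2.2: ICMP echo request, id 60162, seq 35, length 64'

# Replicates the setup from the post: ipfw loaded (default-accept expected
# from loader.conf), a tun sink with a reader so it stays up, and rule 1
# forwarding the probe to the tun peer. The cat is left running on purpose.
setup_fwd_testcase() {
    kldload ipfw 2>/dev/null || true
    ifconfig "$TUNIF" create 2>/dev/null || true
    ifconfig "$TUNIF" inet "$TUNLOCAL" "$TUNPEER"
    cat < "/dev/$TUNIF" > /dev/null &
    ipfw -q add 1 fwd "$TUNPEER" all from any to "$TARGET" out
}

# Capture on both interfaces at once, send a few probes, then classify.
run_fwd_testcase() {
    tmp=$(mktemp -d)
    timeout 8 tcpdump -nl -i "$TUNIF" "host $TARGET" >"$tmp/tun.txt" 2>/dev/null &
    p1=$!
    timeout 8 tcpdump -nl -i "$OUTIF" "host $TARGET" >"$tmp/out.txt" 2>/dev/null &
    p2=$!
    sleep 1                                      # let both tcpdumps attach
    ping -c 3 "$TARGET" >/dev/null 2>&1 || true  # no reply is expected
    wait "$p1" "$p2"                             # not the tun reader
    tun_n=$(count_echo_requests "$TARGET" <"$tmp/tun.txt")
    out_n=$(count_echo_requests "$TARGET" <"$tmp/out.txt")
    rm -rf "$tmp"
    echo "$(uname -r): tun=$tun_n nic=$out_n verdict=$(fwd_verdict "$tun_n" "$out_n")"
}

# Only touch the system when asked; "demo" classifies the quoted results.
case "${1:-}" in
    run)  setup_fwd_testcase; run_fwd_testcase ;;
    demo) echo "12.3: $(verdict_from_text "$POST_12_3_TUN" "$POST_12_3_NIC")"
          echo "13.1: $(verdict_from_text "$POST_13_1_TUN" "$POST_13_1_NIC")" ;;
esac
```

Run it as "sh fwdcheck.sh run" on each kernel you want to compare and diff the one-line verdicts; "sh fwdcheck.sh demo" only classifies the captures from the post and needs no privileges. Note that the fwd rule is inserted with "out" and no interface match, exactly as in the post, so a box with an additional default route would still send the probe out the real NIC if the rule is not honoured.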