ipnat is definitely broken in RELENG_5_4

From: Billy Newsom (smartweb_at_leadhill.net)
Date: 05/31/05

Date: Tue, 31 May 2005 00:03:25 -0500
To: freebsd-stable@freebsd.org
    
    

    I posted previously that ipnat failed to start after I upgraded to
    FreeBSD 5.4. On the same machine, I am having additional ipnat failures.

    I reported the first time that ipnat failed to start on the first boot.

    I am now reporting that on the second boot, ipnat loaded and installed
    its tables, as expected. A quick "ipnat -vls" at boot confirmed this.
    YEAH! But ON SECOND LOOK, I found out that ipnat was failing to do
    its normal network translation. A subsequent "ipnat -vls" confirmed
    that there were no statistics for anything a day later -- all 0's, but I
    should have been mapping in and out a lot of connections.

    So I cleared ipnat's tables and reloaded the same ones. Instantly some
    connections that were waiting to start were NATed in, and I saw some
    active connections in the NAT statistics. There had apparently been
    none since the second boot using FreeBSD 5.4.

    I am adding this to the PR I filed, because something is still amiss. I
    am now trying to figure out how to write a babysitter script for ipnat,
    so it runs at boot, and maybe periodically to ensure NAT is on. If I am
    away from this server, I wonder what I would do if I depended on
    ipnat??? I would be firewalled out, essentially, needing to login
    locally. This is major, so I am going to keep being persistent about it.

    Thanks for any insight or workarounds... Still need to try enabling ipv6
    in rc.conf as someone suggested??? Does that seem right?

    Here are a few sanitized shell outputs. We have changed the port numbers
    to protect the innocent.

    Sun May 29 18:19:29 CDT 2005
    [My bootup time]
    # ipnat -vls
    mapped in 0 out 0
    added 0 expired 0
    no memory 0 bad nat 0
    inuse 0
    rules 6
    wilds 0
    table 0xbfbfebc8 list 0xc1bc6e00
    List of active MAP/Redirect filters:
    rdr oo0 192.168.1.2/32 port 899 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 21111 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 1238 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 1234 -> 127.0.0.1 port 56 tcp
    rdr oo0 192.168.1.2/32 port 1236 -> 127.0.0.1 port 192 tcp
    rdr oo0 192.168.1.2/32 port 1237 -> 192.168.0.2 port 152 tcp

    List of active sessions:

    List of active host mappings:

    [And I did this on the 30th!!! with no statistics a day later]

    # ipnat -vls
    mapped in 0 out 0
    added 0 expired 0
    no memory 0 bad nat 0
    inuse 0
    rules 6
    wilds 0
    table 0xbfbfeba8 list 0xc1bc6e00
    List of active MAP/Redirect filters:
    rdr oo0 192.168.1.2/32 port 899 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 21111 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 1238 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 1234 -> 127.0.0.1 port 56 tcp
    rdr oo0 192.168.1.2/32 port 1236 -> 127.0.0.1 port 192 tcp
    rdr oo0 192.168.1.2/32 port 1237 -> 192.168.0.2 port 152 tcp

    List of active sessions:

    List of active host mappings:

    # ipnat -C
    6 entries flushed from NAT list

    # ipnat -vls
    mapped in 0 out 0
    added 0 expired 0
    no memory 0 bad nat 0
    inuse 0
    rules 0
    wilds 0
    table 0xbfbfeba8 list 0x0
    List of active MAP/Redirect filters:

    List of active sessions:

    List of active host mappings:

    # ipnat -f /etc/ipnat.rules

    [Here it is a few minutes later....]
    # ipnat -vls
    mapped in 14 out 12
    added 1 expired 0
    no memory 0 bad nat 0
    inuse 1
    rules 6
    wilds 0
    table 0xbfbfeba8 list 0xc43f1a00
    List of active MAP/Redirect filters:
    rdr oo0 192.168.1.2/32 port 899 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 21111 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 1238 -> 127.0.0.1 port 99 tcp
    rdr oo0 192.168.1.2/32 port 1234 -> 127.0.0.1 port 56 tcp
    rdr oo0 192.168.1.2/32 port 1236 -> 127.0.0.1 port 192 tcp
    rdr oo0 192.168.1.2/32 port 1237 -> 192.168.0.2 port 152 tcp

    List of active sessions:
    RDR 127.0.0.1 99 <- -> 192.168.1.2 899 [16.10.10.211 42666]
             age 438 use 0 sumd 0xba36/0xba36 pr 6 bkt 251/408 flags 1 drop 0/0
             ifp oo0 bytes 8532 pkts 26

    List of active host mappings:

    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
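A watchdog along the lines the post asks for, as an added example (not the poster's script and not part of FreeBSD): it parses `ipnat -vls` output and reloads the rule set when no rules are loaded or when the "mapped in/out" counters have not moved since the previous run, which is the stuck state shown above. The reload command is the one FreeBSD's rc.d/ipnat uses; the rules path and state file are assumptions.

```shell
#!/bin/sh
# Hypothetical ipnat watchdog (added example, not the poster's script).
# Reads "ipnat -vls" and reloads the rule set when either no rules are
# loaded (rules 0) or rules are loaded but "mapped in/out" has not moved
# since the last run: the symptom in the post (rules 6, counters all 0).
IPNAT_RULES=${IPNAT_RULES:-/etc/ipnat.rules}           # assumed path
STATE_FILE=${STATE_FILE:-/var/run/ipnat_watchdog.last} # assumed path

# nat_rules_count "<ipnat -vls output>" -> the number after "rules"
nat_rules_count() {
    printf '%s\n' "$1" | awk '$1 == "rules" { print $2; exit }'
}

# nat_mapped_total "<output>" -> in + out from the "mapped in X out Y" line
nat_mapped_total() {
    printf '%s\n' "$1" | awk '$1 == "mapped" && $2 == "in" { print $3 + $5; exit }'
}

# nat_verdict "<output>" "<previous mapped total>" -> OK | NO_RULES | STALLED
nat_verdict() {
    rules=$(nat_rules_count "$1")
    mapped=$(nat_mapped_total "$1")
    if [ "${rules:-0}" -eq 0 ]; then echo NO_RULES; return; fi
    if [ "${mapped:-0}" -eq "$2" ]; then echo STALLED; return; fi
    echo OK
}

# Same reload rc.d/ipnat performs: flush rules (-C) and sessions (-F), then load.
nat_reload() {
    ipnat -CF -f "$IPNAT_RULES"
}

# Constructed samples: the stuck state from the post and a healthy one.
SAMPLE_STUCK='mapped in 0 out 0
added 0 expired 0
inuse 0
rules 6'
SAMPLE_OK='mapped in 14 out 12
added 1 expired 0
inuse 1
rules 6'

# One watchdog pass: compare with the previous sample, record, reload if needed.
watchdog_run() {
    out=$(ipnat -vls) || { echo "ipnat -vls failed" >&2; return 1; }
    prev=$(cat "$STATE_FILE" 2>/dev/null || printf '%s' -1)
    v=$(nat_verdict "$out" "$prev")
    nat_mapped_total "$out" > "$STATE_FILE"
    [ "$v" = OK ] || { logger -t ipnat_watchdog "$v, reloading"; nat_reload; }
}
```

Call `watchdog_run` from cron every few minutes. The stalled check assumes a gateway with continuous NAT traffic: on a genuinely idle box it reloads needlessly, and `-F` drops any live session state each time.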
