FreeBSD 10.0-RELEASE and problems with IP forwarding

    The IPv4 stack underwent many changes in the new FreeBSD 10.0 release, and the IP forwarding mechanism was among them. In particular, the kernel option IPFIREWALL_FORWARD was removed, as described in the release notes: this functionality is now always compiled in, so the need for such an option simply disappeared. But there is a small nuance.

    Its essence is as follows: if ipfw rules are used, everything works except for one case, which happens to be a frequently used one:
    ipfw fwd XXXX all from AAAA to BBBB
    The condition for the error to occur is that, according to the routing table, the original packet should leave through interface int_1, while the XXXX address sits behind a different interface, int_2.


    The ipfw fwd XXXX rule sends packets to /dev/null when XXXX is reachable through a different interface than the one the original packet would have used.
    Such rules are often used to set up parallel physical links for redundancy, or to pick different routes based on the packet's source address (policy routing).
    The packet shows up in the log, but it never appears on the output interface.
    As it turned out, other people have run into this problem as well. Here is a way to solve the problem. Adding one missing line fixes the issue in the current release. After rebuilding the kernel, the rules behave predictably and work, although it is too early to put this into production; I have not finished checking for correctness in other places.
    Interestingly, there is very little material about this problem, and when I first came across this ipfw behavior I did not immediately understand what was happening.
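    The condition above (next hop of a fwd rule behind a different interface than the one the routing table picks for the packet) can be checked statically before a ruleset is loaded on a 10.0-RELEASE box. The following script is an added example written for this page, not code from the post or from FreeBSD: it does a longest-prefix lookup of both the fwd next hop and the packet destination against a routing table and flags every fwd rule where the two interfaces differ. The netstat -rn output, the ipfw ruleset, the interface names em0/em1/em2 and the probe address 100.64.0.1 (standing in for "to any", i.e. whatever only the default route covers) are all constructed sample data, not taken from the post.

```python
"""Flag ipfw fwd rules whose next hop lives behind a different interface
than the one the routing table would choose for the packet itself."""
import ipaddress
import re

# Constructed sample of `netstat -rn` for a box with two uplinks:
# default route via em0 (int_1), a second provider reachable via em1 (int_2),
# and a LAN on em2. Not real data from the post.
ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#2             U           em1
192.0.2.10         link#2             UHS         lo0
198.51.100.0/24    link#4             U           em2
203.0.113.0/24     link#1             U           em0
"""

# Constructed `ipfw list` output: source-based policy routing, half of the
# LAN forced out through the second provider. Rule 200 is the case the post
# describes (packet routed via em0, next hop 192.0.2.1 behind em1).
RULES = """\
00100 allow ip from any to any via lo0
00200 fwd 192.0.2.1 ip from 198.51.100.0/25 to any out xmit em0
00300 fwd 203.0.113.1 ip from 198.51.100.128/25 to any
65535 allow ip from any to any
"""

# Assumed probe for a "to any" destination: an address only the default
# route covers, so the lookup yields the default route's interface.
REMOTE_PROBE = "100.64.0.1"

FWD_RE = re.compile(
    r"^(\d+)\s+(?:fwd|forward)\s+([0-9.]+)(?:,\d+)?\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)"
)


def parse_routes(text):
    """Return [(ipv4 network, netif)] from netstat -rn style text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank lines, "Routing tables", "Internet:" etc.
        dest, netif = fields[0], fields[3]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # column header line
        if net.version == 4:
            routes.append((net, netif))
    return routes


def route_lookup(routes, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


def parse_fwd_rules(text):
    """Return [(rule number, next hop, src spec, dst spec)] for fwd rules."""
    rules = []
    for line in text.splitlines():
        m = FWD_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rules


def check_fwd_rules(routes_text, rules_text, remote_probe=REMOTE_PROBE):
    """Resolve next hop and destination to interfaces for every fwd rule."""
    routes = parse_routes(routes_text)
    findings = []
    for num, hop, _src, dst in parse_fwd_rules(rules_text):
        if dst == "any":
            probe = remote_probe
        else:
            try:
                probe = str(ipaddress.ip_network(dst, strict=False).network_address)
            except ValueError:
                continue  # "me", "not ...", table(...) cannot be resolved statically
        hop_if = route_lookup(routes, hop)
        dst_if = route_lookup(routes, probe)
        findings.append({"rule": num, "next_hop": hop, "hop_if": hop_if,
                         "dst_if": dst_if, "cross_interface": hop_if != dst_if})
    return findings


if __name__ == "__main__":
    for f in check_fwd_rules(ROUTES, RULES):
        mark = "AFFECTED" if f["cross_interface"] else "ok"
        print(f"rule {f['rule']:5d} fwd {f['next_hop']:<15} "
              f"hop via {f['hop_if']}, packet via {f['dst_if']}: {mark}")
```

    On a real system the two text blobs would be replaced with the output of netstat -rn and ipfw list. The check is purely static: "to any" is approximated by the default route, so a rule that is only hit for destinations inside a directly connected network may be reported differently from how the kernel actually handles it.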

    PS. In some cases I observe duplication of outgoing packets passing through the ipfw fwd rule, which in general does no harm, but the behavior is still strange, especially since it only happens sometimes. So far I have not found the logic behind it.

    PPS. I also came across the recommendation to upgrade to 10.0-STABLE, where this IP stack error is fixed. But a release is a release; a dynamic version "in development" is clearly not suitable for production work. So the conclusion is that, unfortunately, 10 is not yet recommended for commercial operation ... which is very unfortunate.
