Eugene Kazarinov
2017-May-15 20:28 UTC
something is not working: ipfw fwd VIA nat TO tun on FreeBSD-11 stable r318266
Hello.
After upgrade from 10.3 stable something broke.

I have tun0
tun0: flags=8151<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.10.0.6 --> 10.10.0.5 netmask 0xffffffff
        groups: tun
        Opened by PID 1111

in pf.conf I have rule
nat on tun0 inet from 192.168.10.0/24 to any -> 10.10.0.6

ipfw forwarding rule:
ipfw 1500 fwd 10.10.0.5 ip from 192.168.10.0/24 to any via em0

ipfw sh counts
01500 1609 102098 fwd 10.10.0.5 ip from 192.168.10.0/24 to any via em0

So packets from network 192.168.10.0/24 forward to tun0 and I see it there BUT
Why I see they not mapped?!:

# tcpdump -ni tun0
23:02:15.207682 IP 192.168.10.2 > 8.8.8.8: ICMP echo request, id 1, seq 2253, length 40
On another side of tun0 there is no packets.

If I ping 10.10.0.1 then I see right packets on both sides of tun0 (so tun0 is up and working)
23:03:15.989577 IP 10.10.0.6 > 10.10.0.1: ICMP echo request, id 25095, seq 0, length 64
23:03:15.992260 IP 10.10.0.1 > 10.10.0.6: ICMP echo reply, id 25095, seq 0, length 64

Why pf doesn't map packets which are forwarded via ipfw?

BTW
I'd try
ipnat.rules
map tun0 from 192.168.10.0/24 to any -> 10.10.0.6/32

but ipnat doesn't map forwarded packets too. Why?

How to fix it?!
Eugene Kazarinov
2017-May-16 00:22 UTC
something is not working: ipfw fwd VIA nat TO tun on FreeBSD-11 stable r318266
I downgraded via makeworld&etc from /usr/src to 10.3-STABLE r318297
And now ipnat.rules is working and mapping forwarded packets.

Maybe I forgot that pf nat didn't map forwarded packets on 10 version. I installed this system some time ago. And don't remember which config is applied (ipnat.rules or pf.conf)
By now I see that ipnat.rules is mapping forwarded packets on 10.3-STABLE and doesn't map them on version FreeBSD-11 stable r318266.

So. Something in ipnat mechanism is broken in FreeBSD-11 stable r318266.

2017-05-15 23:28 GMT+03:00 Eugene Kazarinov <kamuzon at milshop.ru>:
> Hello.
> After upgrade from 10.3 stable something broke.
>
> I have tun0
> tun0: flags=8151<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
> options=80000<LINKSTATE>
> inet 10.10.0.6 --> 10.10.0.5 netmask 0xffffffff
> groups: tun
> Opened by PID 1111
>
> in pf.conf I have rule
> nat on tun0 inet from 192.168.10.0/24 to any -> 10.10.0.6
>
> ipfw forwarding rule:
> ipfw 1500 fwd 10.10.0.5 ip from 192.168.10.0/24 to any via em0
>
> ipfw sh counts
> 01500 1609 102098 fwd 10.10.0.5 ip from 192.168.10.0/24 to any
> via em0
>
> So packets from network 192.168.10.0/24 forward to tun0 and I see it
> there BUT
> Why I see they not mapped?!:
>
> # tcpdump -ni tun0
> 23:02:15.207682 IP 192.168.10.2 > 8.8.8.8: ICMP echo request, id 1, seq
> 2253, length 40
> On another side of tun0 there is no packets.
>
> If I ping 10.10.0.1 then I see right packets on both sided of tun0 (so
> tun0 is up and working)
> 23:03:15.989577 IP 10.10.0.6 > 10.10.0.1: ICMP echo request, id 25095,
> seq 0, length 64
> 23:03:15.992260 IP 10.10.0.1 > 10.10.0.6: ICMP echo reply, id 25095, seq
> 0, length 64
>
> Why pf doesnt map packets which are forwarded via ipfw?
>
> BTW
> I'd try
> ipnat.rules
> map tun0 from 192.168.10.0/24 to any -> 10.10.0.6/32
>
> but ipnat doesnt map forwarded packets too. Why?
>
> How to fix it?!
>
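
Added example, not part of the original posts: one way to check a `tcpdump -ni tun0` capture for the symptom described in the thread, packets that still carry a 192.168.10.0/24 source on tun0 instead of the NAT address 10.10.0.6. The sample lines are the three tcpdump lines quoted in the thread; the function names `classify` and `summarize` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Values from the thread: the internal network and the NAT address on tun0.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
NAT_ADDR = ipaddress.ip_address("10.10.0.6")

# "tcpdump -n" IPv4 line form as quoted in the thread; an optional ".port"
# suffix after each address (TCP/UDP) is tolerated.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
)

# The three tcpdump lines quoted in the thread.
SAMPLE = [
    "23:02:15.207682 IP 192.168.10.2 > 8.8.8.8: ICMP echo request, id 1, seq 2253, length 40",
    "23:03:15.989577 IP 10.10.0.6 > 10.10.0.1: ICMP echo request, id 25095, seq 0, length 64",
    "23:03:15.992260 IP 10.10.0.1 > 10.10.0.6: ICMP echo reply, id 25095, seq 0, length 64",
]

def classify(line):
    """Return (verdict, src, dst) for one tcpdump line, or None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
    except ValueError:          # e.g. an octet above 255
        return None
    if src in INTERNAL_NET:
        verdict = "untranslated"    # source was not rewritten by NAT
    elif src == NAT_ADDR:
        verdict = "nat-address"     # translated, or sent by the host itself
    else:
        verdict = "other"
    return verdict, str(src), str(dst)

def summarize(lines):
    """Count verdicts over a capture; unparsed lines are skipped."""
    return dict(Counter(r[0] for r in map(classify, lines) if r))

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(summarize(SAMPLE))
```

A source of 10.10.0.6 cannot be attributed to NAT from the capture alone, since the host's own traffic on tun0 uses the same address; only the "untranslated" verdict is conclusive.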