Date:      Thu, 9 Jun 2016 16:16:18 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Kristof Provost <kp@FreeBSD.org>
Cc:        stable@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: ipfw fwd to closed port
Message-ID:  <20160609131618.GU75630@zxy.spb.ru>
In-Reply-To: <F1894D5E-0951-4E6B-8BCF-CB25CD25A9A8@FreeBSD.org>
References:  <20160608230240.GA51364@zxy.spb.ru> <20160609130017.GA4071@vega.codepro.be> <20160609130601.GS75630@zxy.spb.ru> <F1894D5E-0951-4E6B-8BCF-CB25CD25A9A8@FreeBSD.org>

On Thu, Jun 09, 2016 at 09:08:33AM -0400, Kristof Provost wrote:

> 
> 
> On 9 Jun 2016, at 9:06, Slawa Olhovchenkov wrote:
> 
> > On Thu, Jun 09, 2016 at 03:00:17PM +0200, Kristof Provost wrote:
> >
> >> On 2016-06-09 02:02:40 (+0300), Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:
> >>> Forwarding by ipfw to a closed local port generates an RST packet with
> >>> an incorrect checksum. Is this a known issue? Need to open a PR?
> >>
> >> Where did you capture the packet? If you've captured the packet on the
> >> machine that generated it tcpdump may indeed claim that the checksum is
> >> wrong, because it's computed by the hardware (so after tcpdump captured
> >> it).
> >
> > On the tun0 (destination of RST packet routed to tun0).
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
> >         options=80000<LINKSTATE>
> >         inet 192.168.4.1 --> 192.168.4.1 netmask 0xffffff00
> >         inet6 fe80::240:63ff:fedc:ac9e%tun0 prefixlen 64 scopeid 0x9
> >         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> >         Opened by PID 1345
> >
> > tun0 doesn't compute checksums.
> 
> I’m not sure I understand what you’re trying to say.
> 
> In any case: either capture the packet outside the machine, or confirm
> that the checksum is wrong by watching the relevant netstat counters.

I have a machine with tun0 (see above) and ipfw rules:

04010  23880  2132855 fwd 127.0.0.1,3129 tcp from 192.168.0.0/16 to not me dst-port 80,3128,8080,8100-8105 recv tun0

# netstat -rn
192.168.4.0/24     192.168.4.1        UGS        tun0
192.168.4.1        link#9             UH         tun0

tun0 is handled by coova-chilli.

An initiator from network 192.168.4.0/24 (e.g. 192.168.4.4) sends a packet to the outside, 8.8.8.8 for example.
The fwd rule on tun0 forwards it to 127.0.0.1,3129. There is no listener on 127.0.0.1:3129; an RST is generated from 8.8.8.8:80
to 192.168.4.4:2345. This packet is routed to tun0 and received by chilli.

Checksums must be correct at this point, on the tun0 interface, for correct handling in chilli.
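
One way to confirm independently whether the TCP checksum of such an RST is wrong, as an added example that is not part of the original message: recompute the checksum over the IPv4 pseudo-header and the TCP segment from the raw packet bytes. The function names and the sample packet (built from the addresses and ports mentioned above) are constructed for illustration, and the input is assumed to be a raw IPv4 packet with no link-layer header.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip_packet: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    segment = ip_packet[ihl:total_len]
    # Pseudo-header: source address, destination address, zero, protocol, TCP length
    pseudo = ip_packet[12:20] + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(segment))
    # A valid segment summed together with its checksum field gives 0xFFFF.
    return ones_complement_sum(pseudo + segment) == 0xFFFF

def build_rst(src, dst, sport, dport, ack):
    """Construct a sample RST/ACK packet with correct checksums (test input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, ack, 5 << 4, 0x14, 0, 0, 0)
    addrs = socket.inet_aton(src) + socket.inet_aton(dst)
    pseudo = addrs + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    csum = ~ones_complement_sum(pseudo + tcp) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0) + addrs
    ip_csum = ~ones_complement_sum(ip) & 0xFFFF
    return ip[:10] + struct.pack("!H", ip_csum) + ip[12:] + tcp

if __name__ == "__main__":
    # Constructed sample: RST from 8.8.8.8:80 to 192.168.4.4:2345
    good = build_rst("8.8.8.8", "192.168.4.4", 80, 2345, 1)
    bad = bytearray(good)
    bad[36] ^= 0x01  # flip one bit in the TCP checksum field
    print("intact packet ok:", tcp_checksum_ok(good))
    print("corrupted packet ok:", tcp_checksum_ok(bytes(bad)))
```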