Date: Mon, 17 Mar 2008 12:10:02 GMT
From: "Alexander Zagrebin" <alexz@visp.ru>
To: freebsd-ipfw@FreeBSD.org
Subject: RE: kern/121743: ipfw in-kernel nat loses fragmented packets
Message-ID: <200803171210.m2HCA2YZ062880@freefall.freebsd.org>
The following reply was made to PR kern/121743; it has been noted by GNATS.

From: "Alexander Zagrebin" <alexz@visp.ru>
To: <vadim_nuclight@mail.ru>
Cc: <bug-followup@freebsd.org>
Subject: RE: kern/121743: ipfw in-kernel nat loses fragmented packets
Date: Mon, 17 Mar 2008 14:32:23 +0300

> On Sat, 15 Mar 2008 18:47:03 GMT; Alexander Zagrebin
> <alexz@visp.ru> wrote:
> > >>Fix:
> > --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300
> > +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300
> > @@ -3568,7 +3568,8 @@
> > else
> > retval =
> LibAliasOut(t->lib, c,
> > MCLBYTES);
> > - if (retval != PKT_ALIAS_OK) {
> > + if (retval != PKT_ALIAS_OK &&
> > + retval !=
> PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
> > /* XXX - should i
> add some logging? */
> > m_free(mcl);
> > badnat:
>
> This is not so simple to fix as LibAlias API requires caller to save packet
> fragments somewhere and then at some time to feed them all back. And kernel
> infrastructure currently is not so suitable for that packet storage.

/sbin/natd doesn't use this method either. But it is in the source tree and works.
This patch will work in most cases.
It is better to work with a bad patch than not to work at all.

> As a workaround you can currently send packets with some ipfw rule before NAT
> to a divert socket on which ng_ksocket listens and returns packets back with
> ng_echo (thus packets won't leave kernel), as divert sockets do packet
> reassembly.

So ng_ksocket has kernel memory for fragmented packet's buffer, but libalias not? :)
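Review bot: The added `retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT` test exempts only that one return value from the drop path and carries no comment saying why a header fragment may continue after LibAliasOut() without being stored. Every other non-OK result still reaches m_free(mcl) and badnat, so the hunk alone does not show that the remaining fragments of the same datagram get through. Suggest a short comment at the new condition stating which fragment cases are deliberately passed and which are still dropped, and resolving the existing `/* XXX - should i add some logging? */` with a counter or log line at the drop so that lost fragments are visible when diagnosing this PR.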
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803171210.m2HCA2YZ062880>