From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 17 12:30:04 2008 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4BFA1106566B for ; Mon, 17 Mar 2008 12:30:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 3919C8FC19 for ; Mon, 17 Mar 2008 12:30:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2HCU35F065043 for ; Mon, 17 Mar 2008 12:30:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2HCU3ST065036; Mon, 17 Mar 2008 12:30:03 GMT (envelope-from gnats) Date: Mon, 17 Mar 2008 12:30:03 GMT Message-Id: <200803171230.m2HCU3ST065036@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: Vadim Goncharov Cc: Subject: Re: kern/121743: ipfw in-kernel nat loses fragmented packets X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Vadim Goncharov List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Mar 2008 12:30:04 -0000 The following reply was made to PR kern/121743; it has been noted by GNATS. From: Vadim Goncharov To: Alexander Zagrebin Cc: bug-followup@freebsd.org Subject: Re: kern/121743: ipfw in-kernel nat loses fragmented packets Date: Mon, 17 Mar 2008 18:23:02 +0600 Hi Alexander Zagrebin! On Mon, 17 Mar 2008 12:10:02 GMT; Alexander Zagrebin wrote: >>> --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300 >>> +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300 >>> @@ -3568,7 +3568,8 @@ >>> else >>> retval = >> LibAliasOut(t->lib, c, >>> MCLBYTES); >>> - if (retval != PKT_ALIAS_OK) { >>> + if (retval != PKT_ALIAS_OK && >>> + retval != >> PKT_ALIAS_FOUND_HEADER_FRAGMENT) { >>> /* XXX - should i >> add some logging? */ >>> m_free(mcl); >>> badnat: >> >> This is not so simple to fix as LibAlias API requires caller >> to save packet >> fragments somewhere and then at some time to feed them all >> back. And kernel >> infrastructure currently is not so suitable for that packet storage. > /sbin/natd doesn't use this method too. But it is in source tree and works. natd(8) relies on a divert(4) socket on doing reassembly, again in kernel - and ppp(8) actually use this method. > This patch will work at most cases. > It is better to work with a bad patch, than to not work absolutely. No, that's not FreeBSD way. Especially when you have workaround available. >> As a workaround you can currently send packets with some ipfw >> rule before NAT >> to a divert socket on wich ng_ksocket listens and returns >> packets back with >> ng_echo (thus packets won't leave kernel), as divert sockets do packet >> reassembly. > So ng_ksocket has kernel memory for fragmented packet's buffer, but libalias > not? :) Yes, because libalias(3) was developed more than 10 years for ppp(8), and was never ment to be ported to the kernel (it still has many-many quirks). Kernel sockets, and divert(4) as well, all use finite reassembly space for packets destined to this machine. This is not a problem with natd(8) as it is not so fast, but for more intensive solutions with in-kernel libalias a better solution should be found. -- WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]