Date:      Thu, 12 Jul 2001 12:41:52 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Bohuslav Plucinsky <plk@in.nextra.sk>
Cc:        freebsd-net@freebsd.org, freebsd-questions@freebsd.org, suutari@iki.fi
Subject:   Re: natd and ICMP 3.4 packets
Message-ID:  <20010712124152.A80584@sunbay.com>
In-Reply-To: <20010710110934.D1048@in.nextra.sk>; from plk@in.nextra.sk on Tue, Jul 10, 2001 at 11:09:34AM +0200
References:  <20010710110934.D1048@in.nextra.sk>

On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> Hi there,
> 
> I have a strange problem with natd and ICMP 3.4 (destination unreachable/
> fragmentation needed) packets.
> 
> Situation:
> 
>   - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
>     xl0 interface has public address 195.168.x.x
>     xl1 interface is connected to our intranet with private addr 10.10.1.1
>     ipfw show:
>        00100       0          0 allow ip from any to any via lo0
>        ...
>        09200       0          0 divert 8668 ip from any to any via xl0
>        09300       0          0 allow ip from any to any
> 
>     natd is running with arguments: natd -n xl0
> 
>   - behind the FreeBSD box is a Cisco router with a GRE tunnel
> 
> 
>  195.168.x.x
>      xl0 ---------  xl1                          10.10.1.0/24 (MTU 1500)
>  -------| FreeBSD |------------------------------------------------------.... 
>          ---------               |
>         ipfw +NAT                |
>                                  |
>                                  |  10.10.1.2
>                              ----------
>                             |  CISCO 1 |
>                              ----------
>                                 ||
>                                 ||
>                                 ||  GRE tunnel (MTU 1476)
>                                 ||
>                                 ||
>                                 ||
>                              ----------
>                             |  CISCO 2 |
>                              ----------
>                                  |           10.10.20.0/24         ----
>                                  ---------------------------------| PC |
>                                                                    ----
>                                                                 10.10.20.2
> 
> Problem:
> 
>     If the Cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
>     natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
>     Here is a tcpdump on the xl1 interface:
> 
> 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
> 
>    and on xl0 interface:
> 
> 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
>                 ^^^^^^^^^                        ^^^^^^^^^^^
>    Is this a bug in natd, or am I making some mistake in the configuration?
> 
This is intentional.

: RCS file: /home/ncvs/src/lib/libalias/alias.c,v
: Working file: alias.c
: head: 1.29
: branch:
: locks: strict
: access list:
: keyword substitution: kv
: total revisions: 41;	selected revisions: 1
: description:
: ----------------------------
: revision 1.23
: date: 2000/09/01 09:32:44;  author: ru;  state: Exp;  lines: +23 -13
: Changed the way we handle outgoing ICMP error messages -- do
: not alias `ip_src' unless it comes from the host an original
: datagram that triggered this error message was destined for.
: 
: PR:		20712
: Reviewed by:	brian, Charles Mott <cmott@scientech.com>
: =============================================================================

I.e., the original IP datagram that caused this ICMP error message
was not destined for CISCO 1.  (The original datagram's header should
be visible with tcpdump -vv.)

Please see PR 20712 for details.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
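The rule from libalias revision 1.23 quoted above, modelled as an added example (this is not libalias code and not part of the original thread): an outgoing ICMP "need to frag" error carries the header of the original datagram, so natd aliases the embedded destination (10.10.20.2 becomes the xl0 address) so the remote host can match the error against the packet it sent, but leaves the outer ip_src alone unless the error was generated by the very host the original datagram was addressed to. The packet bytes are constructed inline; 195.168.0.1 is a constructed stand-in for the masked 195.168.x.x address, and the other addresses are the ones in the tcpdump lines. The router case reproduces what the xl0 capture shows, and the second case shows the outer source being aliased as well.

```python
import struct
import ipaddress

# Addresses from the thread; 195.168.x.x is masked there, so PUBLIC is a constructed stand-in.
ROUTER  = "10.10.1.2"      # CISCO 1, which generated the ICMP 3/4 error
PRIVATE = "10.10.20.2"     # host the original (too-big) datagram was destined for
PUBLIC  = "195.168.0.1"    # constructed stand-in for the xl0 address 195.168.x.x
REMOTE  = "195.168.3.210"  # Internet host that sent the original datagram


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (0 when data already carries a valid one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ip_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_frag_needed(src: str, dst: str, inner_src: str, inner_dst: str, mtu: int) -> bytes:
    """Outgoing ICMP type 3 code 4 quoting the original datagram's IP header plus 8 payload bytes."""
    # The original datagram is modelled as a 1500-byte TCP segment (proto 6); 8 dummy payload bytes.
    inner = ip_header(_addr(inner_src), _addr(inner_dst), 6, 1500) + bytes(8)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ip_header(_addr(src), _addr(dst), 1, 20 + len(icmp)) + icmp


def _readdr(hdr: bytes, src: bytes, dst: bytes) -> bytes:
    """Replace the addresses of a 20-byte IPv4 header and recompute its checksum."""
    h = hdr[:10] + b"\x00\x00" + src + dst
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]


def alias_outgoing_icmp_error(pkt: bytes, public: str) -> bytes:
    """Model of the libalias r1.23 rule for an outgoing ICMP error message.

    - The embedded original datagram's destination (a private host) is always
      rewritten to the public alias, so the remote host recognises its own packet.
    - The outer ip_src is rewritten only when it equals that original destination,
      i.e. when the error came from the host the datagram was for, not from a router.
    Layout assumed: 20-byte outer header, 8-byte ICMP header, 20-byte inner header.
    """
    pub = _addr(public)
    outer, icmp = pkt[:20], pkt[20:]
    inner = icmp[8:28]
    original_dst = inner[16:20]
    new_inner = _readdr(inner, inner[12:16], pub)
    new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_inner + icmp[28:]
    new_icmp = new_icmp[:2] + struct.pack("!H", inet_checksum(new_icmp)) + new_icmp[4:]
    outer_src = pub if outer[12:16] == original_dst else outer[12:16]
    return _readdr(outer, outer_src, outer[16:20]) + new_icmp


def describe(pkt: bytes) -> tuple:
    """(outer src, outer dst, quoted inner dst): the three addresses the tcpdump lines print."""
    fmt = lambda b: str(ipaddress.IPv4Address(b))
    return fmt(pkt[12:16]), fmt(pkt[16:20]), fmt(pkt[44:48])


def checksums_ok(pkt: bytes) -> bool:
    """True when the outer IP, ICMP and quoted inner IP checksums all verify."""
    return (inet_checksum(pkt[:20]) == 0 and inet_checksum(pkt[20:]) == 0
            and inet_checksum(pkt[28:48]) == 0)


if __name__ == "__main__":
    for who in (ROUTER, PRIVATE):
        before = icmp_frag_needed(who, REMOTE, REMOTE, PRIVATE, 1476)
        after = alias_outgoing_icmp_error(before, PUBLIC)
        for label, p in (("xl1", before), ("xl0", after)):
            s, d, q = describe(p)
            print("%s: %s > %s: icmp: %s unreachable - need to frag (mtu 1476)" % (label, s, d, q))
```

The first pair of lines printed is the router case from the thread: the outer source stays 10.10.1.2 on xl0 while the quoted destination becomes the public address, exactly what the second tcpdump shows. The remote host only needs the quoted header to be correct for path MTU discovery to work; whether the outer source is the router's private address or the alias does not affect that.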
