Date:      Wed, 13 Jun 2018 22:01:03 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Jeff Kletsky <freebsd@wagsky.com>, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: In-kernel NAT [ipfw] dropping large UDP return packets
Message-ID:  <48e750c1-e38c-5376-a937-dcbb2d871256@yandex.ru>
In-Reply-To: <a00fd38d-a2d1-fcb5-f46a-03ea3fe4d686@wagsky.com>
References:  <a00fd38d-a2d1-fcb5-f46a-03ea3fe4d686@wagsky.com>

On 13.06.2018 20:16, Jeff Kletsky wrote:
> When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC
> tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte
> return packet is silently dropped by the in-kernel NAT, even though it
> "matches" the outbound packet from less than 100 ms prior.
> Are there known causes and/or resolutions for this behavior?
> 
> Is there a way to be able to "monitor" the NAT table?
> 
> (I didn't see anything obvious in the ipfw, natd, or libalias man pages.)

The kernel version of libalias uses the m_megapullup() function to make
a single contiguous buffer. m_megapullup() uses the m_get2() function to
allocate an mbuf of the appropriate size. If the size of the packet is
greater than 4k, it will fail. So, if you use an MTU greater than 4k, or
if after fragment reassembly you get a packet with a length greater than
4k, the ipfw_nat() function will drop this packet.

-- 
WBR, Andrey V. Elsukov
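The drop path described in the reply above, as an added illustration that is not FreeBSD's code and not part of the original thread: a simplified C model of m_megapullup() and the m_get2() size cap, with the 4k limit taken as an assumption from the e-mail, and `mbuf_model`, `model_megapullup()` and `nat_passes()` as hypothetical names.

```c
/* Added model of the drop path described above, not FreeBSD's own code: an mbuf
 * chain is a linked list of buffers and the 4k cap on m_get2() is assumed. */
#include <stdlib.h>
#include <string.h>
#define MODEL_PAGE_SIZE 4096   /* assumed: largest allocation m_get2() serves */
struct mbuf_model {
    size_t len;                /* bytes held in this buffer */
    char *data;
    struct mbuf_model *next;   /* next fragment in the chain */
};
/* Model of m_megapullup(): copy the chain into one contiguous buffer. The
 * m_get2() step refuses anything over one page; that NULL makes ipfw_nat() drop. */
static char *model_megapullup(const struct mbuf_model *m)
{
    const struct mbuf_model *p;
    size_t off = 0, total = 0;
    char *buf;
    for (p = m; p != NULL; p = p->next)
        total += p->len;
    if (total > MODEL_PAGE_SIZE || (buf = malloc(total)) == NULL)
        return NULL;                   /* m_get2() failure */
    for (p = m; p != NULL; p = p->next) {
        memcpy(buf + off, p->data, p->len);
        off += p->len;
    }
    return buf;
}
/* Build `len` bytes from `frag`-byte fragments (frag > 0); 1 = NAT passes, 0 = drop. */
int nat_passes(size_t len, size_t frag)
{
    struct mbuf_model *head = NULL, **tail = &head, *p;
    size_t left;
    char *buf;
    int ok;
    for (left = len; left > 0; left -= p->len, tail = &p->next) {
        *tail = p = calloc(1, sizeof(*p));
        p->len = left < frag ? left : frag;
        p->data = calloc(p->len, 1);   /* constructed payload: all zeros */
    }
    buf = model_megapullup(head);
    ok = buf != NULL;
    free(buf);
    for (p = head; p != NULL; p = head) {   /* release the constructed chain */
        head = p->next;
        free(p->data);
        free(p);
    }
    return ok;
}
```

With 1500-byte Ethernet fragments, the 4640-byte packet from the report reassembles above the page limit and is refused, while anything up to 4096 bytes passes.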