From: Dr Josef Karthauser
Date: Fri, 8 Apr 2016 00:16:19 +0100
Subject: Re: IPFW with NAT : Problems with duplicate packets on FreeBSD 10.3-RC3
To: FreeBSD Stable
Cc: freebsd-net@freebsd.org

> On 8 Apr 2016, at 00:11, Dr Josef Karthauser wrote:
>
>> On 7 Apr 2016, at 17:08, Dr Josef Karthauser wrote:
>>
>> Looks like the first packet is being retransmitted, which means that the nat is probably misconfigured and the TCP connection is broken in some strange way.
>>
>> Does anyone have a clue as to where to look? The ipfw rules are simple enough - what have I missed?
>
> Ok, the packet definitely isn’t being retransmitted. I’ve done a tcpdump/pcap capture and taken a look and I get a packet that I’ve included below.
>
> It’s got a 'HTTP/1.1 200 OK' inserted mid-flow right in the middle of an HTTP response. Looking at this I’d be inclined to think it’s a bug in the webserver/tomcat, however, what’s strange is that if I 'curl' the jailed web server directly from the host machine on the private IP address (bypassing the NAT), the HTTP response received is perfectly fine. It’s only when I do an HTTP request to the public IP address and go through the NAT that I experience the problem.
>
> How could this happen? Is it a buggy packet reassembly in the kernel perhaps?
>

Adding: "ipfw add reass all from any to any" to the beginning of the ipfw rule set doesn’t make any difference to the behaviour.

Joe