Date: Mon, 17 Mar 2008 09:30:04 GMT
From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/121743: ipfw in-kernel nat loses fragmented packets
Message-ID: <200803170930.m2H9U49r047045@freefall.freebsd.org>
The following reply was made to PR kern/121743; it has been noted by GNATS.

From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: Alexander Zagrebin <alexz@visp.ru>
Cc: bug-followup@freebsd.org
Subject: Re: kern/121743: ipfw in-kernel nat loses fragmented packets
Date: Mon, 17 Mar 2008 15:19:38 +0600

Hi Alexander Zagrebin!

On Sat, 15 Mar 2008 18:47:03 GMT; Alexander Zagrebin <alexz@visp.ru> wrote:

>>Fix: > --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300 > +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300 > @@ -3568,7 +3568,8 @@ > else > retval = LibAliasOut(t->lib, c, > MCLBYTES); > - if (retval != PKT_ALIAS_OK) { > + if (retval != PKT_ALIAS_OK && > + retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) { > /* XXX - should i add some logging? */ > m_free(mcl); > badnat:

This is not so simple to fix, as the LibAlias API requires the caller to save packet fragments somewhere and then at some time to feed them all back. And the kernel infrastructure currently is not so suitable for that packet storage.

As a workaround you can currently send packets with some ipfw rule before NAT to a divert socket on which ng_ksocket listens and returns packets back with ng_echo (thus packets won't leave the kernel), as divert sockets do packet reassembly.

--
WBR, Vadim Goncharov. ICQ#166852181
mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
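Review bot: In the return-value check after LibAliasOut() in sys/netinet/ip_fw2.c, adding PKT_ALIAS_FOUND_HEADER_FRAGMENT to the accepted codes keeps the header fragment off the m_free(mcl)/badnat path, but nothing in this hunk saves the remaining fragments or feeds them back to LibAlias later, which the reply in this message says the API expects from the caller, so the other fragments of the same datagram are not covered by this change. If the condition stays in this form, a comment beside it should say why this return code is treated as success, and the open "/* XXX - should i add some logging? */" on the failure path is worth resolving with a log message or counter so that packets freed here are not dropped silently.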