From: Dr Josef Karthauser <joe@truespeed.com>
Date: Thu, 7 Apr 2016 17:08:38 +0100
Subject: IPFW with NAT : Problems with duplicate packets on FreeBSD 10.3-RC3
To: FreeBSD Stable
Cc: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

I'm scratching my head with an IPFW / NAT configuration; could someone please throw me a bone?

I've got a jail, and I'm NATing using IPFW to connect it to the outside world.
In particular I'm forwarding port 8080 from the host's public address to the jail's private address.

When I pull an HTTP connection from port publicip:8080 I get the first packet of the TCP stream twice, and then the HTTP connection fails. That ought not to happen :(.

The firewall rule is very simple

nat 1 config if vlan10 reset redirect_port tcp 10.17.0.16:8080 8080 // NAT for jails - forward to portal on 8080
nat 1 ip from any to any via vlan10 in
nat 1 ip from any to any via vlan10 out
add allow ip from any to any

If I tcpdump on the host:

# tcpdump -i vlan10 port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
17:02:02.478760 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [S], seq 3088565770, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 672977930 ecr 0,sackOK,eol], length 0
17:02:02.478797 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [S.], seq 425576427, ack 3088565771, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1035319863 ecr 672977930], length 0
17:02:02.480137 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 1, win 4117, options [nop,nop,TS val 672977931 ecr 1035319863], length 0
17:02:02.480393 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [P.], seq 1:86, ack 1, win 4117, options [nop,nop,TS val 672977931 ecr 1035319863], length 85
17:02:02.714225 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [P.], seq 1:86, ack 1, win 4117, options [nop,nop,TS val 672978161 ecr 1035319863], length 85
17:02:02.975220 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [P.], seq 1:86, ack 1, win 4117, options [nop,nop,TS val 672978421 ecr 1035319863], length 85
17:02:02.975239 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 1:1449, ack 86, win 1040, options [nop,nop,TS val 1035320360 ecr 672977931], length 1448
17:02:03.079324 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 1449, win 4096, options [nop,nop,TS val 672978522 ecr 1035320360], length 0
17:02:03.079336 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 1449:4345, ack 86, win 1040, options [nop,nop,TS val 1035320464 ecr 672978522], length 2896
17:02:03.080931 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 4345, win 4050, options [nop,nop,TS val 672978523 ecr 1035320464], length 0
17:02:03.578732 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 4345:5793, ack 86, win 1040, options [nop,nop,TS val 1035320963 ecr 672978523], length 1448
17:02:03.725858 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 5793, win 4096, options [nop,nop,TS val 672979158 ecr 1035320963], length 0
17:02:03.725888 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 5793:8689, ack 86, win 1040, options [nop,nop,TS val 1035321110 ecr 672979158], length 2896
17:02:03.727352 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 8689, win 4050, options [nop,nop,TS val 672979159 ecr 1035321110], length 0
17:02:04.260416 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 8689:10137, ack 86, win 1040, options [nop,nop,TS val 1035321645 ecr 672979159], length 1448
17:02:04.340844 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 10137, win 4096, options [nop,nop,TS val 672979770 ecr 1035321645], length 0
17:02:04.340855 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 10137:13033, ack 86, win 1040, options [nop,nop,TS val 1035321725 ecr 672979770], length 2896
17:02:04.342775 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [F.], seq 86, ack 11585, win 4096, options [nop,nop,TS val 672979771 ecr 1035321725], length 0
17:02:04.342803 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 13033:15929, ack 87, win 1040, options [nop,nop,TS val 1035321727 ecr 672979771], length 2896
17:02:04.343154 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [R], seq 3088565856, win 0, length 0
17:02:04.344440 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [R], seq 3088565857, win 0, length 0
17:02:04.344740 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [R], seq 3088565857, win 0, length 0

And the client doing the http request gets:

phoenix:~ joe$ curl -v http://X.X.X.216:8080/
*   Trying 31.210.26.216...
* Connected to X.X.X.216 port 8080 (#0)
> GET / HTTP/1.1
> Host: x.x.com:8080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=ISO-8859-1
< Transfer-Encoding: chunked
< Date: Thu, 07 Apr 2016 16:02:02 GMT
<
Apache Tomcat/7.0.68
Home Documentation Configuration Examples Wiki [CUT]

Other Documentation

  • Tomcat Connectors
  • mod_jk Documentation
  • HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 07 Apr 2016 16:02:02 GMT

2000
Apache Tomcat/7.0.68
    [CUT]
    Server Status
* Malformed encoding found in chunked-encoding
* Closing connection 0
curl: (56) Malformed encoding found in chunked-encoding
phoenix:~ joe$

Looks like the first packet is being retransmitted, which means that the nat is probably misconfigured and the TCP connection is broken in some strange way.

Does anyone have a clue as to where to look? The ipfw rules are simple enough - what have I missed?

Thanks,
Joe

p.s. I also have one_pass disabled:

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

—
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com / theTRUESPEED
@theTRUESPEED
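The trace above is read by eye; when a capture is longer than a couple of dozen lines it helps to have a script pull out exactly the symptom being described (the same data segment on the wire more than once, and how long the peer took to acknowledge it). The following is an added example, not code from the post or from FreeBSD. It assumes tcpdump's default one-line IPv4 output as shown in the post (relative sequence numbers after the handshake, "seq a:b", "ack n", "length L"); the sample input is the first eight packets of the post's own capture, embedded inline so the script runs offline. The regex and the report fields are this example's own design, not anything tcpdump or ipfw provide.

```python
"""Flag retransmitted TCP data segments in tcpdump text output.

Added example, not code from the original post. Assumes tcpdump's default
one-line IPv4 format ("host.port > host.port: Flags [..], seq a:b, ack n,
..., length L") with relative sequence numbers after the handshake, as in
the trace quoted in the post.
"""
import re
from collections import defaultdict

# Sample input: the first eight packets of the capture quoted in the post,
# reproduced here so the script runs stand-alone.
SAMPLE_TRACE = """\
17:02:02.478760 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [S], seq 3088565770, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 672977930 ecr 0,sackOK,eol], length 0
17:02:02.478797 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [S.], seq 425576427, ack 3088565771, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1035319863 ecr 672977930], length 0
17:02:02.480137 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 1, win 4117, options [nop,nop,TS val 672977931 ecr 1035319863], length 0
17:02:02.480393 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [P.], seq 1:86, ack 1, win 4117, options [nop,nop,TS val 672977931 ecr 1035319863], length 85
17:02:02.714225 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [P.], seq 1:86, ack 1, win 4117, options [nop,nop,TS val 672978161 ecr 1035319863], length 85
17:02:02.975220 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [P.], seq 1:86, ack 1, win 4117, options [nop,nop,TS val 672978421 ecr 1035319863], length 85
17:02:02.975239 IP X.X.X.216.8080 > X.X.X.211.63289: Flags [.], seq 1:1449, ack 86, win 1040, options [nop,nop,TS val 1035320360 ecr 672977931], length 1448
17:02:03.079324 IP X.X.X.211.63289 > X.X.X.216.8080: Flags [.], ack 1449, win 4096, options [nop,nop,TS val 672978522 ecr 1035320360], length 0
"""

# One tcpdump line: timestamp, endpoints, flags, optional seq/ack, length.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
    r'(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?'
    r'(?:, ack (?P<ack>\d+))?'
    r'.*?, length (?P<len>\d+)$'
)


def ts_to_seconds(ts):
    """'17:02:02.480393' -> seconds since midnight as a float."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    to_int = lambda v: int(v) if v is not None else None
    return {
        'ts': ts_to_seconds(d['ts']), 'ts_str': d['ts'],
        'src': d['src'], 'dst': d['dst'], 'flags': d['flags'],
        'seq': to_int(d['seq']), 'seq_end': to_int(d['seq_end']),
        'ack': to_int(d['ack']), 'len': int(d['len']),
    }


def find_retransmissions(lines):
    """Report every data segment seen more than once in one direction.

    For each such segment the report gives how many copies were on the wire
    and how long after the first copy the other side's ACK covered it.
    """
    pkts = [p for p in (parse_line(l) for l in lines) if p]
    first_seen = {}            # (src, dst, seq, seq_end) -> index of first copy
    copies = defaultdict(int)  # same key -> number of copies
    for i, p in enumerate(pkts):
        if p['len'] == 0 or p['seq'] is None:
            continue           # only payload-carrying segments can be "duplicated data"
        key = (p['src'], p['dst'], p['seq'], p['seq_end'])
        copies[key] += 1
        first_seen.setdefault(key, i)

    report = []
    for key, n in copies.items():
        if n < 2:
            continue
        src, dst, seq, seq_end = key
        i0 = first_seen[key]
        t0 = pkts[i0]['ts']
        # First reverse-direction segment after the original send whose ack
        # number covers the data. SYN/RST lines carry absolute numbers in
        # tcpdump output, so they are excluded from the comparison.
        ack_ts = next((q['ts'] for q in pkts[i0:]
                       if q['src'] == dst and q['dst'] == src
                       and 'S' not in q['flags'] and 'R' not in q['flags']
                       and q['ack'] is not None and q['ack'] >= seq_end), None)
        report.append({
            'flow': f'{src} > {dst}',
            'seq': (seq, seq_end),
            'copies': n,
            'first_sent': pkts[i0]['ts_str'],
            'acked_after_ms': None if ack_ts is None else round((ack_ts - t0) * 1000, 1),
        })
    return report


if __name__ == '__main__':
    for r in find_retransmissions(SAMPLE_TRACE.splitlines()):
        print(f"{r['flow']} seq {r['seq'][0]}:{r['seq'][1]} on the wire "
              f"{r['copies']}x from {r['first_sent']}, "
              f"acked after {r['acked_after_ms']} ms")
```

Run against a full capture with `tcpdump -n -i vlan10 port 8080 | python3 retrans.py` (reading stdin instead of SAMPLE_TRACE); on the post's trace it reports the 85-byte request segment seq 1:86 three times on the wire with the first covering ACK from the 8080 side arriving about 495 ms after the first copy, which separates "the client retransmitted because nothing acknowledged it" from "the same packet was duplicated by the forwarding path", since only the former shows the gap before the ACK.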