From owner-freebsd-ipfw@freebsd.org Mon Jun 18 03:29:15 2018 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 60E6810146CA; Mon, 18 Jun 2018 03:29:15 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EF8AA6BB64; Mon, 18 Jun 2018 03:29:14 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from Julian-MBP3.local (203-59-175-75.dyn.iinet.net.au [203.59.175.75]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id w5I3T8So082945 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sun, 17 Jun 2018 20:29:12 -0700 (PDT) (envelope-from julian@freebsd.org) Subject: Re: In-kernel NAT [ipfw] dropping large UDP return packets To: Michael Sierchio , "freebsd-net@freebsd.org" , "freebsd-ipfw@freebsd.org" References: <918b13e0-aef5-add2-6f5c-530bb5850a3a@wagsky.com> From: Julian Elischer Message-ID: Date: Mon, 18 Jun 2018 11:29:03 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Jun 2018 03:29:15 -0000 On 14/6/18 1:41 am, Michael Sierchio wrote: > I see you have a case of Netgraph. Perhaps Julian will chime in. well I'm reading but not got any specific ideas at the moment.. Netgraph itself has no requirements on packet size or even contents. a node may however have some. > > On Wed, Jun 13, 2018 at 10:32 AM, Jeff Kletsky wrote: > >> On 6/13/18 10:22 AM, Michael Sierchio wrote: >> >> On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky wrote: >>> When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel >>> >>>> to the T-Mobile provisioning servers, the reassembled, 4640-byte return >>>> packet is silently dropped by the in-kernel NAT, even though it "matches" >>>> the outbound packet from less than 100 ms prior. >>>> >>> >>> Do you have a 'reass' rule before applying nat on inbound traffic? >>> >>> - M >>> >> Yes, at the start of the rule set. >> >> Reassembly confirmed to be working by wireshark examination of the ngtee >> "taps" shown >> >> $ sudo ipfw list >> 00001 deny ip from any to any recv ng* >> 00004 ngtee 100 ip from any to any proto udp dst-port 500,4500 in >> 00004 ngtee 100 ip from any to any proto udp frag in >> 00004 ngtee 110 ip from any to any proto udp dst-port 500,4500 out >> 00004 ngtee 110 ip from any to any proto udp frag out >> 00005 reass ip from any to any >> 00006 ngtee 101 ip from any to any proto udp dst-port 500,4500 in // >> reassembled in >> 00006 ngtee 101 ip from any to any proto udp frag in // never should be >> frags after reass >> 00006 ngtee 111 ip from any to any proto udp dst-port 500,4500 out // >> reass out >> 00006 ngtee 111 ip from any to any proto udp frag out // never should be >> frage after reass >> [...] >> >> >> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >> > >