Date: Wed, 13 Jun 2018 22:21:59 +0000
From: bugzilla-noreply@freebsd.org
To: doc@FreeBSD.org
Subject: [Bug 229003] [ipfw][ng_ipfw] In-kernel NAT Has "Undocumented" 4k Packet-size Limit
Message-ID: <bug-229003-9@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229003

            Bug ID: 229003
           Summary: [ipfw][ng_ipfw] In-kernel NAT Has "Undocumented" 4k Packet-size Limit
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Documentation
          Assignee: doc@FreeBSD.org
          Reporter: jeff+freebsd@wagsky.com

After much debugging, it was found that large packets (over 4k) were silently dropped by the in-kernel NAT used by ipfw and ng_ipfw. This is not documented on the man page for ipfw or ng_ipfw.

Suggested resolution:

* Update the two man pages to document the limitation
* Suggest on those man pages that, if large packets are potentially to be NAT-ed, reassembled or from "jumbo frames", natd be used rather than in-kernel NAT

As revealed by Andrey V. Elsukov on freebsd-net and freebsd-ipfw on 2018-06-13:

"The kernel version of libalias uses the m_megapullup() function to make a single contiguous buffer. m_megapullup() uses the m_get2() function to allocate an mbuf of the appropriate size. If the size of the packet is greater than 4k it will fail. So, if you use an MTU greater than 4k or if after fragment reassembly you get a packet with length greater than 4k, the ipfw_nat() function will drop this packet."

Examining the code in /usr/src/sys/netinet/libalias/alias.c:

    #ifdef _KERNEL
    /*
     * m_megapullup() - this function is a big hack.
     * Thankfully, it's only used in ng_nat and ipfw+nat.

-- 
You are receiving this mail because:
You are the assignee for the bug.
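To make the failure path described above concrete, here is a userland model of the flattening step, added to this page as an illustration; it is not the kernel's code and not part of the bug report. It copies an mbuf chain into one contiguous buffer the way m_megapullup() does, choosing the buffer class the way m_get2() does (header mbuf, 2k cluster, 4k page-sized cluster, and nothing above that). The MHLEN/MCLBYTES/MJUMPAGESIZE values are the amd64 ones from sys/param.h and sys/mbuf.h; struct mbuf_chain and the model_* functions are this example's own names.

```c
/* Userland model (added example, not FreeBSD kernel code) of the
 * m_megapullup()/m_get2() path that in-kernel libalias runs before NAT,
 * showing where a packet longer than 4 KiB is dropped.
 * Constants below are the amd64 values; the mbuf_chain/model_* names are
 * this example's own, not kernel identifiers. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MHLEN         168   /* data bytes in a packet-header mbuf (amd64) */
#define MCLBYTES      2048  /* regular cluster */
#define MJUMPAGESIZE  4096  /* page-sized jumbo cluster: largest m_get2() hands out */

/* Simplified mbuf chain link: data pointer, length, next. */
struct mbuf_chain {
    const unsigned char *data;
    size_t len;
    struct mbuf_chain *next;
};

/* Model of m_get2()'s class selection: smallest class that fits `size`,
 * or 0 when the request exceeds MJUMPAGESIZE (the kernel returns NULL). */
size_t model_class_for(size_t size)
{
    if (size <= MHLEN)        return MHLEN;
    if (size <= MCLBYTES)     return MCLBYTES;
    if (size <= MJUMPAGESIZE) return MJUMPAGESIZE;
    return 0;                 /* the 4k limit the report is about */
}

/* Model of m_megapullup(): copy the whole chain into one contiguous buffer.
 * Returns NULL when no buffer class fits; the NAT caller then drops the packet. */
unsigned char *model_megapullup(const struct mbuf_chain *m, size_t *out_len)
{
    size_t total = 0;
    for (const struct mbuf_chain *p = m; p != NULL; p = p->next)
        total += p->len;

    size_t cls = model_class_for(total);
    if (cls == 0)
        return NULL;

    unsigned char *buf = malloc(cls);
    if (buf == NULL)
        return NULL;
    size_t off = 0;
    for (const struct mbuf_chain *p = m; p != NULL; p = p->next) {
        memcpy(buf + off, p->data, p->len);
        off += p->len;
    }
    *out_len = total;
    return buf;
}

/* Build a constructed packet of pkt_len bytes, split it into a chain of
 * seg_len-byte links (as fragment reassembly would leave it), and report
 * whether the pullup step keeps it intact.  seg_len must be > 0. */
bool model_nat_accepts(size_t pkt_len, size_t seg_len)
{
    unsigned char *payload = malloc(pkt_len ? pkt_len : 1);
    for (size_t i = 0; i < pkt_len; i++)
        payload[i] = (unsigned char)(i & 0xff);   /* constructed pattern */

    size_t nseg = (pkt_len + seg_len - 1) / seg_len;
    struct mbuf_chain *chain = calloc(nseg ? nseg : 1, sizeof *chain);
    for (size_t i = 0; i < nseg; i++) {
        chain[i].data = payload + i * seg_len;
        chain[i].len  = (i + 1 == nseg) ? pkt_len - i * seg_len : seg_len;
        chain[i].next = (i + 1 < nseg) ? &chain[i + 1] : NULL;
    }

    size_t out_len = 0;
    unsigned char *flat = model_megapullup(nseg ? chain : NULL, &out_len);
    bool ok = flat != NULL && out_len == pkt_len &&
              memcmp(flat, payload, pkt_len) == 0;
    free(flat);
    free(chain);
    free(payload);
    return ok;
}

int main(void)
{
    const size_t lens[] = { 1500, 4096, 4097, 9000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%5zu-byte packet in 1500-byte links: %s\n", lens[i],
               model_nat_accepts(lens[i], 1500) ? "passes pullup" : "DROPPED");
    return 0;
}
```

The model always copies; the real m_megapullup() first returns the mbuf untouched when it is already a single writable mbuf, so what is shown is the chained case (fragment reassembly, or a receive path that delivers a chain), which is the case the report describes. Anything that totals more than MJUMPAGESIZE bytes gets no buffer and is dropped before libalias sees it.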