From: George Mamalakis <mamalos@eng.auth.gr>
Date: Thu, 09 Aug 2012 10:15:13 +0300
To: pyunyh@gmail.com
Cc: stable@freebsd.org
Subject: Re: pf nat fails on msk0 from packets deriving from a jail interface
Message-ID: <50236381.1010502@eng.auth.gr>
In-Reply-To: <20120809170031.GB3019@michelle.cdnetworks.com>
References: <50224E85.2040707@eng.auth.gr> <20120809170031.GB3019@michelle.cdnetworks.com>
List-Id: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

On 08/09/12 20:00, YongHyeon PYUN wrote:
> On Wed, Aug 08, 2012 at 02:33:25PM +0300, George Mamalakis wrote:
>> Hi all,
>>
>> Suddenly I am facing a problem on a new PC, using a configuration that I
>> have been using on more than 10 servers for the last few years. The only
>> thing that I find that differs from my other configurations is the NIC
>> of the PC. If not, I must be missing something very trivial.
>>
>> I have built a jail on this PC, following the handbook's guidelines
>> (section: application of jails). The PC has one NIC, msk0, where I run
>> pf on (built into my kernel; I have already tried using the module). My
>> pf.conf is as simple as possible:
>>
>> # cat /etc/pf.conf
>>
>> nat on msk0 from any to any -> 10.0.3.6
>> pass quick all
>>
>> When I jexec inside the jail, and pf is running, I am unable to reach
>> any machine except my jail (not even the host). If pf is off, the
>> network works just fine (of course my router knows where to find my
>> jail's subnet).
>>
>> What is strange is that if I tcpdump on msk0, then a few seconds after
>> I request something from within the jail, I see the packets going
>> and coming on msk0 using the correct IP (the NAT IP), but it seems that
>> the machine fails to route them back inside the jail.
> I guess this is the same issue reported in kern/170081.
> Some msk(4) controllers lack full hardware checksum offloading
> capability, such that the pseudo checksum should be computed by the
> upper layer. It seems pf(4) NAT was broken for controllers that lack
> pseudo checksumming. This indicates the following ethernet
> controllers do not work with pf(4) NAT:
> sk(4), msk(4), fxp(4), hme(4) and gem(4)
>
> Try disabling RX checksum offloading as a work-around.
> #ifconfig msk0 -rxcsum
>

You were absolutely right! Once I disabled RX checksum offloading -as you
suggested- everything started working just fine. Since this issue has been
reported already, I will not send a bug report.

Thanx again!

-- 
George Mamalakis

IT and Security Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
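As an added check that is not part of the thread and not FreeBSD's own tooling: the work-around above only takes effect while `ifconfig` no longer lists RXCSUM in the interface's options, and it is lost on reboot unless it is also put into /etc/rc.conf. The POSIX sh script below parses `ifconfig`-style output for the RXCSUM capability and prints the two commands needed. The `ifconfig msk0` sample is constructed (10.0.3.6 is the NAT address from the thread; the MAC, flags and netmask are made up), and the rc.conf address/netmask it prints are assumptions to be replaced with the host's real settings. On a live FreeBSD host, call `check_iface msk0 "$(ifconfig msk0)"` instead of passing the sample.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a FreeBSD NIC still has
# receive checksum offloading (RXCSUM) enabled, the condition the thread ties
# to broken pf(4) NAT on msk(4), and print the work-around commands.
# All parsing works on a text argument so it can run offline on a sample.

# Constructed sample of `ifconfig msk0` output with RXCSUM enabled.
# (10.0.3.6 is the NAT address from the thread; everything else is made up.)
SAMPLE_IFCONFIG='msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:11:22:33:44:55
	inet 10.0.3.6 netmask 0xffffff00 broadcast 10.0.3.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active'

# iface_options IFCONFIG_TEXT -> one capability name per line, taken from the
# "options=<hex><NAME,NAME,...>" line of ifconfig output.
iface_options() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*$/\1/p' |
        tr ',' '\n'
}

# rxcsum_enabled IFCONFIG_TEXT -> exit 0 if RXCSUM is listed, 1 otherwise.
# -x matches the whole line, so VLAN_HWCSUM or TXCSUM do not count as a hit.
rxcsum_enabled() {
    iface_options "$1" | grep -qx 'RXCSUM'
}

# fix_commands IFNAME -> the runtime work-around from the thread plus an
# rc.conf line that keeps it across reboots. Address and netmask are assumed.
fix_commands() {
    cat <<EOF
ifconfig $1 -rxcsum
# add to /etc/rc.conf (replace the assumed address/netmask with yours):
ifconfig_$1="inet 10.0.3.6 netmask 255.255.255.0 -rxcsum"
EOF
}

# check_iface IFNAME IFCONFIG_TEXT -> returns 0 and prints the commands when
# the interface needs the work-around, returns 1 when RXCSUM is already off.
check_iface() {
    if rxcsum_enabled "$2"; then
        echo "$1: RXCSUM is enabled; pf NAT may break on this NIC. Run:"
        fix_commands "$1"
        return 0
    fi
    echo "$1: RXCSUM already disabled"
    return 1
}

# Run against the constructed sample; on a real host use "$(ifconfig msk0)".
check_iface msk0 "$SAMPLE_IFCONFIG"
```

After applying the commands, re-run `ifconfig msk0` and confirm RXCSUM is gone from the options list before retesting NAT from the jail. Checksums for received packets are then verified in software, so this is a work-around for the driver limitation the thread describes, not a fix for the pf(4) issue tracked in kern/170081.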