Date: Thu, 12 Jul 2001 12:41:52 +0300
From: Ruslan Ermilov
To: Bohuslav Plucinsky
Cc: freebsd-net@freebsd.org, freebsd-questions@freebsd.org, suutari@iki.fi
Subject: Re: natd and ICMP 3.4 packets
Message-ID: <20010712124152.A80584@sunbay.com>
References: <20010710110934.D1048@in.nextra.sk>
In-Reply-To: <20010710110934.D1048@in.nextra.sk>; from plk@in.nextra.sk on Tue, Jul 10, 2001 at 11:09:34AM +0200

On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> Hi there,
>
> I have a strange problem with natd and ICMP 3.4 (destination unreachable/
> fragmentation needed) packets.
>
> Situation:
>
> - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
>   xl0 interface has public address 195.168.x.x
>   xl1 interface is connected to our intranet with private addr 10.10.1.1
>   ipfw show:
>   00100 0 0 allow ip from any to any via lo0
>   ...
>   09200 0 0 divert 8668 ip from any to any via xl0
>   09300 0 0 allow ip from any to any
>
>   natd is running with arguments: natd -n xl0
>
> - behind the FreeBSD box is a Cisco router with a GRE tunnel
>
>
>                  195.168.x.x
>              xl0 ---------  xl1       10.10.1.0/24 (MTU 1500)
>        -------| FreeBSD |------------------------------------------------------....
>                ---------                 |
>                ipfw +NAT                 |
>                                          |
>                                          | 10.10.1.2
>                                      ----------
>                                      | CISCO 1 |
>                                      ----------
>                                          ||
>                                          ||
>                                          || GRE tunnel (MTU 1476)
>                                          ||
>                                          ||
>                                          ||
>                                      ----------
>                                      | CISCO 2 |
>                                      ----------
>                                          |        10.10.20.0/24           ----
>                                          ---------------------------------| PC |
>                                                                           ----
>                                                                         10.10.20.2
>
> Problem:
>
> If the Cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
> natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
> There is a tcpdump on the xl1 interface:
>
> 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
>
> and on the xl0 interface:
>
> 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
>                 ^^^^^^^^^                        ^^^^^^^^^^^
> Is this a bug in natd, or did I make a mistake in the configuration?
>
This is intentional.

: RCS file: /home/ncvs/src/lib/libalias/alias.c,v
: Working file: alias.c
: head: 1.29
: branch:
: locks: strict
: access list:
: keyword substitution: kv
: total revisions: 41;	selected revisions: 1
: description:
: ----------------------------
: revision 1.23
: date: 2000/09/01 09:32:44;  author: ru;  state: Exp;  lines: +23 -13
: Changed the way we handle outgoing ICMP error messages -- do
: not alias `ip_src' unless it comes from the host an original
: datagram that triggered this error message was destined for.
:
: PR:		20712
: Reviewed by:	brian, Charles Mott
: =============================================================================

I.e., the original IP datagram that caused this ICMP error message was
not destined for CISCO 1.  (The original datagram's header should be
visible with tcpdump -vv).  Please see PR 20712 for details.
Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
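An added Python model of the rule in the commit log above (this is not libalias code, and it has no link table; the NAT map and the public address 195.168.1.1, a stand-in for 195.168.x.x, are constructed). It rebuilds the ICMP 3.4 packet from the thread and runs it through the rule, so the outer source stays 10.10.1.2 while the quoted datagram's source becomes the public address, matching the xl0 capture; it also runs the other branch, where the NATed host itself sends the error and the outer source is aliased. The rule is assumed to compare the outer source against the quoted destination as received, before translation.

```python
import struct
from ipaddress import IPv4Address

def checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_cksum(buf: bytes, off: int, end=None) -> bytes:
    # Zero the 16-bit checksum field at buf[off] and refill it, summing buf[:end]
    z = buf[:off] + b"\0\0" + buf[off + 2:]
    return z[:off] + struct.pack("!H", checksum(z[:end])) + z[off + 2:]

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header (no options) in front of payload
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                    proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return with_cksum(h, 10) + payload

def icmp_error(typ: int, code: int, mtu: int, quoted: bytes) -> bytes:
    # ICMP error header (type, code, cksum, unused, next-hop MTU) + quoted datagram
    return with_cksum(struct.pack("!BBHHH", typ, code, 0, 0, mtu) + quoted, 2)

def alias_icmp_error_out(pkt: bytes, nat: dict) -> bytes:
    """Model of the libalias rev 1.23 rule; nat maps private addr -> public alias."""
    a, p = (lambda b: str(IPv4Address(bytes(b)))), (lambda s: IPv4Address(s).packed)
    outer, inner = pkt[:20], pkt[28:]            # 20-byte IP header, 8-byte ICMP header
    outer_src, inner_dst = a(outer[12:16]), a(inner[16:20])
    # Quoted datagram: always alias a NATed address so the remote end recognises the flow
    for off in (12, 16):
        if a(inner[off:off + 4]) in nat:
            inner = inner[:off] + p(nat[a(inner[off:off + 4])]) + inner[off + 4:]
    inner = with_cksum(inner, 10, 20)
    # Outer ip_src: alias it only if the error came from the host the quoted datagram
    # was addressed to; an intermediate router (CISCO 1 here) keeps its own address
    if outer_src == inner_dst and outer_src in nat:
        outer = with_cksum(outer[:12] + p(nat[outer_src]) + outer[16:], 10)
    return outer + with_cksum(pkt[20:28] + inner, 2)

NAT = {"10.10.20.2": "195.168.1.1"}  # constructed; 195.168.1.1 stands in for 195.168.x.x
# Thread's case: CISCO 1 (10.10.1.2) reports need-to-frag for 10.10.20.2 -> 195.168.3.210
FROM_ROUTER = ipv4("10.10.1.2", "195.168.3.210", 1, icmp_error(
    3, 4, 1476, ipv4("10.10.20.2", "195.168.3.210", 6, b"\0" * 8)))
# Other branch of the rule: the NATed host itself reports port unreachable (3.3)
FROM_HOST = ipv4("10.10.20.2", "195.168.3.210", 1, icmp_error(
    3, 3, 0, ipv4("195.168.3.210", "10.10.20.2", 17, b"\0" * 8)))
```

Bytes 12-16 of the result are the outer source, bytes 40-44 and 44-48 the quoted datagram's source and destination.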