From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Jeff Kletsky, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: In-kernel NAT [ipfw] dropping large UDP return packets
Date: Wed, 13 Jun 2018 22:01:03 +0300
Message-ID: <48e750c1-e38c-5376-a937-dcbb2d871256@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On 13.06.2018 20:16, Jeff Kletsky wrote:
> When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC
> tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte
> return packet is silently dropped by the in-kernel NAT, even though it
> "matches" the outbound packet from less than 100 ms prior.
> Are there known causes and/or resolutions for this behavior?
>
> Is there a way to be able to "monitor" the NAT table?
>
> (I didn't see anything obvious in the ipfw, natd, or libalias man pages.)

The kernel version of libalias uses the m_megapullup() function to make a
single contiguous buffer.
m_megapullup() uses the m_get2() function to allocate an mbuf of the
appropriate size. If the size of the packet is greater than 4k, it will fail.
So, if you use an MTU greater than 4k, or if after fragment reassembly you
get a packet with length greater than 4k, the ipfw_nat() function will drop
this packet.

-- 
WBR, Andrey V. Elsukov
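To make the failure mode described in the reply above concrete, here is an added userland model of the m_megapullup()/m_get2() path. It is not FreeBSD kernel code and not part of the original message: a chain of fragments is summed, a single buffer is requested for the total, and the request is refused once the total exceeds the page-sized cluster, so nothing is ever copied and the packet is dropped. The constants MCLBYTES (2048) and MJUMPAGESIZE (4096) are assumed to match FreeBSD/amd64; struct frag, model_m_get2(), model_megapullup(), make_chain() and pullup_result() are illustrative names, not kernel symbols, and the small-mbuf (MLEN/MHLEN) case of the real m_get2() is collapsed into the 2k cluster class. The fragment payloads are constructed test data.

```c
/* Added userland model of the m_megapullup()/m_get2() size limit from the
 * thread. Not FreeBSD kernel code; the real functions live in
 * sys/netpfil/ipfw/ip_fw_nat.c and sys/kern/uipc_mbuf.c.
 * Constants are assumed to match FreeBSD/amd64. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MCLBYTES      2048   /* assumed: standard mbuf cluster */
#define MJUMPAGESIZE  4096   /* assumed: page-sized jumbo cluster (PAGE_SIZE) */

/* Minimal stand-in for one mbuf in a chain: payload plus next pointer. */
struct frag {
    unsigned char *data;
    size_t len;
    struct frag *next;
};

/* Mirrors the size-class decision in m_get2(): a single cluster is handed
 * out up to MJUMPAGESIZE; anything larger is refused (kernel returns NULL,
 * modelled here as 0). Small-mbuf cases are folded into the 2k class. */
size_t model_m_get2(size_t size)
{
    if (size <= MCLBYTES)
        return MCLBYTES;
    if (size <= MJUMPAGESIZE)
        return MJUMPAGESIZE;
    return 0;
}

/* Total payload across the chain, like m_length(). */
size_t chain_length(const struct frag *f)
{
    size_t n = 0;
    for (; f != NULL; f = f->next)
        n += f->len;
    return n;
}

/* Model of m_megapullup(): get one contiguous buffer large enough for the
 * whole chain, then copy the chain into it. Returns the contiguous length,
 * or -1 when the allocation step fails (the silent drop in the report).
 * On success *out is malloc'd and must be freed by the caller. */
long model_megapullup(const struct frag *chain, unsigned char **out)
{
    size_t len = chain_length(chain);
    size_t cluster = model_m_get2(len);

    *out = NULL;
    if (cluster == 0)
        return -1;               /* ipfw_nat() frees the packet here */

    unsigned char *buf = malloc(cluster);
    if (buf == NULL)
        return -1;
    size_t off = 0;
    for (const struct frag *f = chain; f != NULL; f = f->next) {
        memcpy(buf + off, f->data, f->len);
        off += f->len;
    }
    *out = buf;
    return (long)off;
}

/* Constructed test input: `count` fragments of `fraglen` bytes, fragment i
 * filled with the byte 'A' + i so the copy can be verified afterwards. */
struct frag *make_chain(size_t count, size_t fraglen)
{
    struct frag *head = NULL, **tail = &head;
    for (size_t i = 0; i < count; i++) {
        struct frag *f = malloc(sizeof(*f));
        f->data = malloc(fraglen);
        memset(f->data, (int)('A' + i), fraglen);
        f->len = fraglen;
        f->next = NULL;
        *tail = f;
        tail = &f->next;
    }
    return head;
}

void free_chain(struct frag *f)
{
    while (f != NULL) {
        struct frag *n = f->next;
        free(f->data);
        free(f);
        f = n;
    }
}

/* Pull up a chain of count x fraglen bytes; -1 = dropped, -2 = copy wrong,
 * otherwise the contiguous length. */
long pullup_result(size_t count, size_t fraglen)
{
    struct frag *c = make_chain(count, fraglen);
    unsigned char *buf;
    long r = model_megapullup(c, &buf);
    if (r > 0 && (buf[0] != 'A' || buf[r - 1] != (unsigned char)('A' + count - 1)))
        r = -2;
    free(buf);
    free_chain(c);
    return r;
}

int main(void)
{
    /* 4 x 1160 = the 4640-byte reassembled packet from the report. */
    printf("4640 bytes: %ld\n", pullup_result(4, 1160));
    /* An MTU-sized 1500-byte datagram fits in a 2k cluster. */
    printf("1500 bytes: %ld\n", pullup_result(2, 750));
    /* 4096 bytes is the largest request the model will serve. */
    printf("4096 bytes: %ld\n", pullup_result(4, 1024));
    return 0;
}
```

Run stand-alone it reports -1 for the 4640-byte case and the contiguous length for totals up to 4096. The point worth noticing is where the failure sits: when the allocation step refuses, the fragment chain is never even copied, so the outcome is decided purely by the size class the allocator is willing to hand out, not by anything in the NAT state or the reassembly that produced the chain.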