Date: Wed, 13 Jun 2018 23:28:13 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Jeff Kletsky <freebsd@wagsky.com>, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: In-kernel NAT [ipfw] dropping large UDP return packets
Message-ID: <bc3337db-5d39-ccb2-f2f5-fc656d5efbdd@yandex.ru>
In-Reply-To: <b3a04654-7299-0a4d-61d1-ef21c63932b0@wagsky.com>
References: <a00fd38d-a2d1-fcb5-f46a-03ea3fe4d686@wagsky.com> <48e750c1-e38c-5376-a937-dcbb2d871256@yandex.ru> <b3a04654-7299-0a4d-61d1-ef21c63932b0@wagsky.com>

On 13.06.2018 23:04, Jeff Kletsky wrote:
>> The kernel version of libalias uses m_megapullup() function to make
>> single contiguous buffer. m_megapullup() uses m_get2() function to
>> allocate mbuf of appropriate size. If size of packet greater than 4k it
>> will fail. So, if you use MTU greater than 4k or if after fragments
>> reassembly you get a packet with length greater than 4k, ipfw_nat()
>> function will drop this packet.
>>
> Thanks!!
>
> Mystery solved...
>
> /usr/src/sys/netinet/libalias/alias.c
>
> #ifdef _KERNEL
> /*
>  * m_megapullup() - this function is a big hack.
>  * Thankfully, it's only used in ng_nat and ipfw+nat.
>
> suggests that the "old school" approach of natd might resolve this. I'll
> give it a try when I'm close enough to the box to resolve it when I make
> a configuration error.

I didn't look at the rest of libalias, but you, probably, can improve
this hack to use 9k or 16k mbufs. You can replace m_get2() call in
m_megapullup() with the following code:

	if (len <= MJUMPAGESIZE)
		mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR);
	else if (len <= MJUM9BYTES)
		mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES);
	else if (len <= MJUM16BYTES)
		mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES);
	else
		goto bad;

-- 
WBR, Andrey V. Elsukov
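
The size-class selection from the reply above, modelled in userland C as an added example (not code from this thread or from FreeBSD): it shows a datagram reassembled from two fragments being dropped under a 4k ceiling and passing once 9k and 16k buffers are allowed. `struct seg`, `pick_class`, `pullup_model` and `passes_nat` are hypothetical names, and the constants assume the FreeBSD cluster sizes on a platform with 4 KiB pages.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed: FreeBSD cluster sizes on a platform with 4 KiB pages. */
#define MJUMPAGESIZE 4096
#define MJUM9BYTES   (9 * 1024)
#define MJUM16BYTES  (16 * 1024)
/* Hypothetical userland stand-in for one mbuf in a chain. */
struct seg { const unsigned char *data; size_t len; const struct seg *next; };

/* Buffer class for a len-byte packet, or 0 (drop). limit is the largest class
 * allowed: MJUMPAGESIZE models the 4k ceiling, MJUM16BYTES the suggested code. */
static size_t pick_class(size_t len, size_t limit) {
    static const size_t classes[] = { MJUMPAGESIZE, MJUM9BYTES, MJUM16BYTES };
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        if (classes[i] <= limit && len <= classes[i]) return classes[i];
    return 0;
}

/* Flatten a chain into one contiguous buffer; NULL means the packet is dropped. */
static unsigned char *pullup_model(const struct seg *c, size_t limit, size_t *outlen) {
    size_t len = 0, off = 0;
    for (const struct seg *s = c; s != NULL; len += s->len, s = s->next)
        if (s->len > MJUM16BYTES - len) return NULL; /* too big; also stops wraparound */
    size_t cls = pick_class(len, limit);
    unsigned char *buf = cls ? malloc(cls) : NULL;
    if (buf == NULL) return NULL;
    for (const struct seg *s = c; s != NULL; off += s->len, s = s->next)
        memcpy(buf + off, s->data, s->len);
    *outlen = len;
    return buf;
}

/* Constructed input: total bytes in two fragments. 1 = flattened intact, 0 = dropped. */
int passes_nat(size_t total, size_t limit) {
    static unsigned char payload[MJUM16BYTES + 1];
    if (total > sizeof(payload)) return 0;
    for (size_t i = 0; i < total; i++) payload[i] = (unsigned char)i;
    struct seg tail = { payload + total / 2, total - total / 2, NULL };
    struct seg head = { payload, total / 2, &tail };
    size_t n = 0;
    unsigned char *flat = pullup_model(&head, limit, &n);
    int ok = flat != NULL && n == total && memcmp(flat, payload, total) == 0;
    free(flat);
    return ok;
}

int main(void) {
    printf("8000 bytes: 4k ceiling=%d, 16k ceiling=%d\n",
           passes_nat(8000, MJUMPAGESIZE), passes_nat(8000, MJUM16BYTES));
    return 0;
}
```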