Subject: Re: In-kernel NAT [ipfw] dropping large UDP return packets
From: Jeff Kletsky
To: "Andrey V. Elsukov", Jeff Kletsky, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2018 16:44:53 -0700

On 6/13/18 1:28 PM, Andrey V. Elsukov wrote:
> On 13.06.2018 23:04, Jeff Kletsky wrote:
>>> The kernel version of libalias uses m_megapullup() function to make
>>> single contiguous buffer. m_megapullup() uses m_get2() function to
>>> allocate mbuf of appropriate size. If size of packet greater than 4k it
>>> will fail. So, if you use MTU greater than 4k or if after fragments
>>> reassembly you get a packet with length greater than 4k, ipfw_nat()
>>> function will drop this packet.
>>>
>> Thanks!!
>>
>> Mystery solved...
>>
>> /usr/src/sys/netinet/libalias/alias.c
>>
>> #ifdef _KERNEL
>> /*
>>  * m_megapullup() - this function is a big hack.
>>  * Thankfully, it's only used in ng_nat and ipfw+nat.
>>
>> suggests that the "old school" approach of natd might resolve this. I'll
>> give it a try when I'm close enough to the box to resolve it when I make
>> a configuration error.
> I didn't look at the rest of libalias, but you, probably, can improve
> this hack to use 9k or 16k mbufs.
You can replace m_get2() call in > m_megapullup() with the following code: > > if (len <= MJUMPAGESIZE) > mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR); > else if (len <= MJUM9BYTES) > mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES); > else if (len <= MJUM16BYTES) > mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES); > else > goto bad; > Tested and "works for me" on 11.1-RELEASE-p10 with GENERIC kernconf 8< --- alias.c.orig    2017-07-20 16:42:02.000000000 -0700 +++ alias.c    2018-06-13 15:41:46.862121000 -0700 @@ -1758,7 +1758,14 @@      if (m->m_next == NULL && M_WRITABLE(m))          return (m); -    mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR); +    if (len <= MJUMPAGESIZE) +        mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR); +    else if (len <= MJUM9BYTES) +        mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES); +    else if (len <= MJUM16BYTES) +        mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES); +    else +        goto bad;      if (mcl == NULL)          goto bad;      m_align(mcl, len); >8 Thanks again! Jeff
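
Review bot: The final `else goto bad;` branch in the @@ -1758 hunk still drops any packet longer than MJUM16BYTES without a trace, and nothing in the hunk documents that limit. Since the thread attributes the original drops to reassembled packets exceeding what m_get2() can allocate, the same failure remains reachable for larger reassembled datagrams, only at a higher threshold. Add a comment above the if/else chain stating the maximum length m_megapullup() now supports and that longer packets are discarded, so the next person debugging dropped NAT traffic finds the limit in the source. The explicit `else goto bad;` could also be replaced by setting `mcl = NULL` and letting the unchanged `if (mcl == NULL) goto bad;` check that follows handle both the oversize and the allocation-failure cases in one place. Note that the new branches still allocate with M_NOWAIT, so packets between MJUMPAGESIZE and MJUM16BYTES will continue to be dropped whenever a jumbo cluster is not immediately available.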