Date:      Fri, 22 Dec 2006 10:17:52 +0200
From:      Rostislav Krasny <rosti.bsd@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Long ICMP echo through NAT
Message-ID:  <20061222101752.b068b95c.rosti.bsd@gmail.com>

Hi there,

I've found the following problem, which looks like a PF bug. My router is
an i386 box running FreeBSD 6.2-PRERELEASE. I update it to the latest
RELENG_6 about once a week. It's doing NAT by the following PF rule:

nat on $ext_if from $int_if:network to any -> ($ext_if)

Accidentally I've found the following problem:

This is on the router
======================================================================
mercury# ping -Ds 1472 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1472 data bytes
1480 bytes from 204.152.191.5: icmp_seq=0 ttl=52 time=360.800 ms
1480 bytes from 204.152.191.5: icmp_seq=1 ttl=52 time=359.268 ms
1480 bytes from 204.152.191.5: icmp_seq=2 ttl=52 time=357.721 ms

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 357.721/359.263/360.800/1.257 ms
======================================================================

And this is on another computer in my LAN
======================================================================
saturn# ping -Ds 1472 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1472 data bytes

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
saturn# ping -Ds 1465 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1465 data bytes

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
saturn# ping -Ds 1464 -c 3 204.152.191.5
PING 204.152.191.5 (204.152.191.5): 1464 data bytes
1472 bytes from 204.152.191.5: icmp_seq=0 ttl=51 time=362.138 ms
1472 bytes from 204.152.191.5: icmp_seq=1 ttl=51 time=360.834 ms
1472 bytes from 204.152.191.5: icmp_seq=2 ttl=51 time=358.460 ms

--- 204.152.191.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 358.460/360.477/362.138/1.523 ms
======================================================================

Running tcpdump on the router shows that echo requests and echo replies
are always sent and received on the $ext_if but not always sent back from
the $int_if. 1472 - 1464 = 8, which is the ICMP echo header size.
If on the other computer on my LAN I run ping without -D I see the same
problem. The $ext_if and the $int_if are of the same hardware type:

xl0: <3Com 3c905C-TX Fast Etherlink XL> port 0x1080-0x10ff mem 0xf4008000-0xf400807f irq 11 at device 13.0 on pci0
miibus0: <MII bus> on xl0
xlphy0: <3c905C 10/100 internal PHY> on miibus0
xlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:01:02:ae:e7:fb
xl1: <3Com 3c905C-TX Fast Etherlink XL> port 0x1400-0x147f mem 0xf4008400-0xf400847f irq 10 at device 15.0 on pci0
miibus1: <MII bus> on xl1
xlphy1: <3c905C 10/100 internal PHY> on miibus1
xlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto


