From owner-freebsd-net@freebsd.org Sun Aug 30 17:28:25 2015
Date: Sun, 30 Aug 2015 20:23:13 +0300
From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: freebsd-net@freebsd.org
Subject: Re: Issues with MASQUERADE and FreeBSD router.
In-reply-to: <55DEC2BC.8030800@ngtech.co.il>
References: <55DDEA51.8010902@ngtech.co.il> <55DEC2BC.8030800@ngtech.co.il>
Message-id: <55E33C01.8040507@ngtech.co.il>
List-Id: Networking and TCP/IP with FreeBSD

As a reference to this issue, the bugzilla report at:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059#c9

The issue is that packet checksums are being corrupted and therefore
cannot be accepted by the TCP stack of the destination machine.
The issue might also affect UDP.
*The issue only affects packets that are being routed through the FreeBSD
box and not regular sockets.*
The exact same issue was there in OpenBSD 5.7 and on current (5.8) it got fixed.

Eliezer

On 27/08/2015 10:56, Eliezer Croitoru wrote:
> I added a filter rule to iptables with an INVALID reject match and any
> packet that is being passed through the FreeBSD router is being marked by
> iptables as INVALID.
> An example of an INVALID packet:
> http://ngtech.co.il/nat_issue/proxy2.pcap
>
> Eliezer
>
> On 26/08/2015 21:24, Eliezer Croitoru wrote:
>> Hey lists,
>>
>> I had a similar issue in the past but now I have found the combination
>> which results in the issue.
>> My topology is between two KVM hosts.
>> Server is on KVM1, ip address 192.168.10.1/24
>> Another whole network on the KVM2.
>> And the traffic is:
>> client 192.168.11.2/24 --> R1 - 192.168.11.254/24
>> R1 192.168.15.1/24 --> R2(NAT SERVER) 192.168.15.254/24
>> R3 eth4 NATed(masquerade) 192.168.10.179/24 --> Server 192.168.10.1/24
>>
>> The above is what is supposed to happen and the reality is that
>> 192.168.10.1 receives a packet but from 192.168.11.2.
>>
>> I can reproduce the issue successfully replacing the R1 server from a
>> Linux box to a FreeBSD 10.1 box (FreeBSD causes the issue).
>> The routers I have used are:
>> CentOS 7
>> VYOS 1.6
>>
>> It is the same for both and I can reproduce the issue successfully.
>>
>> I have also tested the R1 replaced with:
>> VYOS 1.7
>> CENTOS 7
>> DEBIAN 8
>> vSRX
>> FreeBSD 4.11 with e1000 card, works fine.
>> FreeBSD 10.1(amd64) with e1000 card, works fine.
>> *FreeBSD 10.1(amd64) with virtio card, has an issue.*
>>
>> Now I am trying to figure out if it's a netfilter issue or a FreeBSD
>> virtio driver issue and if so what might be the direction to get this
>> issue fixed.
>>
>> Tcpdump captures on the NAT router of different packets and sessions are
>> here:
>> http://ngtech.co.il/nat_issue/
>>
>> If the issue is probably with the FreeBSD virtio drivers why would the
>> MASQUERADE pass the packet to the destination server?
>>
>> Thanks,
>> Eliezer
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
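Since the thread's claim is that forwarded packets leave the FreeBSD virtio router with corrupted checksums (which is exactly what makes netfilter classify them as INVALID), the first thing a practitioner would do with the linked captures is verify the IP and TCP/UDP sums of every frame. The following is an added example, not code from the thread, from FreeBSD or from netfilter: a standard-library-only Python script that reads a classic libpcap file with Ethernet link type and reports each IPv4 frame whose IP, TCP or UDP checksum does not verify. With no argument it runs on a constructed pair of frames using the thread's addresses (the port 3128 and the MAC addresses are made-up sample values), one valid and one with a single bit of the TCP window field flipped.

```python
"""Audit IPv4/TCP/UDP checksums in an Ethernet capture (stdlib only).

Added example for this thread, not code from the page or from FreeBSD.
Reads classic libpcap files (not pcapng) with Ethernet link type, so the
captures linked in the mail can be checked offline for corrupted sums."""
import struct
import sys

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_frame(frame: bytes) -> dict:
    """Verify the IP header sum and, for TCP/UDP, the transport sum of one frame.

    ip_ok / l4_ok are True, False, or None when not applicable (non-IPv4,
    other protocols, or a UDP datagram that legitimately carries sum 0)."""
    result = {"proto": None, "ip_ok": None, "l4_ok": None, "src": None, "dst": None}
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return result  # VLAN-tagged, ARP, IPv6 etc. are not handled here
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    result.update(proto=proto, src=".".join(map(str, src)), dst=".".join(map(str, dst)))
    # A correct header, checksum field included, sums to 0xFFFF, so the
    # complemented sum is zero.
    result["ip_ok"] = ones_complement_sum(ip[:ihl]) == 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        segment = ip[ihl:total_len]
        if proto == IPPROTO_UDP and segment[6:8] == b"\x00\x00":
            return result  # UDP over IPv4 may omit the checksum entirely
        pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
        result["l4_ok"] = ones_complement_sum(pseudo + segment) == 0
    return result


def audit_frames(frames) -> list:
    """Return (index, src, dst, proto) for every frame with a failing checksum."""
    bad = []
    for i, frame in enumerate(frames):
        r = check_frame(frame)
        if r["ip_ok"] is False or r["l4_ok"] is False:
            bad.append((i, r["src"], r["dst"], r["proto"]))
    return bad


def iter_pcap_frames(path: str):
    """Yield raw frames from a classic libpcap file with Ethernet link type."""
    with open(path, "rb") as f:
        magic = f.read(4)
        endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(magic)
        if endian is None:
            raise ValueError("not a classic microsecond pcap file (pcapng unsupported)")
        linktype = struct.unpack(endian + "HHiIII", f.read(20))[5]
        if linktype != 1:
            raise ValueError("only Ethernet (linktype 1) captures are handled")
        while len(rec := f.read(16)) == 16:
            incl_len = struct.unpack(endian + "IIII", rec)[2]
            yield f.read(incl_len)


def build_ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: a minimal Ethernet/IPv4/TCP SYN with correct sums."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # sport, dport, seq, ack, data offset (5 words), flags SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
           + struct.pack("!H", ETHERTYPE_IPV4))  # made-up locally administered MACs
    return eth + ip + tcp


if __name__ == "__main__":
    if len(sys.argv) > 1:
        frames = list(iter_pcap_frames(sys.argv[1]))
    else:
        # Constructed pair mirroring the thread's addresses (port 3128 is made up):
        # the second copy has one bit of the TCP window field (frame byte 48) flipped.
        good = build_ipv4_tcp_frame("192.168.11.2", "192.168.10.1", 40000, 3128)
        frames = [good, good[:48] + bytes([good[48] ^ 0x01]) + good[49:]]
    for idx, src, dst, proto in audit_frames(frames):
        print(f"frame {idx}: {src} -> {dst} proto {proto}: checksum does not verify")
```

Run it as `python3 csum_audit.py proxy2.pcap` against a capture. One caveat when interpreting the result: a capture taken on the host that transmits the frame will show bad TCP/UDP sums for every segment whose checksum is offloaded to the NIC, because tcpdump sees the buffer before the hardware fills the field in; only failures in a capture taken on the receiving side (or on a separate tap) are the symptom the thread describes. A common follow-up test, not one suggested in the thread, is to repeat the capture with checksum offload disabled on the virtio interface (`ifconfig vtnet0 -txcsum -rxcsum`) and see whether the forwarded frames then verify.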