Date: Fri, 9 Dec 2016 21:23:01 -0600 From: Karl Denninger <karl@denninger.net> To: freebsd-ipfw@freebsd.org Subject: Re: IPFW problem with passing IPSEC through in-kernel NAT Message-ID: <d3bfafc7-c4ad-7984-546b-6b95f8d6d577@denninger.net> In-Reply-To: <01fbc965-f5bc-0f62-eb89-02e097e03cf7@denninger.net> References: <099203a1-f601-bb79-548d-27c62fcbf556@denninger.net> <005b34c8-2217-fa06-5584-6999022481a3@denninger.net> <156E272C-0EFA-4A15-8544-C580AAEB6033@obsigna.com> <01fbc965-f5bc-0f62-eb89-02e097e03cf7@denninger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format. --------------ms090906050805080905000008 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 12/9/2016 07:16, Karl Denninger wrote: > On 12/9/2016 06:18, Dr. Rolf Jansen wrote: >>> Am 09.12.2016 um 02:11 schrieb Karl Denninger <karl@denninger.net>: >>> ... >>> Some more information on this issue.... I suspect that something is >>> getting mangled somewhere in the IP stack, perhaps related to hardwar= e >>> checksumming or similar -- or in the ipfw code. >> I had always ran into IPsec-NAT-UDP checksumming issues since I starte= d working with FreeBSD, that tim v8.0. With a rather simple change in the= respective kernel source file at least my issue can be resolved. This ma= y be related to your issue or even not, anyway, I guess it is worth to gi= ve it a try. >> >> I am now running FreeBSD 11-RELEASE-p5. On line 462 of file /usr/src/s= ys/netinet/udp_usrreq.c, I replaced: >> >> if (uh->uh_sum) { >> >> with: >> >> if (uh->uh_sum && >> uh->uh_dport !=3D htons(1701) && >> uh->uh_dport !=3D htons(4500)) { >> >> This effectively skips extended UDP checksumming for certain UDP ports= -- here the L2TP and IPsec-NAT-T ports. When I investigated the issue, I= found in one related RFC, that IPsec-NAT-T isn't supposed to do UDP chec= ksumming on the encapsulated packets anyway, and my patch enforces this b= ehaviour. >> >> Best regards >> >> Rolf >> > In this case is that I never get to the use of port 4500 (there are no > packets emitted on that port that I can find); the initial key exchange= > on port 500 is failing, and in-kernel NAT appears to be involved in som= e > fashion because I'm getting inside addresses that are (in some cases) > not being NATted at all despite the fact that as far as I can tell they= > *should* be. > > I'm going to spend some time refactoring the IPFW rule set to > compartmentalize the various paths through it more-fully. Perhaps that= > will shed some more light on the problem, or at least make > more-reasonable an attempt to trace it. > I have completely re-factored the IPFW rule set that I am using here (it was formerly built on top of the "Simple" config in /etc/rc.firewall) to be completely stand-alone and the problem has disappeared. Bottom line -- this appears to have been some sort of problem with the rule set rather than ipfw itself. --=20 Karl Denninger karl@denninger.net <mailto:karl@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/ --------------ms090906050805080905000008 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC Bl8wggZbMIIEQ6ADAgECAgEpMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJVUzEQMA4G A1UECBMHRmxvcmlkYTESMBAGA1UEBxMJTmljZXZpbGxlMRkwFwYDVQQKExBDdWRhIFN5c3Rl bXMgTExDMRwwGgYDVQQDExNDdWRhIFN5c3RlbXMgTExDIENBMSIwIAYJKoZIhvcNAQkBFhND dWRhIFN5c3RlbXMgTExDIENBMB4XDTE1MDQyMTAyMjE1OVoXDTIwMDQxOTAyMjE1OVowWjEL MAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExGTAXBgNVBAoTEEN1ZGEgU3lzdGVtcyBM TEMxHjAcBgNVBAMTFUthcmwgRGVubmluZ2VyIChPQ1NQKTCCAiIwDQYJKoZIhvcNAQEBBQAD ggIPADCCAgoCggIBALmEWPhAdphrWd4K5VTvE5pxL3blRQPyGF3ApjUjgtavqU1Y8pbI3Byg XDj2/Uz9Si8XVj/kNbKEjkRh5SsNvx3Fc0oQ1uVjyCq7zC/kctF7yLzQbvWnU4grAPZ3IuAp 3/fFxIVaXpxEdKmyZAVDhk9az+IgHH43rdJRIMzxJ5vqQMb+n2EjadVqiGPbtG9aZEImlq7f IYDTnKyToi23PAnkPwwT+q1IkI2DTvf2jzWrhLR5DTX0fUYC0nxlHWbjgpiapyJWtR7K2YQO aevQb/3vN9gSojT2h+cBem7QIj6U69rEYcEDvPyCMXEV9VcXdcmW42LSRsPvZcBHFkWAJqMZ Myiz4kumaP+s+cIDaXitR/szoqDKGSHM4CPAZV9Yh8asvxQL5uDxz5wvLPgS5yS8K/o7zDR5 vNkMCyfYQuR6PAJxVOk5Arqvj9lfP3JSVapwbr01CoWDBkpuJlKfpQIEeC/pcCBKknllbMYq yHBO2TipLyO5Ocd1nhN/nOsO+C+j31lQHfOMRZaPQykXVPWG5BbhWT7ttX4vy5hOW6yJgeT/ o3apynlp1cEavkQRS8uJHoQszF6KIrQMID/JfySWvVQ4ksnfzwB2lRomrdrwnQ4eG/HBS+0l eozwOJNDIBlAP+hLe8A5oWZgooIIK/SulUAsfI6Sgd8dTZTTYmlhAgMBAAGjgfQwgfEwNwYI KwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8vY3VkYXN5c3RlbXMubmV0Ojg4ODgw CQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIB DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUxRyULenJaFwX RtT79aNmIB/u5VkwHwYDVR0jBBgwFoAUJHGbnYV9/N3dvbDKkpQDofrTbTUwHQYDVR0RBBYw FIESa2FybEBkZW5uaW5nZXIubmV0MA0GCSqGSIb3DQEBCwUAA4ICAQBPf3cYtmKowmGIYsm6 eBinJu7QVWvxi1vqnBz3KE+HapqoIZS8/PolB/hwiY0UAE1RsjBJ7yEjihVRwummSBvkoOyf G30uPn4yg4vbJkR9lTz8d21fPshWETa6DBh2jx2Qf13LZpr3Pj2fTtlu6xMYKzg7cSDgd2bO sJGH/rcvva9Spkx5Vfq0RyOrYph9boshRN3D4tbWgBAcX9POdXCVfJONDxhfBuPHsJ6vEmPb An+XL5Yl26XYFPiODQ+Qbk44Ot1kt9s7oS3dVUrh92Qv0G3J3DF+Vt6C15nED+f+bk4gScu+ JHT7RjEmfa18GT8DcT//D1zEke1Ymhb41JH+GyZchDRWtjxsS5OBFMzrju7d264zJUFtX7iJ 3xvpKN7VcZKNtB6dLShj3v/XDsQVQWXmR/1YKWZ93C3LpRs2Y5nYdn6gEOpL/WfQFThtfnat HNc7fNs5vjotaYpBl5H8+VCautKbGOs219uQbhGZLYTv6okuKcY8W+4EJEtK0xB08vqr9Jd0 FS9MGjQE++GWo+5eQxFt6nUENHbVYnsr6bYPQsZH0CRNycgTG9MwY/UIXOf4W034UpR82TBG 1LiMsYfb8ahQJhs3wdf1nzipIjRwoZKT1vGXh/cj3gwSr64GfenURBxaFZA5O1acOZUjPrRT n3ci4McYW/0WVVA3lDGCBRMwggUPAgEBMIGWMIGQMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH RmxvcmlkYTESMBAGA1UEBxMJTmljZXZpbGxlMRkwFwYDVQQKExBDdWRhIFN5c3RlbXMgTExD MRwwGgYDVQQDExNDdWRhIFN5c3RlbXMgTExDIENBMSIwIAYJKoZIhvcNAQkBFhNDdWRhIFN5 c3RlbXMgTExDIENBAgEpMA0GCWCGSAFlAwQCAwUAoIICTTAYBgkqhkiG9w0BCQMxCwYJKoZI hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjEyMTAwMzIzMDFaME8GCSqGSIb3DQEJBDFCBEDI 1bOF8mB0n7DNPZyg5ujC8xWVTch0GfMWpUzQ/C1gsgFFDQicXtaR/w9VW2Qkb1qJu43Bmz5g GpRC4jEtCjjfMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAK BggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYI KoZIhvcNAwICASgwgacGCSsGAQQBgjcQBDGBmTCBljCBkDELMAkGA1UEBhMCVVMxEDAOBgNV BAgTB0Zsb3JpZGExEjAQBgNVBAcTCU5pY2V2aWxsZTEZMBcGA1UEChMQQ3VkYSBTeXN0ZW1z IExMQzEcMBoGA1UEAxMTQ3VkYSBTeXN0ZW1zIExMQyBDQTEiMCAGCSqGSIb3DQEJARYTQ3Vk YSBTeXN0ZW1zIExMQyBDQQIBKTCBqQYLKoZIhvcNAQkQAgsxgZmggZYwgZAxCzAJBgNVBAYT AlVTMRAwDgYDVQQIEwdGbG9yaWRhMRIwEAYDVQQHEwlOaWNldmlsbGUxGTAXBgNVBAoTEEN1 ZGEgU3lzdGVtcyBMTEMxHDAaBgNVBAMTE0N1ZGEgU3lzdGVtcyBMTEMgQ0ExIjAgBgkqhkiG 9w0BCQEWE0N1ZGEgU3lzdGVtcyBMTEMgQ0ECASkwDQYJKoZIhvcNAQEBBQAEggIAAX1uLFpi 2scUfsKL9d3xcwtmbeKb2Nsb4PIKR9tm9HnmvqPG1oZvGkxKXvySqBnMvKxpPJo1oY0Nd7uS s6Gw6GXV57Eczh7TH/GhE1KE85UEugwN7QWXL4bwyKQonJmjKrU62wkpW4y3M9BTu0JQAmEL SIuCokQM86Og2W3L7PZgIk5BHxWk3XMURTdAz4aIkOk9HlTi3C68Wf/DP+qM/enFxmdrZQVj t3eoqS7GmNfzbIMSVDNglvYg1bI/P7oVPHAp41OL82Ch0sGeCrTiU2YSA3wqzpDt9IIb4YuV RK2Z0LWhipBLg15AUiEoTbRFWEtMYxXZ9df+dJ0cA/lOJwuKJ1P1iAqUGTW+xL4fQj7tGi/h DyRlKzlAnJzR6M0HlwLazVELaohLTyHzYMW6t9VkT8YwzHa8I63tJ279wVfVdbm/mZrgo1KV KWe1RbwsR5+jk/4WZaCbCJzD+EkOCyKWmRMqmWAA0LgSyrJpsLBd2M79zjo/AB8ZsQGAijl3 ekYWVUHQbGlvCfcyM/VuSmKg+MfZdkocxKtLWPXnmhvBsIJ2zsgaAWjLLb8GTLMYe0G3BoZZ kB0xdwBilfoJ3sJILCLVoG8ElpwE6hDVaA+68ileZHvMoEa9K3X1jheo+zstZK3QPRjUTi4S cutMRWbp+aSt43iiV5XaHW97JQ0AAAAAAAA= --------------ms090906050805080905000008--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d3bfafc7-c4ad-7984-546b-6b95f8d6d577>