Date: Wed, 1 Nov 2017 14:17:33 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: freebsd-net@freebsd.org, Viktor Dukhovni <freebsd@dukhovni.org>
Subject: Re: FreeBSD 11.1-RELEASE: Kernel panic in ipv6_output() via tcp6_usr_connect()
Message-ID: <94e12e46-f54a-ae22-3f4c-0bd9ac7e1fc9@yandex.ru>
In-Reply-To: <DAB7BA87-49E8-483D-8837-FA3D32711AF1@dukhovni.org>
References: <FCC0833F-AA88-4F27-9DA3-4FA1218C49DB@dukhovni.org> <86dcc06d-b98c-cc1f-8726-8afb011871e3@yandex.ru> <DAB7BA87-49E8-483D-8837-FA3D32711AF1@dukhovni.org>

On 31.10.2017 19:40, Viktor Dukhovni wrote:
>> can you show your nat rules?
>
> Sure, igb0 is outside, igb1 is inside, the external IP
> address is 100.2.39.101/24, the internal is 192.168.1.1/24.
> The machine is the DNS server for the inside network and
> does not NAT DNS traffic (makes thousands of DNS queries
> per second when doing DANE scans, and would quickly exhaust
> the state tables). I also don't NAT NTP, or TCP 22/88 to
> the server. There's no IPv6 on the internal network, so
> at present the IPv6 rules are rudimentary, just anti-spoof
> the loopback interface and boilerplate ICMP6 rules.

> # NAT the rest
> ipfw nat 1 config if "$oif" unreg_only reset same_ports
> ipfw add nat 1 ip from any to any via "$oif"

Just a theory, can you try changing this rule to be like this:

	ipfw add nat 1 ip4 from any to any via "$oif"

From first glance I don't see any restrictions in libalias/nat44 to not
try to translate an IPv6 packet assuming it as IPv4.

-- 
WBR, Andrey V. Elsukov
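
The theory in the message above, as an added illustration that is not part of the original e-mail and is not libalias or ipfw code: a hypothetical `nat44_precheck` guard that refuses anything other than a well-formed IPv4 header before IPv4-only translation, next to what an unguarded IPv4 parser would read from an IPv6 header. All function names and both sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of checking a raw L3 packet before handing it to an IPv4-only NAT. */
enum nat44_verdict { NAT44_OK, NAT44_SHORT, NAT44_NOT_IPV4, NAT44_BAD_IHL, NAT44_BAD_LEN };

/* Hypothetical guard (an assumption, not a libalias function). */
static enum nat44_verdict nat44_precheck(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return NAT44_SHORT;            /* shorter than a minimal IPv4 header */
    if ((pkt[0] >> 4) != 4)
        return NAT44_NOT_IPV4;         /* version nibble is 6 for IPv6 */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return NAT44_BAD_IHL;          /* IHL below minimum or past the buffer */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot < hlen || tot > len)
        return NAT44_BAD_LEN;          /* total length inconsistent with buffer */
    return NAT44_OK;
}

/* Header length, in bytes, that a parser assuming IPv4 would take from byte 0. */
static size_t naive_ipv4_hlen(const uint8_t *pkt)
{
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Constructed sample: bare 40-byte IPv6 header, next header TCP, ::1 -> ::1. */
static const uint8_t sample_v6[40] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x40, [23] = 1, [39] = 1
};

/* Constructed sample: bare 20-byte IPv4 header, 192.0.2.1 -> 198.51.100.1
 * (checksum left at zero; the guard does not verify it). */
static const uint8_t sample_v4[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 1
};

int main(void)
{
    printf("v6: verdict=%d, naive IPv4 header length=%zu bytes\n",
           (int)nat44_precheck(sample_v6, sizeof sample_v6), naive_ipv4_hlen(sample_v6));
    printf("v4: verdict=%d\n", (int)nat44_precheck(sample_v4, sizeof sample_v4));
    return 0;
}
```

Read as IPv4, the first byte of the IPv6 header (0x60) gives a header length of zero, which is why the version check has to come before any IPv4 field is trusted.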