From: "Andrey V. Elsukov"
To: freebsd-net@freebsd.org, Viktor Dukhovni
Subject: Re: FreeBSD 11.1-RELEASE: Kernel panic in ipv6_output() via tcp6_usr_connect()
Date: Wed, 1 Nov 2017 14:17:33 +0300
Message-ID: <94e12e46-f54a-ae22-3f4c-0bd9ac7e1fc9@yandex.ru>
References: <86dcc06d-b98c-cc1f-8726-8afb011871e3@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 31.10.2017 19:40, Viktor Dukhovni wrote:
>> can you show your nat rules?
>
> Sure, igb0 is outside, igb1 is inside, the external IP
> address is 100.2.39.101/24, the internal is 192.168.1.1/24.
> The machine is the DNS server for the inside network and
> does not NAT DNS traffic (makes thousands of DNS queries
> per second when doing DANE scans, and would quickly exhaust
> the state tables). I also don't NAT NTP, or TCP 22/88 to
> the server. There's no IPv6 on the internal network, so
> at present the IPv6 rules are rudimentary, just anti-spoof
> the loopback interface and boilerplate ICMP6 rules.

> # NAT the rest
> ipfw nat 1 config if "$oif" unreg_only reset same_ports
> ipfw add nat 1 ip from any to any via "$oif"

Just a theory, can you try changing this rule to be like this:

  ipfw add nat 1 ip4 from any to any via "$oif"

From first glance I don't see any restrictions in libalias/nat44 to not
try to translate an IPv6 packet assuming it as IPv4.

--
WBR, Andrey V. Elsukov
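The kind of restriction the reply above says it did not find, sketched as an added example (not code from FreeBSD, libalias or this thread): check the IP version nibble and the IPv4 length fields before a packet reaches an IPv4-only translator. The names `nat44_gate` and `ipv4_view_hlen`, the verdicts and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts for code that sits in front of an IPv4-only translator. */
enum nat_gate { GATE_TRANSLATE, GATE_BYPASS, GATE_DROP };

/* What an IPv4-only parser would read as the header length, in bytes. */
static size_t ipv4_view_hlen(const uint8_t *pkt)
{
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Hypothetical guard: may this raw L3 packet be handed to IPv4-only NAT? */
static enum nat_gate nat44_gate(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len == 0)
        return GATE_DROP;
    unsigned version = pkt[0] >> 4;
    if (version == 6)
        return GATE_BYPASS;   /* IPv6: leave untouched, never read as IPv4 */
    if (version != 4 || len < 20)
        return GATE_DROP;
    size_t hlen = ipv4_view_hlen(pkt);
    size_t totlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || hlen > len || totlen < hlen || totlen > len)
        return GATE_DROP;     /* length fields disagree with the buffer */
    return GATE_TRANSLATE;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t sample_v4[20] = {
    0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 64, 6, 0, 0,
    192, 168, 1, 10, 198, 51, 100, 7 };
static const uint8_t sample_v6[40] = { 0x60, 0, 0, 0, 0, 0, 6, 64 };
/* Claims a total length of 1500 bytes but only 20 are present. */
static const uint8_t sample_short_v4[20] = { 0x45, 0x00, 0x05, 0xdc };

int main(void)
{
    printf("v4 verdict:       %d\n", (int)nat44_gate(sample_v4, sizeof(sample_v4)));
    printf("v6 verdict:       %d\n", (int)nat44_gate(sample_v6, sizeof(sample_v6)));
    printf("short v4 verdict: %d\n",
        (int)nat44_gate(sample_short_v4, sizeof(sample_short_v4)));
    /* An IPv6 header read through IPv4 field offsets yields nonsense. */
    printf("v6 read as IPv4 header length: %zu\n", ipv4_view_hlen(sample_v6));
    return 0;
}
```

The `ip4` keyword in the suggested rule applies the same filter at the ipfw layer, so IPv6 packets never match the `nat 1` rule in the first place.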