kern/121743: ipfw in-kernel nat loses fragmented packets
Vadim Goncharov
vadim_nuclight at mail.ru
Mon Mar 17 09:30:04 UTC 2008
The following reply was made to PR kern/121743; it has been noted by GNATS.
From: Vadim Goncharov <vadim_nuclight at mail.ru>
To: Alexander Zagrebin <alexz at visp.ru>
Cc: bug-followup at freebsd.org
Subject: Re: kern/121743: ipfw in-kernel nat loses fragmented packets
Date: Mon, 17 Mar 2008 15:19:38 +0600
Hi Alexander Zagrebin!
On Sat, 15 Mar 2008 18:47:03 GMT; Alexander Zagrebin <alexz at visp.ru> wrote:
>>Fix:
> --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300
> +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300
> @@ -3568,7 +3568,8 @@
> else
> retval = LibAliasOut(t->lib, c,
> MCLBYTES);
> - if (retval != PKT_ALIAS_OK) {
> + if (retval != PKT_ALIAS_OK &&
> + retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
> /* XXX - should i add some logging? */
> m_free(mcl);
> badnat:
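Review bot: The widened test at `retval != PKT_ALIAS_OK &&` exempts only PKT_ALIAS_FOUND_HEADER_FRAGMENT, so any other non-OK return from LibAliasOut still reaches m_free(mcl). If the remaining fragments of the same datagram come back with a different code, they are still dropped and the datagram cannot be completed at the receiver. The patch should state which return codes are expected for non-header fragments and how each is handled. It should also add a comment explaining why a header fragment is safe to forward here, and settle the open "XXX - should i add some logging?" question, since a silent free on this path makes fragment loss hard to diagnose.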
This is not so simple to fix as LibAlias API requires caller to save packet
fragments somewhere and then at some time to feed them all back. And kernel
infrastructure currently is not so suitable for that packet storage.
As a workaround you can currently send packets with some ipfw rule before NAT
to a divert socket on which ng_ksocket listens and returns packets back with
ng_echo (thus packets won't leave kernel), as divert sockets do packet
reassembly.
--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]