kern/121743: ipfw in-kernel nat loses fragmented packets
Alexander Zagrebin
alexz at visp.ru
Mon Mar 17 12:10:03 UTC 2008
The following reply was made to PR kern/121743; it has been noted by GNATS.
From: "Alexander Zagrebin" <alexz at visp.ru>
To: <vadim_nuclight at mail.ru>
Cc: <bug-followup at freebsd.org>
Subject: RE: kern/121743: ipfw in-kernel nat loses fragmented packets
Date: Mon, 17 Mar 2008 14:32:23 +0300
> On Sat, 15 Mar 2008 18:47:03 GMT; Alexander Zagrebin
> <alexz at visp.ru> wrote:
>
> >>Fix:
> > --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300
> > +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300
> > @@ -3568,7 +3568,8 @@
> > else
> > retval =
> LibAliasOut(t->lib, c,
> > MCLBYTES);
> > - if (retval != PKT_ALIAS_OK) {
> > + if (retval != PKT_ALIAS_OK &&
> > + retval !=
> PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
> > /* XXX - should i
> add some logging? */
> > m_free(mcl);
> > badnat:
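Review bot: The widened check (`retval != PKT_ALIAS_OK && retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT`) lets a header fragment continue down the success path, but nothing in this hunk stores the fragments that follow it or feeds them back to LibAlias, so it is not visible here how the remaining fragments of the same datagram get translated. Either add that handling or put a comment at the check stating which fragment cases are still dropped and why accepting this return code alone is safe. The existing "XXX - should i add some logging?" sits on the drop path this condition narrows; a counter or rate-limited log there would make the remaining drops visible instead of silent.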
>
> This is not so simple to fix, as the LibAlias API requires the caller to save
> packet fragments somewhere and then at some time to feed them all back. And
> the kernel infrastructure currently is not so suitable for that packet storage.
/sbin/natd doesn't use this method either. But it is in the source tree and works.
This patch will work in most cases.
It is better to work with a bad patch than to not work at all.
> As a workaround you can currently send packets with some ipfw rule before NAT
> to a divert socket on which ng_ksocket listens and returns packets back with
> ng_echo (thus packets won't leave the kernel), as divert sockets do packet
> reassembly.
So ng_ksocket has kernel memory for a fragmented packet's buffer, but libalias
does not? :)