The following reply was made to PR kern/121743; it has been noted by GNATS.
From: "Alexander Zagrebin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: RE: kern/121743: ipfw in-kernel nat loses fragmented packets
Date: Mon, 17 Mar 2008 14:32:23 +0300

> On Sat, 15 Mar 2008 18:47:03 GMT; Alexander Zagrebin
> <[EMAIL PROTECTED]> wrote:
>
> >>Fix:
> > --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300 > > +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300 > > @@ -3568,7 +3568,8 @@ > > else > > retval = > LibAliasOut(t->lib, c, > > MCLBYTES); > > - if (retval != PKT_ALIAS_OK) { > > + if (retval != PKT_ALIAS_OK && > > + retval != > PKT_ALIAS_FOUND_HEADER_FRAGMENT) { > > /* XXX - should i > add some logging? */ > > m_free(mcl); > > badnat:
>
> This is not so simple to fix as LibAlias API requires caller to save packet
> fragments somewhere and then at some time to feed them all back. And kernel
> infrastructure currently is not so suitable for that packet storage.

/sbin/natd doesn't use this method either. But it is in source tree and works.
This patch will work in most cases.
It is better to work with a bad patch, than to not work absolutely.

> As a workaround you can currently send packets with some ipfw rule before NAT
> to a divert socket on which ng_ksocket listens and returns packets back with
> ng_echo (thus packets won't leave kernel), as divert sockets do packet
> reassembly.

So ng_ksocket has kernel memory for fragmented packet's buffer, but libalias not? :)
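
Review bot: The widened test (retval != PKT_ALIAS_OK && retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) admits only the header-fragment return code, so any other non-OK result from the LibAliasOut call shown still reaches m_free(mcl) and badnat and the packet is dropped. The quoted reply in this thread points out that the LibAlias API expects the caller to save fragments and feed them back later, and nothing in this hunk does that, so the limitation should be stated in a comment beside the test or in the commit message. The existing "XXX - should i add some logging?" comment is left unanswered as well; now that two return codes are accepted, logging the rejected retval before the free would make the remaining drops visible.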