Bug ID: 229003
           Summary: [ipfw][ng_ipfw] In-kernel NAT Has "Undocumented" 4k
                    Packet-size Limit
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Documentation

After much debugging, it was found that large packets (over 4k) were silently
dropped by the in-kernel NAT used by ipfw and ng_ipfw. This is not documented
on the man page for ipfw or ng_ipfw

Suggested resolution:
* Update the two man pages to document the limitation
* Suggest on those man pages that, if large packets are potentially to be
NAT-ed, reassembled or from "jumbo frames", natd be used rather than in-kernel

As revealed by Andrey V. Elsukov on freebsd-net and freebsd-ipfw on 2018-06-13:

"The kernel version of libalias uses m_megapullup() function to make
single contiguous buffer. m_megapullup() uses m_get2() function to
allocate mbuf of appropriate size. If size of packet greater than 4k it
will fail. So, if you use MTU greater than 4k or if after fragments
reassembly you get a packet with length greater than 4k, ipfw_nat()
function will drop this packet."

Examining the code in /usr/src/sys/netinet/libalias/alias.c

#ifdef _KERNEL
* m_megapullup() - this function is a big hack.
* Thankfully, it's only used in ng_nat and ipfw+nat.

You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to