The following reply was made to PR kern/121743; it has been noted by GNATS.
From: Vadim Goncharov <[EMAIL PROTECTED]>
To: Alexander Zagrebin <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: kern/121743: ipfw in-kernel nat loses fragmented packets
Date: Mon, 17 Mar 2008 15:19:38 +0600
Hi Alexander Zagrebin!
On Sat, 15 Mar 2008 18:47:03 GMT; Alexander Zagrebin <[EMAIL PROTECTED]> wrote:
>>Fix:
> --- sys/netinet/ip_fw2.c.orig 2008-02-28 11:28:09.000000000 +0300
> +++ sys/netinet/ip_fw2.c 2008-03-15 18:41:52.000000000 +0300
> @@ -3568,7 +3568,8 @@
> else
> retval = LibAliasOut(t->lib, c,
> MCLBYTES);
> - if (retval != PKT_ALIAS_OK) {
> + if (retval != PKT_ALIAS_OK &&
> + retval !=
> PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
> /* XXX - should i add some logging?
> */
> m_free(mcl);
> badnat:
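Review bot: The widened test at `if (retval != PKT_ALIAS_OK &&` exempts only PKT_ALIAS_FOUND_HEADER_FRAGMENT from the drop path, and nothing in the hunk says why that return value is safe to pass on or what should happen to the remaining fragments of the same datagram. Any other non-OK result still reaches m_free(mcl) and badnat, so if the later fragments are reported with a different code they are still discarded and the datagram cannot be reassembled downstream. Please add a comment documenting the intended fragment handling. The "XXX - should i add some logging?" question should also be settled while this condition is being touched: as written the drop is silent, which makes lost fragments hard to diagnose.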
This is not so simple to fix, as the LibAlias API requires the caller to save packet
fragments somewhere and then at some time to feed them all back. And the kernel
infrastructure currently is not so suitable for that packet storage.
As a workaround you can currently send packets with some ipfw rule before NAT
to a divert socket on which ng_ksocket listens and returns packets back with
ng_echo (thus packets won't leave the kernel), as divert sockets do packet
reassembly.
--
WBR, Vadim Goncharov. ICQ#166852181 mailto:[EMAIL PROTECTED]
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]