In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte return packet is silently dropped by the in-kernel NAT, even though it "matches" the outbound packet from less than 100 ms prior. All other operations of

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Michael Sierchio
On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky wrote: When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel > to the T-Mobile provisioning servers, the reassembled, 4640-byte return > packet is silently dropped by the in-kernel NAT, even though it "matches" > the outbound pac

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
On 6/13/18 10:22 AM, Michael Sierchio wrote: On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky wrote: When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte return packet is silently dropped by the in-kernel NAT

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Michael Sierchio
I see you have a case of Netgraph. Perhaps Julian will chime in. On Wed, Jun 13, 2018 at 10:32 AM, Jeff Kletsky wrote: > On 6/13/18 10:22 AM, Michael Sierchio wrote: > > On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky wrote: >> >> When a T-Mobile "femto-cell" is trying to establish its IPv4, IPS

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Andrey V. Elsukov
On 13.06.2018 20:16, Jeff Kletsky wrote: > When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC > tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte > return packet is silently dropped by the in-kernel NAT, even though it > "matches" the outbound packet from less

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
On 6/13/18 12:01 PM, Andrey V. Elsukov wrote: On 13.06.2018 20:16, Jeff Kletsky wrote: When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte return packet is silently dropped by the in-kernel NAT, even though

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Andrey V. Elsukov
On 13.06.2018 23:04, Jeff Kletsky wrote: >> The kernel version of libalias uses m_megapullup() function to make >> single contiguous buffer. m_megapullup() uses m_get2() function to >> allocate mbuf of appropriate size. If size of packet greater than 4k it >> will fail. So, if you use MTU greater t

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
On 6/13/18 1:28 PM, Andrey V. Elsukov wrote: On 13.06.2018 23:04, Jeff Kletsky wrote: The kernel version of libalias uses m_megapullup() function to make single contiguous buffer. m_megapullup() uses m_get2() function to allocate mbuf of appropriate size. If size of packet greater than 4k it w