netgraph snooping failing using tcpdump with ng_tee and ng_eiface

2015-10-20 Thread Jeff Kletsky
I'm in the process of trying to debug a deeper question with netgraph, but am puzzled as to why I can't seem to use tcpdump with ng_tee and ng_eiface. I don't see any packets with tcpdump on either the ng_eiface connected to ng_tee left2right or to ng_tee right2left when there are packets flowing

VNET / netgraph jails -- Locking down?

2017-02-13 Thread Jeff Kletsky
For several years I've been using netgraph to provide connectivity for "service hosts" in jails on a "jail server". Since I'm finally getting the jail server off FreeBSD 9 and solidly onto 11, I've got the chance to rewrite the scripting of how I'm handling jail connectivity and am hoping that

Re: ipfw -- selecting locally generated packets

2018-05-04 Thread Jeff Kletsky
On 5/3/18 6:35 AM, Julian Elischer wrote: On 3/5/18 12:08 am, Michael Sierchio wrote: On Mon, Apr 30, 2018 at 10:48 AM, Jeff Kletsky <free...@wagsky.com> wrote: "not recv any" doesn't seem to be helpful either $ sudo ipfw add 64000 count ip from any to any out xmit an

In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte return packet is silently dropped by the in-kernel NAT, even though it "matches" the outbound packet from less than 100 ms prior. All other operations of

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
On 6/13/18 10:22 AM, Michael Sierchio wrote: On Wed, Jun 13, 2018 at 10:16 AM, Jeff Kletsky wrote: When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte return packet is silently dropped by the

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
On 6/13/18 12:01 PM, Andrey V. Elsukov wrote: On 13.06.2018 20:16, Jeff Kletsky wrote: When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the reassembled, 4640-byte return packet is silently dropped by the in-kernel NAT, e

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Jeff Kletsky
On 6/13/18 1:28 PM, Andrey V. Elsukov wrote: On 13.06.2018 23:04, Jeff Kletsky wrote: The kernel version of libalias uses the m_megapullup() function to make a single contiguous buffer. m_megapullup() uses the m_get2() function to allocate an mbuf of the appropriate size. If the size of the packet is greater than 4k

ipfw -- selecting locally generated packets

2018-04-30 Thread Jeff Kletsky
From time to time, I rewrite my firewall rules to take advantage of the ever-improving set of features that ipfw provides. One of the challenges I have faced in the past was selecting packets that are generated on the firewall host itself, as opposed to those that it received through an