Matching ICMP errors in IPF

To: tech-net%netbsd.org@localhost
Subject: Matching ICMP errors in IPF
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Wed, 9 Mar 2016 14:59:23 +0100

			Hi tech-net@,

I am currently experiencing a situation of blackhole networking, while
routing a VPN for a number of Xen DOMUs. It turns out NetBSD seems to be
the culprit :(

The first issue is with ICMP errors, like for path MTU discovery. They
are not correctly matched by IPF back to the original state. I have a
patch for this, that I successfully tested on netbsd-7.

I am also experiencing issues with fragmented UDP packets on my actual
router (also running NetBSD), probably related, when running OpenVPN
over UDP. Running OpenVPN over TCP instead solves some issues but not
everything, so I have to keep digging.

The patch attached only helps with matching ICMP errors for ICMP
queries. I could not confirm yet it this actually works correctly for
UDP and TCP. I am pushing my current work there:
http://git.edgebsd.org/gitweb/?p=edgebsd-src.git;a=shortlog;h=refs/heads/khorben/inet-pmtu

Let me know if this is good to commit already. I will then request
pull-ups to netbsd-7. I have not checked yet if netbsd-6 is affected.

HTH,
-- 
khorben

commit 881b3043c08ae3b4edb5e588ca291b2cc7332d02
Author: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date:   Wed Mar 9 12:01:17 2016 +0100

    Fix path MTU discovery for NAT'd ICMP queries

diff --git a/sys/external/bsd/ipf/netinet/ip_nat.c b/sys/external/bsd/ipf/netinet/ip_nat.c
index 4108e93..f2a57ab 100644
--- a/sys/external/bsd/ipf/netinet/ip_nat.c
+++ b/sys/external/bsd/ipf/netinet/ip_nat.c
@@ -4032,13 +4032,8 @@ ipf_nat_inlookup(fr_info_t *fin, u_int flags, u_int p, struct in_addr src,
 		dport = htons(fin->fin_data[1]);
 		break;
 	case IPPROTO_ICMP :
-		if (flags & IPN_ICMPERR) {
-			sport = fin->fin_data[1];
-			dport = 0;
-		} else {
-			dport = fin->fin_data[1];
-			sport = 0;
-		}
+		sport = 0;
+		dport = fin->fin_data[1];
 		break;
 	default :
 		sport = 0;
@@ -4364,10 +4359,7 @@ ipf_nat_outlookup(fr_info_t *fin, u_int flags, u_int p, struct in_addr src,
 		dport = htons(fin->fin_data[1]);
 		break;
 	case IPPROTO_ICMP :
-		if (flags & IPN_ICMPERR)
-			sport = fin->fin_data[1];
-		else
-			dport = fin->fin_data[1];
+		dport = fin->fin_data[1];
 		break;
 	default :
 		break;

Prev by Date: Re: Proxy ARP
Next by Date: Racoon patch for mode_cfg with rsasig authentication
Previous by Thread: pfkey UPDATE and ADD failed with IPsec
Next by Thread: Racoon patch for mode_cfg with rsasig authentication
Indexes:

Home | Main Index | Thread Index | Old Index