Bug 229003

Summary: [ipfw][ng_ipfw] In-kernel NAT Has "Undocumented" 4k Packet-size Limit
Product: Documentation Reporter: Jeff Kletsky <jeff+freebsd>
Component: Books & ArticlesAssignee: freebsd-doc (Nobody) <doc>
Status: Closed Overcome By Events    
Severity: Affects Many People    
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description Jeff Kletsky 2018-06-13 22:21:59 UTC 
After much debugging, it was found that large packets (over 4k) were silently dropped by the in-kernel NAT used by ipfw and ng_ipfw. This is not documented on the man page for ipfw or ng_ipfw

Suggested resolution:
* Update the two man pages to document the limitation
* Suggest on those man pages that, if large packets are potentially to be NAT-ed, reassembled or from "jumbo frames", natd be used rather than in-kernel NAT


As revealed by Andrey V. Elsukov on freebsd-net and freebsd-ipfw on 2018-06-13:

"The kernel version of libalias uses m_megapullup() function to make
single contiguous buffer. m_megapullup() uses m_get2() function to
allocate mbuf of appropriate size. If size of packet greater than 4k it
will fail. So, if you use MTU greater than 4k or if after fragments
reassembly you get a packet with length greater than 4k, ipfw_nat()
function will drop this packet."


Examining the code in /usr/src/sys/netinet/libalias/alias.c

#ifdef _KERNEL
/*
* m_megapullup() - this function is a big hack.
* Thankfully, it's only used in ng_nat and ipfw+nat.
Comment 1 Jeff Kletsky 2018-06-14 00:04:17 UTC 
Relates to kernel issue #229006
Comment 2 Jeff Kletsky 2018-06-22 18:56:41 UTC 
As https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229006 is resolved in all "supported" versions, closing this as no longer needed