xfer-in: Transfer status: timed out (selective failures)

Peter 'PMc' Much pmc at citylink.dinoex.sub.org
Tue Feb 25 16:10:23 UTC 2025


Thanks a lot, folks!

The problem is solved - I put a "checksum" module between the
firewall and the "nat" module (I have netgraph[1] modules), and that
works now as expected.

Apparently, when NAT-rewriting the address of a /locally created/
packet, at the time of rewriting the checksum has not yet been
computed (because it cannot yet be determined if it should be computed
or offloaded).
Then the act of rewriting will "correct" that non-existent checksum
(to a wrong value, obviously) only to achieve that it no longer
appears as nonexistent, and will not be correctly created at a
later time either.

This does probably concern a lot of NAT libraries, only we do usually
not change the address of the local node itself, only those of other
nodes from inside our lan - and so the issue doesn't hit.
It shouldn't harm named either, because named has a proper
configurable source-ip - so maybe I just found an issue during testing
which wasn't even the original failure cause. (Somehow I manage to
find bugs all the time - previous night it was one in NFSv4 [2].)

Anyway, thanks for being with me!

cheerio,
PMc

[1] https://en.wikipedia.org/wiki/Netgraph
[2] https://lists.freebsd.org/archives/freebsd-fs/2025-February/004349.html
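
The effect described in the message above, as an added example that is not part of the original post and not code from netgraph or any NAT library: an RFC 1624 incremental checksum update applied during a source-address rewrite yields a valid checksum only if the field already held a computed one. The segment layout, the addresses, the helper names and the modelling of the not-yet-computed field as a placeholder 0 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified segment (constructed): pseudo-header addresses, checksum, payload. */
struct seg { uint32_t src, dst; uint16_t csum; uint16_t data[4]; };

/* Fold a 32-bit accumulator into a 16-bit ones' complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Ones' complement sum over addresses, checksum field and payload. */
static uint16_t sum_all(const struct seg *p) {
    uint32_t s = (p->src >> 16) + (p->src & 0xffff) + (p->dst >> 16) + (p->dst & 0xffff) + p->csum;
    for (int i = 0; i < 4; i++) s += p->data[i];
    return fold(s);
}

/* Full computation: what a checksum stage placed before NAT does. */
static void fill_checksum(struct seg *p) { p->csum = 0; p->csum = (uint16_t)~sum_all(p); }
/* Receiver-side check: the sum including the checksum must be 0xffff. */
static int verify(const struct seg *p) { return sum_all(p) == 0xffff; }

/* NAT source rewrite with the RFC 1624 incremental update HC' = ~(~HC + ~m + m'). */
static void nat_rewrite_src(struct seg *p, uint32_t new_src) {
    uint32_t s = (uint16_t)~p->csum;
    s += (uint16_t)~(p->src >> 16) + (uint16_t)~(p->src & 0xffff);
    s += (new_src >> 16) + (new_src & 0xffff);
    p->csum = (uint16_t)~fold(s);
    p->src = new_src;
}

/* Returns 1 if the packet verifies after NAT; csum_first selects the ordering. */
static int nat_result(int csum_first, uint16_t *csum_out) {
    struct seg p = { 0xC0A80102u, 0xC6336407u, 0, { 0x1234, 0xabcd, 0x0035, 0xbeef } };
    if (csum_first) fill_checksum(&p);      /* otherwise csum stays the placeholder 0 */
    nat_rewrite_src(&p, 0xCB007109u);       /* 192.168.1.2 -> 203.0.113.9 (constructed) */
    if (csum_out) *csum_out = p.csum;
    return verify(&p);
}

int main(void) {
    uint16_t c;
    int ok = nat_result(1, &c);
    printf("checksum, then NAT:      valid=%d csum=0x%04x\n", ok, c);
    ok = nat_result(0, &c);
    printf("NAT on pending checksum: valid=%d csum=0x%04x\n", ok, c);
    return 0;
}
```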

