-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VOIP call initiation fails #111
Comments
Does anything appear in the logs when this happens? (you can view the logs using Qubes Manager : select the firewall, then |
Thank you for your response @talex5 Sys-net is 10.137.0.4, and the vpn attached to mirage-firewall is 10.137.0.27. Here are the contents of guest-mirage-firewall.log: |
I guess qubes-mirage-firewall/firewall.ml Lines 29 to 31 in 094637b
The Ethernet layer writes to the network device here: https://github.com/mirage/ethernet/blob/master/src/ethernet.ml#L79 mirage-net-xen should probably use |
I am. Notes in https://mirage.io/blog/announcing-mirage-35-release#TCP-IP. The short overview is that the target (network device) knows best about alignment restrictions and MTU. This is why the send this buffer API changed. Briefly, a higher layer calls "send" with an argument "size" (how much data to be sent by the upper layer, if known), and a callback function "fill" (buffer -> int) which receives the buffer, fills it, and returns the length which was used. This way, the ethernet layer gets the size argument from the IP layer, adds 14, and calls the network send. In the callback, it writes source and destination addresses (and protocol type) into the buffer, and calls the IP layer fill function with the buffer shifted to where the IP header should start. Now, considering this issue report, I suspect there's something wrong. What would help is a pcap of one of the packets sent by the client, and not forwarded to sys-net.
No, NAT does not increase packet sizes. But our NAT library now reassembles and fragments packets, so we should ensure that the right MTU is passed (to remind myself, the MTU in our stack is different for each layer since the (static) header is subtracted).
Yes, this is a good idea. To fix this issue, it'd be also worth to have the numbers in the log messages (sorry for them being slightly useless since they do not contain any data). |
Dear @jorgejones7711, I was able to locally reproduce the issue with some icmp packets. I developed a fix (in mirage-net-xen, see the reference above if of interest). Could you check that this works for you? I compiled and uploaded a new firewall virtual machine image to https://data.robur.coop/qubes-firewall-0.7.1-mtu-fixed.xen -- if you download this and put it in your dom0 as |
…98) * In MirageOS / mirage-net, the MTU is defined as the Ethernet payload -- adjust to 1500 * pass only the requested size of the buffer to the fill function (discovered in mirage/qubes-mirage-firewall#111)
CHANGES: * MirageOS (mirage-net) defines the MTU as the link-level payload size, adjust from 1514 to 1500 (@hannesm, mirage/mirage-net-xen#98) * Only pass the sub-buffer of requested size to the fill function (solves mirage/qubes-mirage-firewall#111, @hannesm, mirage/mirage-net-xen#98) * listen: do not catch out of memory exception (@hannesm, mirage/mirage-net-xen#97)
Want to say it's still working great, never a problem. Thanks guys. I hope this get mainlined into qubes. |
Hello thank you for the great little firewall. I have been using qubes mirage firewall 0.7.1 for several days and everything seems to be working great. Today I found something. I use voip software over a udp vpn. The vpn has been working fine with no problems. The client is able to log into the voip server without problem as indicated with a green circle (online). However, when I try to initiate a call, it tries for about 10 seconds then fails. On sys-firewall it works normally. I have gone back and forth several times to verify that it works on sys-firewall, but does not work on qmf071. I also tried a different voip client and it is the same. It is strange because since it is over a vpn the firewall should not treat the packets differently. But the problem is real. It is the only problem I have found.
The text was updated successfully, but these errors were encountered: