From 7af86258eef17efffadb7e9ebab8ce0524610b22 Mon Sep 17 00:00:00 2001 From: Huang-Huang Bao Date: Tue, 14 Jan 2025 13:55:02 +0800 Subject: [PATCH] doc: guide user to disable hardware offload Also update issue template to block unprepared reports. --- .github/ISSUE_TEMPLATE/bug_report.md | 12 ++++++++++-- README.md | 4 ++++ config.sample.toml | 2 +- docs/guide/openwrt.md | 3 +++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 66648c1..12febf8 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -6,7 +6,7 @@ labels: "" assignees: "" --- - + **Describe the bug** @@ -31,9 +31,17 @@ Configuration file: **Target Machine (please complete the following information):** - Architecture: [e.g. x86-64, aarch64] -- Linux distribution: [e.g. Arch Linux, OpenWrt] +- Linux distribution and version: [e.g. Arch Linux (rolling), OpenWrt (v23.05.5)] - Kernel version: [e.g. 5.15, 6.7.1] - einat version: [e.g. 0.1.1] **Additional context** Add any other context about the problem here, e.g. network interface information, firewall(iptables/nftables) configuration. +And connection test results of `nslookup aliyun.com 223.5.5.5`, `traceroute -T 223.5.5.5`, `ping -M do -s 1464 223.5.5.5`, etc. . + +Please elaborate what you have changed in detail for unchecked options below. + +- [ ] I have read **README** and notes in **config.sample.toml**. +- [ ] I don't have any (hardware) offload/acceleration solutions enabled. +- [ ] I have a clean firewall or with only firewall rule of TCP MSS Clamping. +- [ ] I don't have any special/advanced routing rules other than the basic default routing. diff --git a/README.md b/README.md index ea9feba..b1a1124 100644 --- a/README.md +++ b/README.md 
@@ -122,6 +122,10 @@ see . Though this only works for [TCP MSS clamping]: https://wiki.nftables.org/wiki-nftables/index.php/Mangling_packet_headers#Mangling_TCP_options +> [!IMPORTANT] +> Disable any hardware offload/acceleration solutions before trying out einat, especially on OpenWrt where "acceleration" solutions are commonly abused. +> As hardware offload solution can't recognize NAT bindings created in einat, the incoming packets flowing over hardware firmware could be dropped due to some internal firewall policies. + To test if this works, you can use tools below on internal network behind NAT. Notice you could only got "Full Cone" NAT if your external network is already "Full Cone" NAT or has a public IP. - `stunclient` from [stuntman](https://github.com/jselbie/stunserver) diff --git a/config.sample.toml b/config.sample.toml index 94d9aed..6defa00 100644 --- a/config.sample.toml +++ b/config.sample.toml @@ -11,7 +11,7 @@ ipv6_hairpin_table_id = 4787 # For ports not in specified ranges, einat would passthrough NAT if the traffic # is on interface's external address. You should exclude ports of services ( # e.g. SSH, HTTP server) serving on NAT host's external address and expecting -# inbound initiaed traffic from NAT port ranges specified here. +# inbound initiated traffic from NAT port ranges specified here. tcp_ranges = ["20000-29999"] udp_ranges = ["20000-29999"] # Combined ICMP query ID ranges, must include `icmp_in_ranges` and `icmp_out_ranges`. diff --git a/docs/guide/openwrt.md b/docs/guide/openwrt.md index 27531a5..09ec402 100644 --- a/docs/guide/openwrt.md +++ b/docs/guide/openwrt.md @@ -7,6 +7,9 @@ So if the architecture of your router is not x86-64 or aarch64 or other actively The following is OpenWrt build configs required for `einat` to work. +> [!IMPORTANT] +> Disable any hardware offload/acceleration solutions before trying out einat. + ## Build Configs Make sure to use latest OpenWrt release or OpenWrt on main branch.
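Review bot: In the second .github/ISSUE_TEMPLATE/bug_report.md hunk, the added connection-test line lists three commands but not what the reporter should look for in their output, and `ping -M do -s 1464` bakes in one path MTU (1464 bytes of payload plus 28 bytes of ICMP and IPv4 headers is 1492), so the result is hard to interpret on links with a different MTU. Suggest stating the expected outcome for each command, or asking for the interface MTU alongside the ping result. The same line ends in a stray "etc. .", and the third checkbox, "I have a clean firewall or with only firewall rule of TCP MSS Clamping", would read better as "My firewall is clean or contains only a TCP MSS clamping rule".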
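Review bot: The README.md note tells users to disable "any hardware offload/acceleration solutions" but does not say how to check whether one is active or where to turn it off, so the readers who need the warning most cannot act on it. Suggest adding a pointer to the relevant setting, for OpenWrt at least, since the note singles it out. The scope also differs from the issue template in this same patch, which writes "(hardware) offload/acceleration" with "hardware" in parentheses; say explicitly whether software offload is affected as well. On wording, "commonly abused" and "flowing over hardware firmware" are vague, and "As hardware offload solution can't recognize" is missing an article.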
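Review bot: In the docs/guide/openwrt.md hunk, the new note lands between the sentence "The following is OpenWrt build configs required for `einat` to work." and the "## Build Configs" heading it introduces, so "The following" now points at the warning instead of the build configs. Suggest moving the note above that sentence or to the top of the guide. This copy also drops the explanation given in README.md (offload cannot recognize NAT bindings created in einat), so repeat that one sentence here or link to the README note.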