From owner-freebsd-stable@FreeBSD.ORG Fri May 18 13:37:46 2007
Return-Path:
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D63F116A407; Fri, 18 May 2007 13:37:46 +0000 (UTC) (envelope-from koji@registro.br)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) by mx1.freebsd.org (Postfix) with ESMTP id 9512F13C459; Fri, 18 May 2007 13:37:46 +0000 (UTC) (envelope-from koji@registro.br)
Received: by clone.registro.br (Postfix, from userid 1002) id 77F4595873; Fri, 18 May 2007 10:37:45 -0300 (BRT)
Date: Fri, 18 May 2007 10:37:45 -0300
From: Hugo Koji Kobayashi
To: Mark Andrews
Message-ID: <20070518133745.GJ37175@registro.br>
References: <200705172350.l4HNowGe089722@drugs.dv.isc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200705172350.l4HNowGe089722@drugs.dv.isc.org>
User-Agent: Mutt/1.4.2.2i
X-Organization: Registro.br
X-URL: http://registro.br/
X-Operating-System: FreeBSD
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: udp fragmentation with pf/ipf
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 18 May 2007 13:37:46 -0000

Ok. I understand that, but in FreeBSD 4.11 it works, and without the
"keep frags" the query is blocked. Is it just a misbehaviour of an old
ipf version?

And there is also the different behaviour of pf under OpenBSD. As I
understand it, the "scrub" rule should reassemble the fragments and pass
the complete packet on to the filter, making the response arrive at the
application. Am I wrong?

On Fri, May 18, 2007 at 09:50:58AM +1000, Mark Andrews wrote:
> 	This should be rejected as "keep frags" is meaningless here.
>
> > pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
> > keep state keep frags
>
> You need
>
> pass in quick from any to any with frag keep frag
>
> The reason is that "ip" fragments do not have next level headers.
>
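The point Mark makes above, that only the first IP fragment carries the UDP header, is the reason a rule matching on "proto udp ... port = 53" can never see the ports in the second and later fragments of a large DNS answer, and why a reassembly step (pf "scrub", ipf "keep frags") has to run before a port-based filter. The following Python script is an added illustration, not code from this thread or from the pf/ipf projects: it builds a constructed IPv4/UDP datagram with source port 53 (addresses from the 192.0.2.0/24 documentation range, a zero-filled payload standing in for a DNS answer), fragments it for a 576-byte MTU, runs a port-matching filter that does not reassemble over each fragment, and then reassembles the fragments the way a scrub-style step would before filtering. The function names, the MTU and the sample values are all assumptions made for the example.

```python
import socket
import struct

IPPROTO_UDP = 17
IP_MF = 0x2000          # "more fragments" bit in the flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in units of 8 bytes


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes, ident: int) -> bytes:
    """One unfragmented IPv4/UDP packet; UDP checksum left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, IPPROTO_UDP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def fragment(packet: bytes, mtu: int) -> list:
    """Split an IPv4 packet into fragments; every non-final fragment body is a multiple of 8 bytes."""
    hdr, body = packet[:20], packet[20:]
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(body), chunk):
        piece = body[off:off + chunk]
        more = (off + chunk) < len(body)
        h = bytearray(hdr)
        struct.pack_into("!H", h, 2, 20 + len(piece))               # total length of this fragment
        struct.pack_into("!H", h, 6, (IP_MF if more else 0) | (off // 8))
        struct.pack_into("!H", h, 10, 0)
        struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
        frags.append(bytes(h) + piece)
    return frags


def parse_fragment(frag: bytes) -> dict:
    """Decode the IPv4 header; UDP ports are only recoverable from the offset-0 fragment."""
    ver_ihl, _, total_len, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", frag[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "ident": ident, "proto": proto, "header": frag[:ihl],
        "offset": (flags_off & IP_OFFSET_MASK) * 8, "more": bool(flags_off & IP_MF),
        "payload": frag[ihl:total_len], "ports": None,
    }
    if proto == IPPROTO_UDP and info["offset"] == 0 and len(info["payload"]) >= 8:
        info["ports"] = struct.unpack("!HH", info["payload"][:4])
    return info


def port_filter_passes(frag: bytes, allowed_sport: int) -> bool:
    """A rule like 'proto udp from any port = 53' evaluated per fragment, with no reassembly."""
    f = parse_fragment(frag)
    return f["ports"] is not None and f["ports"][0] == allowed_sport


def reassemble(frags: list) -> bytes:
    """What a scrub-style step does before filtering: rebuild the full datagram or reject it."""
    parsed = sorted((parse_fragment(f) for f in frags), key=lambda p: p["offset"])
    if len({p["ident"] for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    body = bytearray()
    for p in parsed:
        if p["offset"] != len(body):               # reject gaps and overlapping fragments
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        body += p["payload"]
    if parsed[-1]["more"]:
        raise ValueError("final fragment missing")
    hdr = bytearray(parsed[0]["header"])
    struct.pack_into("!H", hdr, 2, len(hdr) + len(body))
    struct.pack_into("!H", hdr, 6, 0)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + bytes(body)


def demo():
    """Constructed scenario: a 1400-byte UDP answer from port 53 crossing a 576-byte MTU link."""
    src = socket.inet_aton("192.0.2.53")   # constructed resolver address
    dst = socket.inet_aton("192.0.2.10")   # constructed client address
    pkt = build_udp_datagram(src, dst, 53, 40000, b"\x00" * 1400, ident=0x1234)
    frags = fragment(pkt, mtu=576)
    verdicts = [port_filter_passes(f, 53) for f in frags]
    return pkt, frags, verdicts


if __name__ == "__main__":
    pkt, frags, verdicts = demo()
    for f, ok in zip(frags, verdicts):
        p = parse_fragment(f)
        print("offset=%4d more=%d ports=%s passes_port_rule=%s" % (p["offset"], p["more"], p["ports"], ok))
    print("reassembled == original:", reassemble(frags) == pkt)
```

Run stand-alone, the script shows the first fragment matching the port rule and the two trailing fragments failing it because they carry no UDP header at all; after `reassemble()` the filter is handed one complete datagram whose ports it can inspect. The reassembler also refuses gaps, overlaps and a missing final fragment, which is the part of a scrub step that matters from a defensive standpoint.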