Date: Thu, 18 Dec 2014 11:29:01 +0100
From: Ilya Bakulin <ilya@bakulin.de>
To: Kristof Provost <kristof@sigsegv.be>
Cc: freebsd-net@freebsd.org, clusteradm@freebsd.org, Mark Felder <feld@freebsd.org>, freebsd-pf@freebsd.org
Subject: PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)
Message-ID: <694672ef2ebe8adb6badcd4b059942c1@mail.bakulin.de>
In-Reply-To: <20141109201557.GH2044@vega.codepro.be>
References: <d2f0c43909d9c9bada9a5bda7719cfca@mail.bakulin.de> <1415210423.3394438.187470637.21CD8D3D@webmail.messagingengine.com> <9355b23f1a07008eca61f16ebd828d0b@mail.bakulin.de> <20141107133101.GF2044@vega.codepro.be> <545F6C8F.6010700@bakulin.de> <20141109201557.GH2044@vega.codepro.be>
On 2014-11-09 21:15, Kristof Provost wrote:
> On 2014-11-09 14:30:55 (+0100), Ilya Bakulin <ilya@bakulin.de> wrote:
>> On 07.11.14, 14:31, Kristof Provost wrote:
> You can find the patch series here:
> http://www.sigsegv.be/files/pf_inet6_frag.tar
> and everything in one big patch here:
> http://www.sigsegv.be/files/pf_inet6_frag.patch
>
> It's not cleaned up yet, or even extensively tested.
> Basically the only testing that's been done is setting up a pf config to
> drop all traffic except icmp echo requests, and then sending out
> fragmented icmp echo requests. Without the patch those get dropped, with
> the patch they make it through the firewall.
> I've done some quick flood ping testing, so I'm reasonably confident it
> doesn't leak mbufs.
>
> I started from the OpenBSD work, and imported and adjusted their inet6
> defragmentation patches.
>
> Regards,
> Kristof

Hi Kristof,

I have tested your patchset and it works!
Apart from testing with fragmented ICMPv6 requests, I've performed a UDP test using Scapy:

>>> pkt=IPv6(dst="fdf9:37e3:7c53::100:2")/IPv6ExtHdrFragment()/UDP(dport=8000)/("a" * 10000)
>>> pktlist = fragment6(pkt, 1000)
>>> send(pktlist)

fdf9:37e3:7c53::100:2 in this case is the address of my FreeBSD 11-CURRENT VM running with your patch.
Sending pktlist on the wire results in 11 packets being sent; they all get reassembled by PF and I can receive the data if I start nc on UDP port 8000.

What I want to do is to do the test with overlapping fragments (that should be dropped because overlapping IPv6 fragments are forbidden) and maybe some other non-typical packets.

At this point I would like to ask clusteradm@ (CC'ed) to at least look at this patchset.
The distinction between CROP and DROP that was dropped upstream is IMHO not important :-)
I highly doubt that it makes any difference to anyone, and particularly at the FreeBSD cluster.
On the other hand, clusteradm@ people have complained about missing IPv6 fragment support -- so here is the solution.
-- Ilya
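A model of the reassembly behaviour this thread is testing, added here as an illustration and not code from the PF patchset or from the thread: it splits a UDP datagram of the size used in the Scapy test (8-byte UDP header plus 10000 payload bytes) at a 1000-byte fragment size, reassembles it, and drops the whole datagram when any fragment overlaps, which is the RFC 5722 rule behind the overlapping-fragment test Ilya plans. Header sizes are the RFC 8200 values; the packet-size accounting mirrors Scapy's fragment6 (fragment size includes the IPv6 and Fragment headers), which is an assumption.

```python
"""Model of IPv6 fragment reassembly (RFC 8200 sec. 4.5) with the
RFC 5722 rule that an overlapping fragment discards the whole datagram.
Added illustration, not code from the PF patchset or the thread."""
from typing import List, Optional, Tuple

IPV6_HDR = 40  # fixed IPv6 header
FRAG_HDR = 8   # Fragment extension header
# (offset in 8-octet units, more-fragments flag, fragment data)
Fragment = Tuple[int, bool, bytes]

def fragment(payload: bytes, frag_size: int) -> List[Fragment]:
    """Split the fragmentable part so each packet (IPv6 header + Fragment
    header + data) is at most frag_size octets; every non-final fragment
    carries a multiple of 8 octets, as the Fragment header demands."""
    per_frag = (frag_size - IPV6_HDR - FRAG_HDR) // 8 * 8
    if per_frag <= 0:
        raise ValueError("frag_size leaves no room for data")
    frags = []
    for start in range(0, len(payload), per_frag):
        chunk = payload[start:start + per_frag]
        frags.append((start // 8, start + per_frag < len(payload), chunk))
    return frags

def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the reassembled payload, or None when the datagram must be
    dropped: an overlap, a gap, or a missing/conflicting last fragment."""
    buf, covered, total = bytearray(), bytearray(), None
    for off8, more, data in sorted(frags, key=lambda f: f[0]):
        start, end = off8 * 8, off8 * 8 + len(data)
        if more and len(data) % 8:
            return None  # non-final fragment must be a multiple of 8
        if not more:
            if total is not None and total != end:
                return None  # two fragments claim to be the last one
            total = end
        if len(covered) < end:  # grow buffers to the furthest octet seen
            buf.extend(b"\x00" * (end - len(covered)))
            covered.extend(b"\x00" * (end - len(covered)))
        if any(covered[start:end]):
            return None  # RFC 5722: overlap -> silently drop everything
        covered[start:end] = b"\x01" * len(data)
        buf[start:end] = data
    if total is None or len(covered) != total or not all(covered):
        return None  # no last fragment, data past it, or unfilled gap
    return bytes(buf)
```

With a 1000-byte fragment size each non-final fragment carries 952 data octets, so the 10008-byte datagram yields the 11 packets reported in the test; a fragment that re-covers octets already filled makes reassemble return None.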