From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 06:23:46 2007
From: "Abdullah Ibn Hamad Al-Marri"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Date: Mon, 25 Jun 2007 09:23:45 +0300
Subject: Re: pf 4.1 Update available for testing
Message-ID: <499c70c0706242323s38fa71e8s5ebfb67bb1588d84@mail.gmail.com>
In-Reply-To: <200706210352.38282.max@love2party.net>

On 6/21/07, Max Laier wrote:
> On Saturday 16 June 2007, Max Laier wrote:
> > $subject at: http://people.freebsd.org/~mlaier/PF41/
>
> New drop (20070621) out.
>
> Much better tested - thanks to qemu (which I finally got working w/ carp
> [use the re nics and twiddle vlanhwtag after the carp interfaces are up].
> Now I only need a bit more ram *hint* *hint* *hint* ;)
>
> --
> /"\ Best regards,                     | mlaier@freebsd.org
> \ / Max Laier                         | ICQ #67774661
>  X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign             | Against HTML Mail and News

Max,

Thank you for the hard work to bring the latest pf to FreeBSD.

When will it hit RELENG_6 and HEAD? :)

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 11:08:42 2007
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 25 Jun 2007 11:08:40 GMT
Subject: Current problem reports assigned to you
Message-Id: <200706251108.l5PB8eN6098781@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2

6 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 12:23:27 2007
From: sukaca
To: freebsd-pf@freebsd.org
Date: Mon, 25 Jun 2007 18:56:15 +0700
Subject: pf load balance pust one upstream

Dear all,

I'm using fbsd 6.1 with p15.
My load balancing is currently running smoothly, using 4 ADSL
connections and 1 broadband connection.
My real problem is the ADSL upstream.
I tried a couple of methods to push pf to make a single upstream using the
broadband connection, but it is not working.

Any suggestion will be very much appreciated.

Best regards,
vicky

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 14:22:01 2007
From: Max Laier
Organization: FreeBSD
To: "Abdullah Ibn Hamad Al-Marri"
Cc: freebsd-pf@freebsd.org
Date: Mon, 25 Jun 2007 16:23:49 +0200
Subject: Re: pf 4.1 Update available for testing
Message-Id: <200706251623.57053.max@love2party.net>
In-Reply-To: <499c70c0706242323s38fa71e8s5ebfb67bb1588d84@mail.gmail.com>

On Monday 25 June 2007, Abdullah Ibn Hamad Al-Marri wrote:
> On 6/21/07, Max Laier wrote:
> > On Saturday 16 June 2007, Max Laier wrote:
> > > $subject at: http://people.freebsd.org/~mlaier/PF41/
> >
> > New drop (20070621) out.
> >
> > Much better tested - thanks to qemu (which I finally got working w/
> > carp [use the re nics and twiddle vlanhwtag after the carp interfaces
> > are up].
> > Now I only need a bit more ram *hint* *hint* *hint* ;)
> >
> > --
> > /"\ Best regards,                     | mlaier@freebsd.org
> > \ / Max Laier                         | ICQ #67774661
> >  X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
> > / \ ASCII Ribbon Campaign             | Against HTML Mail and News
>
> Max,
>
> Thank you for the hard work to bring the latest pf to FreeBSD.
>
> When will it hit RELENG_6 and HEAD? :)

It will hit HEAD as soon as somebody other than me does proper testing and
reports back! It will not hit RELENG_6 - ever. The new version breaks
every API/ABI around, which is not acceptable for a STABLE branch.

--
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 14:57:27 2007
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Mon, 25 Jun 2007 11:57:25 -0300
Subject: Re: pf load balance pust one upstream
Message-ID: <6e6841490706250757g13262b8ma12996e7fa069118@mail.gmail.com>

On 25/06/07, sukaca wrote:
> Dear all,
>
> I'm using fbsd 6.1 with p15.
> My load balancing is currently running smoothly, using 4 ADSL
> connections and 1 broadband connection.
>
> My real problem is the ADSL upstream.
> I tried a couple of methods to push pf to make a single upstream using the
> broadband connection, but it is not working.
>
> Any suggestion will be very much appreciated.
>
> Best regards,
> vicky

Do you want to balance your outgoing traffic over 4 ADSL links and one
broadband link using pf? What rules are you using?

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 20:50:20 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 25 Jun 2007 22:52:01 +0200
Subject: Re: pf 4.1 Update available for testing
Message-Id: <200706252252.08589.max@love2party.net>
In-Reply-To: <200706160347.33331.max@love2party.net>

On Saturday 16 June 2007, Max Laier wrote:
> $subject at: http://people.freebsd.org/~mlaier/PF41/

Yet another drop (20070625) is available. This should fix all remaining
issues with user/group rules. One slight limitation is that rules
with "log(all, user)" will only log the user on the first packet (but I
think one can live with that). This also connects tftp-proxy to the
build - if you have a use for it, please take it for a ride and let me
know. Other than that, I'm all out of problems.

--
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Mon Jun 25 20:57:13 2007
Message-ID: <000301c7b76b$6208dc40$c40a0a0a@chepkov.lan>
From: "Vadym Chepkov"
Cc: freebsd-pf@freebsd.org
Date: Mon, 25 Jun 2007 16:57:02 -0400
Subject: udp fragmentation

Max,

Have you had a chance to look into the udp fragmentation problem (posted on
June 4th)? I don't see the problem listed in the regular bug report; do I
need to submit a new one?

Just to recap what the problem is: after scrubbing, a fragmented UDP packet
gets dropped by the kernel due to a bad checksum.

Thank you.

Sincerely,
Vadym Chepkov
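The failure Vadym describes is easiest to see with the checksum arithmetic in hand. The following is an added example written for this archive, not code from the thread or from pf: it computes the UDP checksum over the IPv4 pseudo-header and the complete datagram, splits the datagram into IPv4 fragments, reassembles them out of order, and verifies the checksum on the reassembled result, which is the only point at which a UDP checksum can be verified at all, since it covers the payload. A single byte that reassembly gets wrong makes verification fail, which is what a post-reassembly "bad checksum" drop looks like from the kernel's side. The addresses (RFC 5737 documentation ranges), ports and payload are constructed, and the function names are my own.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: 16-bit one's complement sum, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP checksum: covers the IPv4 pseudo-header (src, dst, zero, proto 17, UDP length)
    plus the whole UDP header and payload, with the checksum field itself read as zero.
    Because the payload is covered, it can only be verified on a complete datagram."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF      # a computed 0 is sent as 0xFFFF; 0 on the wire means "none"

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (sport, dport, length, checksum) followed by the payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def fragment(udp: bytes, max_frag: int):
    """Split an IP payload the way a router would: every fragment but the last is a
    multiple of 8 bytes; returns (offset in 8-byte units, more-fragments flag, bytes)."""
    if max_frag % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(udp), max_frag):
        chunk = udp[off:off + max_frag]
        more = off + len(chunk) < len(udp)
        frags.append((off // 8, more, chunk))
    return frags

def reassemble(frags) -> bytes:
    """Reassemble fragments arriving in any order; refuse gaps, overlaps and a missing tail."""
    out = bytearray()
    ordered = sorted(frags, key=lambda f: f[0])
    for off8, more, chunk in ordered:
        if off8 * 8 != len(out):
            raise ValueError("gap or overlap at byte offset %d" % (off8 * 8))
        out += chunk
    if ordered[-1][1]:
        raise ValueError("last fragment still has MF set")
    return bytes(out)

def verify_udp(src_ip: bytes, dst_ip: bytes, udp: bytes) -> bool:
    """Recompute the checksum over the (reassembled) datagram and compare with the stored one."""
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return True                      # IPv4 sender chose not to checksum
    return udp_checksum(src_ip, dst_ip, udp) == stored

def demo():
    # constructed input: RFC 5737 documentation addresses and a 200-byte payload
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53])
    dgram = build_udp(src, dst, 40000, 53, bytes(range(200)))     # 208 bytes on the wire
    frags = fragment(dgram, 64)                                   # 64 + 64 + 64 + 16
    rebuilt = reassemble(list(reversed(frags)))                   # out-of-order arrival
    damaged = bytearray(rebuilt)
    damaged[100] ^= 0xFF                                          # one byte wrong after reassembly
    return {
        "fragments": len(frags),
        "offsets": [f[0] for f in frags],
        "identical": rebuilt == dgram,
        "checksum_ok": verify_udp(src, dst, rebuilt),
        "damaged_ok": verify_udp(src, dst, bytes(damaged)),
    }

if __name__ == "__main__":
    print(demo())
```

The pseudo-header is the part people forget when they try to check a UDP checksum from a capture: the IP source and destination take part in the sum, so a datagram whose addresses were rewritten (by NAT, for instance) must have its checksum recomputed, and a reassembly that hands the stack a datagram whose bytes or length disagree with the original will fail exactly as above.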
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 10:28:27 2007
From: "Abdullah Ibn Hamad Al-Marri"
To: "FreeBSD PF Pro List"
Date: Thu, 28 Jun 2007 13:28:26 +0300
Subject: Flush ICMP and UDP flooders
Message-ID: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com>

Hello,

I would like to block ICMP and UDP flooders who exceed a reasonable number.

#- Rate Limit UDP (150 per host)
pass proto udp to any port $udp_services keep state
pass in quick proto udp from any to any \
        keep state \
        (max-src-conn 1, max-src-states 151, \
        overload flush global)

#- Rate Limit ICMP (10 per host)
pass in quick proto icmp from any to any \
        keep state \
        (max-src-conn 1, max-src-states 11, \
        overload flush global)

Comments?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 10:57:18 2007
From: LI Xin
Organization: The FreeBSD Project
To: Abdullah Ibn Hamad Al-Marri
Cc: FreeBSD PF Pro List
Date: Thu, 28 Jun 2007 18:56:57 +0800
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <468393F9.2030805@delphij.net>
In-Reply-To: <499c70c0706280328m497a613dg552901c7c9875ed2@mail.gmail.com>

Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
>
> I would like to block ICMP and UDP flooders who exceed a reasonable number.
>
> #- Rate Limit UDP (150 per host)
> pass proto udp to any port $udp_services keep state
> pass in quick proto udp from any to any \
>         keep state \
>         (max-src-conn 1, max-src-states 151, \
>         overload flush global)
>
> #- Rate Limit ICMP (10 per host)
> pass in quick proto icmp from any to any \
>         keep state \
>         (max-src-conn 1, max-src-states 11, \
>         overload flush global)

I think ICMP and UDP can have their originating address forged, so this
will effectively construct a true remotely triggerable DoS...

Cheers,
--
Xin LI        http://www.delphij.net/
FreeBSD - The Power to Serve!

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 11:00:45 2007
From: "Abdullah Ibn Hamad Al-Marri"
To: "LI Xin"
Cc: FreeBSD PF Pro List
Date: Thu, 28 Jun 2007 14:00:44 +0300
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>
In-Reply-To: <468393F9.2030805@delphij.net>

On 6/28/07, LI Xin wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > Hello,
> >
> > I would like to block ICMP and UDP flooders who exceed a reasonable number.
> >
> > #- Rate Limit UDP (150 per host)
> > pass proto udp to any port $udp_services keep state
> > pass in quick proto udp from any to any \
> >         keep state \
> >         (max-src-conn 1, max-src-states 151, \
> >         overload flush global)
> >
> > #- Rate Limit ICMP (10 per host)
> > pass in quick proto icmp from any to any \
> >         keep state \
> >         (max-src-conn 1, max-src-states 11, \
> >         overload flush global)
>
> I think ICMP and UDP can have their originating address forged, so this
> will effectively construct a true remotely triggerable DoS...
>
> Cheers,
> --
> Xin LI        http://www.delphij.net/
> FreeBSD - The Power to Serve!

Thank you Li,

I set antispoof in my pf.conf for the NIC; would these rules help or not?
Do you have suggestions about the values? I run bind on the servers.

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 12:45:22 2007
From: Xin LI
To: Abdullah Ibn Hamad Al-Marri
Cc: FreeBSD PF Pro List
Date: Thu, 28 Jun 2007 20:45:04 +0800
Subject: Re: Flush ICMP and UDP flooders
Message-ID: <4683AD50.4020707@delphij.net>
In-Reply-To: <499c70c0706280400p57a0ab78xd3b75d7857bca4b2@mail.gmail.com>

Abdullah Ibn Hamad Al-Marri wrote:
[...]
>> I think ICMP and UDP can have their originating address forged, so this
>> will effectively construct a true remotely triggerable DoS...
>
> Thank you Li,
>
> I set antispoof in my pf.conf for the NIC; would these rules help or
> not? Do you have suggestions about the values? I run bind on the
> servers.

No. antispoof is for another purpose; to put it simply, it's something like
"Don't bother to handle a packet which should not come from the specified
interface".

An example of use might be, say, you have two NICs: em0 and em1. em0 is
connected to the Internet, and em1 is connected to a private subnet
192.168.0.0/24. The two networks are not interconnected. antispoof on em1
means that if em0 receives a packet which claims to be from 192.168.0.0/24,
then drop it.

ICMP and UDP protocols are, however, not designed for you to be able to
distinguish whether the source address is forged. Thus, using the state
table can be a true DoS sometimes; an attacker can just exhaust the table
resource and render your network non-responsive. So be careful...

Cheers,
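Abdullah's question about the values and Xin LI's caveat both come down to what pf actually counts: states keyed on the address a packet claims to come from. Before picking a max-src-states figure it is worth measuring that distribution on the box itself. The following is an added example written for this archive, not code from the thread or from pf: it parses lines in the layout of pfctl -ss output, attributes each UDP or ICMP state to the address that originated it (the left endpoint for "->" states, the right one for "<-" states, with a NATed endpoint in parentheses recorded but not used for counting), and lists the sources that would already sit at or above a candidate limit. The sample lines, the addresses (RFC 5737 ranges) and the 160-state source are constructed, and the function names are mine. A high count is only a lead: for UDP and ICMP nothing in the state proves the source address is genuine, which is exactly Xin LI's point.

```python
import re
from collections import Counter

# One state line as pfctl -ss prints it: interface, protocol, an endpoint, an optional
# NATed endpoint in parentheses, the arrow, the other endpoint, and the state pair.
# '->' states were created by an outbound packet (originator on the left);
# '<-' states by an inbound one (originator printed on the right).
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<nat>\S+)\))?\s+"
    r"(?P<arrow><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)\s*$"
)
# IPv4 endpoints print as addr:port, IPv6 endpoints as addr[port]
ENDPOINT_RE = re.compile(r"^(?P<addr>.+?)(?::(?P<port4>\d+)|\[(?P<port6>\d+)\])$")

def split_endpoint(text):
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError("unparsable endpoint: %r" % text)
    return m.group("addr"), int(m.group("port4") or m.group("port6"))

def parse_state(line):
    """Return a dict for one state line, or None for anything that is not one."""
    m = STATE_RE.match(line)
    if not m:
        return None
    left, right = split_endpoint(m.group("left")), split_endpoint(m.group("right"))
    origin, peer = (left, right) if m.group("arrow") == "->" else (right, left)
    return {"proto": m.group("proto"), "origin": origin, "peer": peer,
            "nat": m.group("nat"), "state": m.group("state")}

def states_per_source(lines, protos=("udp", "icmp")):
    """Count live states by the address that originated them, for the given protocols."""
    counts = Counter()
    for line in lines:
        st = parse_state(line)
        if st and st["proto"] in protos:
            counts[st["origin"][0]] += 1
    return counts

def over_limit(counts, limit):
    """Sources already at or above a candidate max-src-states value."""
    return {addr: n for addr, n in counts.items() if n >= limit}

def sample_states():
    """Constructed pfctl -ss output (RFC 5737 addresses): a client with an SSH session
    and a few NATed DNS queries to a resolver, and one source holding 160 UDP states."""
    lines = ["all tcp 198.51.100.53:22 <- 192.0.2.10:40001       ESTABLISHED:ESTABLISHED"]
    lines += ["all udp 192.0.2.10:%d (203.0.113.1:%d) -> 198.51.100.53:53       MULTIPLE:MULTIPLE"
              % (51000 + i, 60000 + i) for i in range(3)]
    lines += ["all udp 198.51.100.53:53 <- 203.0.113.7:%d       SINGLE:NO_TRAFFIC" % (10000 + i)
              for i in range(160)]
    return lines

def demo(limit=151):
    counts = states_per_source(sample_states())
    return {"counts": dict(counts), "over_limit": over_limit(counts, limit)}

if __name__ == "__main__":
    import sys
    src = sys.stdin if not sys.stdin.isatty() else None   # e.g. pfctl -ss | python3 this.py
    counts = states_per_source(src) if src else demo()["counts"]
    for addr, n in sorted(counts.items(), key=lambda kv: -kv[1])[:20]:
        print("%6d  %s" % (n, addr))
```

Running it over a day's worth of pfctl -ss snapshots tells you where legitimate clients actually sit; a resolver behind a busy NAT, for example, can hold far more than 150 UDP states by itself, so a per-source limit chosen without that measurement will hit the wrong hosts even before anyone forges a source.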
Cheers, From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 13:21:56 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C1A5016A469 for ; Thu, 28 Jun 2007 13:21:56 +0000 (UTC) (envelope-from linux@giboia.org) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.175]) by mx1.freebsd.org (Postfix) with ESMTP id 1852413C44C for ; Thu, 28 Jun 2007 13:21:53 +0000 (UTC) (envelope-from linux@giboia.org) Received: by ug-out-1314.google.com with SMTP id o4so104281uge for ; Thu, 28 Jun 2007 06:21:52 -0700 (PDT) Received: by 10.82.175.17 with SMTP id x17mr3783076bue.1183036911771; Thu, 28 Jun 2007 06:21:51 -0700 (PDT) Received: by 10.82.134.16 with HTTP; Thu, 28 Jun 2007 06:21:51 -0700 (PDT) Message-ID: <6e6841490706280621l1ffb48edw437b97fb54b85368@mail.gmail.com> Date: Thu, 28 Jun 2007 10:21:51 -0300 
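Editor's added example for Xin LI's antispoof reply above (not code from the thread or from the pf project): what `antispoof for em1 inet` actually expands to under pf.conf(5) for the em0/em1 setup he describes, and which packets those two rules catch. The interface name and the 192.168.0.0/24 subnet are taken from the reply; the em1 address 192.168.0.1 and the sample packets are constructed here.

```python
"""What `antispoof for em1 inet` expands to, and which packets it catches.

Editor's added example for the antispoof discussion above; it is not code
from the thread or from pf itself. The expansion follows pf.conf(5): one
rule drops em1's network when it arrives on any interface other than em1,
a second drops em1's own address as a source on every interface. The
interface and subnet are the ones from the reply; the packets are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]          # None: no "on" clause, the rule applies on every interface
    negate: bool                  # True: "on ! <iface>"
    net: ipaddress.IPv4Network
    text: str                     # the rule as pfctl -sr would print it


def expand_antispoof(ifname, ifaddr, prefixlen, log=False, quick=False):
    """Return the two rules `antispoof [log] [quick] for <ifname> inet` becomes."""
    net = ipaddress.ip_interface(f"{ifaddr}/{prefixlen}").network
    head = "block drop in" + (" log" if log else "") + (" quick" if quick else "")
    return [
        Rule(ifname, True, net, f"{head} on ! {ifname} inet from {net} to any"),
        Rule(None, False, ipaddress.ip_network(f"{ifaddr}/32"),
             f"{head} inet from {ifaddr} to any"),
    ]


def matching_rules(rules, ingress_if, src):
    """Antispoof rules that match a packet arriving on ingress_if with source src."""
    addr = ipaddress.ip_address(src)
    hits = []
    for r in rules:
        if r.iface is None:
            on_ok = True
        elif r.negate:
            on_ok = ingress_if != r.iface
        else:
            on_ok = ingress_if == r.iface
        if on_ok and addr in r.net:
            hits.append(r)
    return hits


RULES = expand_antispoof("em1", "192.168.0.1", 24)

# Constructed packets: (ingress interface, source address, protocol).
SAMPLE_PACKETS = [
    ("em0", "192.168.0.77", "udp"),   # private source from the Internet side: spoofed
    ("em0", "192.168.0.1", "icmp"),   # our own em1 address as source: spoofed
    ("em1", "192.168.0.77", "udp"),   # legitimate LAN traffic
    ("em0", "203.0.113.9", "udp"),    # forged *public* source: antispoof has no opinion
    ("em0", "198.51.100.4", "icmp"),  # same, ICMP
    ("lo0", "192.168.0.1", "tcp"),    # host talking to its own em1 address: also dropped
]


def classify(packets=SAMPLE_PACKETS, rules=RULES):
    """Map (ingress, src) to 'drop' or 'pass' as far as antispoof alone is concerned."""
    return {(ifc, src): ("drop" if matching_rules(rules, ifc, src) else "pass")
            for ifc, src, _proto in packets}


if __name__ == "__main__":
    for r in RULES:
        print(r.text)
    for (ifc, src), verdict in classify().items():
        print(f"{ifc:4} {src:16} {verdict}")
```

The two forged-public-source packets pass: antispoof only knows which networks belong behind which interface, so a UDP or ICMP flood with arbitrary Internet sources goes straight to the state table, which is Xin LI's point. The lo0 case shows the caveat pf.conf(5) warns about: the second rule also drops the host's own traffic to 192.168.0.1 over loopback, so `set skip on lo0` (or an explicit pass) belongs next to any antispoof line.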
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Logs.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Jun 2007 13:21:56 -0000

Hi,
I have a firewall using PF, passing more than 20 Mbps, but with more than
1500 IPs doing NAT.

In my logs I can find:

....
Jun 28 07:00:09 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] [lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev
Jun 28 07:00:09 teste2 pf: State failure on: 1 | 5
Jun 28 07:00:12 teste2 pf: BAD state: TCP 61.228.148.232:21588 61.228.148.232:21588 10.52.15.2:3859 [lo=2649072363 high=2649072365 win=64240 modulator=0] [lo=0 high=1 win=1 modul
ator=0] 2:0 S seq=3741585167 ack=0 len=0 ackskew=0 pkts=1:0 dir=in,fwd
Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5
Jun 28 07:00:12 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] [lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev
Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5
....

And my options in PF:

set debug misc
set timeout { interval 10, frag 30, src.track 0 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1000000, src-nodes 1000000, frags 50000 }
set loginterface em0
set optimization conservative
set block-policy drop
set require-order yes
set state-policy floating

Sometimes it breaks all connections for a few minutes.
I couldn't find any solution for this on the internet.
Maybe it can be something in sysctl on my BSD, but what line???
Does somebody know what I can do???

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 17:17:43 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 186DB16A46B for ; Thu, 28 Jun 2007 17:17:43 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.freebsd.org (Postfix) with ESMTP id A253513C4B7 for ; Thu, 28 Jun 2007 17:17:42 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.64.176.39] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1I3xcg28j8-0006MP; Thu, 28 Jun 2007 19:17:38 +0200
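Editor's added example for Gilberto's "BAD state" log lines above (not code from the thread or from pf): a decoder that parses the lines pf prints from pf_print_state() and re-runs the six TCP window checks that pf_test_state_tcp() reports as the digits in "State failure on:", so each line explains itself. The digit-to-check mapping and the MAXACKWINDOW constant are as I read them in the pf.c of that era (OpenBSD 4.x / FreeBSD 6 and 7); the two sample pairs are copied from the post.

```python
"""Decode pf "BAD state" / "State failure on:" log pairs.

Editor's added example for the logs above; not code from the thread or from
pf. It re-runs the six TCP window checks that pf_test_state_tcp() in pf.c
reports as the digits 1-6 (1-4 before the '|', 5-6 after). Digit-to-check
mapping and MAXACKWINDOW follow the pf.c of that era; compare with your own
kernel's pf.c if the output ever disagrees with what pf logged.
"""
import re

MAXACKWINDOW = 0xffff + 1500        # pf.c: "1500 is an arbitrary fudge factor"
MASK32 = 0xffffffff

# pf_print_state(): "TCP lan gwy ext [src window] [dst window] src.state:dst.state",
# then pf_print_flags(), "seq=N (orig)? ack=N len=N ackskew=N pkts=a:b dir=in|out,fwd|rev".
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=\d+"
    r"(?: wscale=(?P<sws>\d+))?\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=\d+"
    r"(?: wscale=(?P<dws>\d+))?\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+)(?: (?P<flags>[FSRPAUEW]+))? "
    r"seq=(?P<seq>\d+)(?: \(\d+\))? ack=\d+ len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=\d+:\d+ dir=(?P<dir>in|out),(?P<rel>fwd|rev)"
)
FAILURE_RE = re.compile(r"pf: State failure on: (.*)$")

CHECKS = {
    "1": "segment end is past the sender's recorded high (src->seqhi)",
    "2": "segment starts more than one peer window before src->seqlo",
    "3": "ack is more than MAXACKWINDOW behind the peer's seqlo",
    "4": "ack is more than MAXACKWINDOW ahead of the peer's seqlo",
    "5": "segment end is more than MAXACKWINDOW past src->seqhi",
    "6": "segment starts more than MAXACKWINDOW before src->seqlo",
}


def seq_geq(a, b):
    """TCP SEQ_GEQ(a, b): (int32_t)(a - b) >= 0, a modular comparison."""
    return ((a - b) & MASK32) < 0x80000000


def failure_codes(m):
    """Re-run pf's window checks on a parsed BAD state match; return e.g. '1 | 5'."""
    first = (int(m["slo"]), int(m["shi"]), int(m["swin"]), int(m["sws"] or 0))
    second = (int(m["dlo"]), int(m["dhi"]), int(m["dwin"]), int(m["dws"] or 0))
    # pf's "src" is the side that sent this packet: the state's src for
    # dir=...,fwd (first bracket), the state's dst for ...,rev (second bracket).
    (s_lo, s_hi, _, s_ws), (_, _, d_win, d_ws) = (first, second) if m["rel"] == "fwd" else (second, first)
    flags = m["flags"] or ""
    if "S" in flags:                    # pf does not apply window scaling to SYN segments
        s_ws = d_ws = 0
    seq, ackskew = int(m["seq"]), int(m["ackskew"])
    end = (seq + int(m["len"]) + ("S" in flags) + ("F" in flags)) & MASK32
    ok = [
        seq_geq(s_hi, end),                                   # 1
        seq_geq(seq, (s_lo - (d_win << d_ws)) & MASK32),      # 2
        ackskew >= -MAXACKWINDOW,                             # 3
        ackskew <= (MAXACKWINDOW << s_ws),                    # 4
        seq_geq((s_hi + MAXACKWINDOW) & MASK32, end),         # 5
        seq_geq(seq, (s_lo - MAXACKWINDOW) & MASK32),         # 6
    ]
    left = " ".join(str(i + 1) for i in range(4) if not ok[i])
    right = " ".join(str(i + 1) for i in range(4, 6) if not ok[i])
    return f"{left} | {right}".strip()


def explain(log_lines):
    """Pair each BAD state line with the following State failure line and re-derive its codes."""
    out = []
    for i, line in enumerate(log_lines):
        m = BAD_STATE_RE.search(line)
        if not m:
            continue
        logged = None
        if i + 1 < len(log_lines):
            f = FAILURE_RE.search(log_lines[i + 1])
            if f:
                logged = " ".join(f.group(1).split())   # syslog may squeeze the spacing
        computed = failure_codes(m)
        out.append({
            "lan": m["lan"], "ext": m["ext"], "state": f'{m["sstate"]}:{m["dstate"]}',
            "flags": m["flags"] or "", "direction": f'{m["dir"]},{m["rel"]}',
            "logged": logged, "computed": computed, "agree": logged == computed,
            "reasons": [CHECKS[c] for c in computed.replace("|", "").split()],
        })
    return out


# The two distinct BAD state pairs from the post above, one entry per line.
SAMPLE_LOG = [
    "Jun 28 07:00:09 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 "
    "200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] "
    "[lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 "
    "ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev",
    "Jun 28 07:00:09 teste2 pf: State failure on: 1 | 5",
    "Jun 28 07:00:12 teste2 pf: BAD state: TCP 61.228.148.232:21588 61.228.148.232:21588 "
    "10.52.15.2:3859 [lo=2649072363 high=2649072365 win=64240 modulator=0] "
    "[lo=0 high=1 win=1 modulator=0] 2:0 S seq=3741585167 ack=0 len=0 ackskew=0 "
    "pkts=1:0 dir=in,fwd",
    "Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5",
]

if __name__ == "__main__":
    for r in explain(SAMPLE_LOG):
        print(f'{r["lan"]} -> {r["ext"]} state {r["state"]} flags {r["flags"]} {r["direction"]}: '
              f'logged "{r["logged"]}", computed "{r["computed"]}"', "" if r["agree"] else "MISMATCH")
        for why in r["reasons"]:
            print("   ", why)
```

Both sample pairs decode to "1 | 5": the segment ends far beyond the sequence range pf recorded for that side, by more than MAXACKWINDOW. In the first pair the state is 10:10 (TIME_WAIT on both sides in tcp_fsm numbering) and a SYN/ACK with a new sequence number arrives; in the second a fresh SYN with a new ISN hits a state still at 2:0, i.e. the client reused its port while the old entry had not yet expired. Feed the tool a stretch of /var/log/messages and look at which states and flags dominate before touching timeouts.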
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 28 Jun 2007 19:19:25 +0200
User-Agent: KMail/1.9.6
References: <20070528224225.GC40678@registro.br> <20070604194430.GD21681@registro.br> <200706042200.14860.max@love2party.net>
In-Reply-To: <200706042200.14860.max@love2party.net>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart26291597.Bi16EKtsA2"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200706281919.41777.max@love2party.net>
X-Provags-ID: V01U2FsdGVkX1+biTj3SZtZH3kf2QOaWaWJTdd5eGDytI5L9I6 TLSbbGzrEHwGsuJCsLijOubTACpOO64P4s5o9qa9QfYJbGCRlV r4HMHxBljWJn2navEZg0kd1pqY2Kt1NbcN93WGpbrI=
Cc: Hugo Koji Kobayashi
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Jun 2007 17:17:43 -0000

--nextPart26291597.Bi16EKtsA2
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Monday 04 June 2007, Max Laier wrote:
> Hi again,
>
> On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > pf is running on the DNS client machine. The DNS server is on a
> > completely different network (I don't control this server). The
> > client can send the udp request with no problem (it's a small udp
> > datagram; less than 512 bytes), the server sends the udp response
> > fragmented, but the client can't receive it.
> >
> > Please, find attached a new test with the requested information.
> >
> > udp:
> >         36 datagrams received
> >         2 with bad checksum
> >         34 delivered
> >         40 datagrams output
> >
> >
> > udp:
> >         36 datagrams received
> >         3 with bad checksum
> >         33 delivered
> >         41 datagrams output
>
> Aha!  Can you confirm that "bad checksum" increases for every
> fragmented packet and I'll look for a cure.

I can't reproduce this.  What hardware are you running on? (arch, nic
(rx/txcsum), non-standard CFLAGS).  Just to confirm I'm testing the right
cases, my setup looks like:

Host1        Host2        Host3

netsend -> pf scrub -> pf scrub -> netreceive

Everything works as expected with various UDP payloads > MTU.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart26291597.Bi16EKtsA2
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (FreeBSD)

iD8DBQBGg+2tXyyEoT62BG0RAonoAJ9CsdYETd3u+u6cyHNidkYl21wCVQCeOATp
PbMQx7H+zPX0Dh3+umz8l1I=
=PIvy
-----END PGP SIGNATURE-----

--nextPart26291597.Bi16EKtsA2--

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 17:44:17 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E4BCA16A559 for ; Thu, 28 Jun 2007 17:44:17 +0000 (UTC) (envelope-from vchepkov@gmail.com)
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.248]) by mx1.freebsd.org (Postfix) with ESMTP id 9EA0113C48A for ; Thu, 28 Jun 2007 17:44:17 +0000 (UTC) (envelope-from vchepkov@gmail.com)
Received: by an-out-0708.google.com with SMTP id c14so147522anc for ; Thu, 28 Jun 2007 10:44:16 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta;
h=domainkey-signature:received:received:message-id:from:to:cc:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=C030bXu8dUZHYnFcRDs6O8CgDCbOqOQB+2mHECQkYscgnKQGqWfJlggy4wIms+4OcxyVxomA+zhyfYE0YiR6vrDNc+qudr4RRxaGtcaygk2L+YPm6b4Ge9xOqL6JHROgp0gAoCwCrfIlFSXeEmqDTb3d5eQluuk+Y5LxHE/UorM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:from:to:cc:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=Pyv4UygukJ4pBkX4uSvYKTw8+WRC+PFtgovcz5rkxXGwEoHetJrjrfgCfNz5SV9If9xmvdp8ESmZuHlQoPxr4ux8phCoqlOJ3BBJ5kgI5BsXaP9kkhsdxC0YSLQ8qobIjs5RGTBjx8HqmOFSBK/j38pBFuUKuYACF399MCiCkkw= Received: by 10.100.191.5 with SMTP id o5mr1437306anf.1183052656874; Thu, 28 Jun 2007 10:44:16 -0700 (PDT) Received: from d600 ( [70.109.59.182]) by mx.google.com with ESMTP id c28sm13721587anc.2007.06.28.10.44.14 (version=SSLv3 cipher=RC4-MD5); Thu, 28 Jun 2007 10:44:15 -0700 (PDT) Message-ID: <008201c7b9ab$eabfe820$c40a0a0a@chepkov.lan> 
From: "Vadym Chepkov"
To: "Max Laier" ,
References: <20070528224225.GC40678@registro.br> <20070604194430.GD21681@registro.br> <200706042200.14860.max@love2party.net> <200706281919.41777.max@love2party.net>
Date: Thu, 28 Jun 2007 13:44:01 -0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-6"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Cc: Hugo Koji Kobayashi
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Jun 2007 17:44:18 -0000

Mine is a SmartMicro server, AMD Opteron, bge interfaces.

head /etc/make.conf
CPUTYPE=opteron
CFLAGS= -O -pipe
COPTFLAGS= -O -pipe
MAKEOPTS="-j4"

bge1: flags=8843 mtu 1500
        options=1b
        inet 192.168.17.1 netmask 0xffffff00 broadcast 192.168.17.255
        ether 00:30:48:5c:27:ad
        media: Ethernet autoselect (1000baseTX )
        status: active

Host1             Host2        Host3

Amanda server -> PF Scrub -> Amanda client

Packets get dropped on host2.

Vadym

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 18:07:43 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A2C4B16A400 for ; Thu, 28 Jun 2007 18:07:43 +0000 (UTC) (envelope-from koji@registro.br)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) by mx1.freebsd.org (Postfix) with ESMTP id EC9BF13C44B for ; Thu, 28 Jun 2007 18:07:42 +0000 (UTC) (envelope-from koji@registro.br)
Received: by clone.registro.br (Postfix, from userid 1002) id D31D59589F; Thu, 28 Jun 2007 15:07:41 -0300 (BRT)
Date: Thu, 28 Jun 2007 15:07:41 -0300
From: Hugo Koji Kobayashi
To: Max Laier
Message-ID: <20070628180741.GA7323@registro.br>
References: <20070528224225.GC40678@registro.br> <20070604194430.GD21681@registro.br> <200706042200.14860.max@love2party.net> <200706281919.41777.max@love2party.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="0F1p//8PRICkK4MW"
Content-Disposition: inline
In-Reply-To: <200706281919.41777.max@love2party.net>
User-Agent: Mutt/1.4.2.2i
X-Organization: Registro.br
X-URL: http://registro.br/
X-Operating-System: FreeBSD
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Jun 2007 18:07:43 -0000

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi Max,

On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> On Monday 04 June 2007, Max Laier wrote:
> > Hi again,
> >
> > On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > > pf is running on the DNS client machine. The DNS server is on a
> > > completely different network (I don't control this server). The
> > > client can send the udp request with no problem (it's a small udp
> > > datagram; less than 512 bytes), the server sends the udp response
> > > fragmented, but the client can't receive it.
> > >
> > > Please, find attached a new test with the requested information.
> > >
> > > udp:
> > >         36 datagrams received
> > >         2 with bad checksum
> > >         34 delivered
> > >         40 datagrams output
> > >
> > >
> > > udp:
> > >         36 datagrams received
> > >         3 with bad checksum
> > >         33 delivered
> > >         41 datagrams output
> >
> > Aha!  Can you confirm that "bad checksum" increases for every
> > fragmented packet and I'll look for a cure.
>
> I can't reproduce this.  What hardware are you running on? (arch, nic
> (rx/txcsum), non-standard CFLAGS).

It's a Dell Latitude D610 notebook. dmesg and ifconfig are attached.
I have nothing in my /etc/make.conf.

> Just to confirm I'm testing the right
> cases, my setup looks like:
>
> Host1        Host2        Host3
>
> netsend -> pf scrub -> pf scrub -> netreceive
>

I'm not sure I understood your setup. Why are there 3 hosts?

I think a query should be something like this:

Client[netsend->pf scrub] -> Internet -> DNS server

And the response should be:

DNS server -> Internet -> Client[pf scrub->netreceive]

> > Everything works as expected with various UDP payloads > MTU.
>

Are you saying that you're able to receive responses to the following
dig command when it's run from a client machine running pf scrub?

dig @a.ns.se se dnskey +dnssec +bufsize=4500

This query is supposed to receive a DNS answer of more than 4KB.

Thanks,
Hugo

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=dmesg-ifconfig

Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-CURRENT #1: Tue Jun 19 14:57:32 BRT 2007
    root@fbsd7.0:/usr/obj/usr/src/sys/GENERIC
WARNING: WITNESS option enabled, expect reduced performance.
ACPI APIC Table: Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) Pentium(R) M processor 2.00GHz (1994.97-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x6d8 Stepping = 8 Features=0xafe9fbff Features2=0x180 AMD Features=0x100000 real memory = 1073549312 (1023 MB) avail memory = 1036935168 (988 MB) Security auditing service present BSM auditing present ioapic0: Changing APIC ID to 1 ioapic0 irqs 0-23 on motherboard kbd1 at kbdmux0 ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413) acpi0: on motherboard acpi0: [ITHREAD] acpi0: reservation of 0, 9fc00 (3) failed acpi0: reservation of 100000, 3fed1800 (3) failed Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000 acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1008-0x100b on acpi0 cpu0: on acpi0 acpi_perf0: on cpu0 acpi_perf0: failed in PERF_STATUS attach device_attach: acpi_perf0 attach returned 6 acpi_perf0: on cpu0 acpi_perf0: failed in PERF_STATUS attach device_attach: acpi_perf0 attach returned 6 acpi_throttle0: on cpu0 acpi_acad0: on acpi0 battery0: on acpi0 battery1: on acpi0 acpi_lid0: on acpi0 acpi_button0: on acpi0 acpi_button1: on acpi0 pcib0: port 0xcf8-0xcff on acpi0 pci0: on pcib0 pcib1: at device 1.0 on pci0 pci1: on pcib1 vgapci0: port 0xde00-0xdeff mem 0xd0000000-0xd7ffffff,0xdfdf0000-0xdfdfffff irq 16 at device 0.0 on pci1 pcib2: at device 28.0 on pci0 pci2: on pcib2 pci2:0:0: bad VPD cksum, remain 14 bge0: mem 0xdfcf0000-0xdfcfffff irq 16 at device 0.0 on pci2 miibus0: on bge0 brgphy0: PHY 1 on miibus0 brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto bge0: Ethernet address: 00:12:3f:15:36:7d bge0: [ITHREAD] uhci0: port 0xbf80-0xbf9f irq 16 at device 29.0 on pci0 uhci0: [GIANT-LOCKED] uhci0: [ITHREAD] usb0: on uhci0 usb0: USB revision 1.0 uhub0: on usb0 uhub0: 2 ports with 2 removable, self powered uhci1: port 0xbf60-0xbf7f irq 17 at device 29.1 on pci0 uhci1: [GIANT-LOCKED] uhci1: [ITHREAD] usb1: on uhci1 usb1: 
USB revision 1.0 uhub1: on usb1 uhub1: 2 ports with 2 removable, self powered uhci2: port 0xbf40-0xbf5f irq 18 at device 29.2 on pci0 uhci2: [GIANT-LOCKED] uhci2: [ITHREAD] usb2: on uhci2 usb2: USB revision 1.0 uhub2: on usb2 uhub2: 2 ports with 2 removable, self powered uhci3: port 0xbf20-0xbf3f irq 19 at device 29.3 on pci0 uhci3: [GIANT-LOCKED] uhci3: [ITHREAD] usb3: on uhci3 usb3: USB revision 1.0 uhub3: on usb3 uhub3: 2 ports with 2 removable, self powered ehci0: mem 0xffa80800-0xffa80bff irq 16 at device 29.7 on pci0 ehci0: [GIANT-LOCKED] ehci0: [ITHREAD] usb4: EHCI version 1.0 usb4: companion controllers, 2 ports each: usb0 usb1 usb2 usb3 usb4: on ehci0 usb4: USB revision 2.0 uhub4: on usb4 uhub4: 8 ports with 8 removable, self powered pcib3: at device 30.0 on pci0 pci3: on pcib3 cbb0: at device 1.0 on pci3 cardbus0: on cbb0 pccard0: <16-bit PCCard bus> on cbb0 cbb0: [ITHREAD] pci3: at device 1.5 (no driver attached) pci3: at device 3.0 (no driver attached) pci0: at device 30.2 (no driver attached) isab0: at device 31.0 on pci0 isa0: on isab0 atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xbfa0-0xbfaf irq 17 at device 31.2 on pci0 ata0: on atapci0 ata0: [ITHREAD] ata1: on atapci0 ata1: [ITHREAD] acpi_tz0: on acpi0 atkbdc0: port 0x60,0x64,0x62,0x66 irq 1 on acpi0 atkbd0: irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] atkbd0: [ITHREAD] psm0: irq 12 on atkbdc0 psm0: [GIANT-LOCKED] psm0: [ITHREAD] psm0: model GlidePoint, device ID 0 sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0 sio0: type 16550A sio0: [FILTER] sio1 port 0x2f8-0x2ff,0x280-0x287 irq 3 drq 3 on acpi0 sio1: type 16550A sio1: [FILTER] pmtimer0 on isa0 orm0: at iomem 0xc0000-0xcffff pnpid ORM0000 on isa0 ppc0: at port 0x378-0x37f irq 7 on isa0 ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode ppc0: FIFO with 16/16/8 bytes threshold ppbus0: on ppc0 plip0: on ppbus0 lpt0: on ppbus0 lpt0: Interrupt-driven port ppi0: on ppbus0 ppc0: [GIANT-LOCKED] 
ppc0: [ITHREAD] sc0: at flags 0x100 on isa0 sc0: VGA <16 virtual consoles, flags=0x300> vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 ugen0: on uhub1 Timecounter "TSC" frequency 1994973610 Hz quality 800 Timecounters tick every 1.000 msec ad0: 76319MB at ata0-master UDMA100 acd0: DVDR at ata1-master UDMA33 WARNING: WITNESS option enabled, expect reduced performance. Trying to mount root from ufs:/dev/ad0s2a bge0: link state changed to UP bge0: flags=8843 metric 0 mtu 1500 options=9b ether 00:12:3f:15:36:7d inet xxx.xxx.xxx.xxx netmask 0xffffffc0 broadcast xxx.xxx.xxx.xxx media: Ethernet autoselect (1000baseTX ) status: active plip0: flags=108810 metric 0 mtu 1500 lo0: flags=8049 metric 0 mtu 16384 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 pflog0: flags=141 metric 0 mtu 33204 --0F1p//8PRICkK4MW-- From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 18:20:37 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1EB9216A400 for ; Thu, 28 Jun 2007 18:20:37 +0000 (UTC) (envelope-from vchepkov@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.243]) by mx1.freebsd.org (Postfix) with ESMTP id CD39413C484 for ; Thu, 28 Jun 2007 18:20:36 +0000 (UTC) (envelope-from vchepkov@gmail.com) Received: by an-out-0708.google.com with SMTP id c14so150279anc for ; Thu, 28 Jun 2007 11:20:36 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:from:to:cc:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=SPA+AslEp8lyWvA2w7MR6UhEby1yH2qf7gm7dzIj9Twtm2w1Z7UwLP5zflbgw058EdoEvoQXJWPwVZ3pHH7VOXu5guSpLu3K2nJEIzwA1tj8XE1cW7lz1gpl3ij7C7QCFUcaBZD16e+ppQv5Dyq7bilWPzc+fAOYV+4kk04+M5k= DomainKey-Signature: 
a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:from:to:cc:references:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=Ht9F21WKvmCimcetY2OcxybmcU4oRGr4+/r4+macn0oiHFQaGPnJv8sTAShA9NdiExEiiRCklGP0qh960rTuc1LJU2JxvSw/+LpJPfpIkk12wafEg4ZAon4ieChwSefqbsGhnZrpMNubti6HiRkICBfNyoD3Ltgr9tV2xSAG9Bg= Received: by 10.100.165.9 with SMTP id n9mr1501955ane.1183054836100; Thu, 28 Jun 2007 11:20:36 -0700 (PDT) Received: from d600 ( [70.109.59.182]) by mx.google.com with ESMTP id c37sm13745991ana.2007.06.28.11.20.33 (version=SSLv3 cipher=RC4-MD5); Thu, 28 Jun 2007 11:20:34 -0700 (PDT) Message-ID: <008e01c7b9b0$fcabf920$c40a0a0a@chepkov.lan> 
From: "Vadym Chepkov"
To: "Hugo Koji Kobayashi" , "Max Laier"
References: <20070528224225.GC40678@registro.br> <20070604194430.GD21681@registro.br> <200706042200.14860.max@love2party.net> <200706281919.41777.max@love2party.net> <20070628180741.GA7323@registro.br>
Date: Thu, 28 Jun 2007 14:20:18 -0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Jun 2007 18:20:37 -0000

I concur, this command doesn't work from my server with PF running as well,
so it's easily reproducible.

> dig @a.ns.se se dnskey +dnssec +bufsize=4500

From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 19:32:28 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E1CBA16A421 for ; Thu, 28 Jun 2007 19:32:28 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.freebsd.org (Postfix) with ESMTP id 61CA713C480 for ; Thu, 28 Jun 2007 19:32:26 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.64.176.39] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1I3zj50To8-0006EQ; Thu, 28 Jun 2007 21:32:23 +0200
From: Max Laier
Organization: FreeBSD
To: Hugo Koji Kobayashi
Date: Thu, 28 Jun 2007 21:34:18 +0200
User-Agent: KMail/1.9.6
References: <20070528224225.GC40678@registro.br> <200706281919.41777.max@love2party.net> <20070628180741.GA7323@registro.br>
In-Reply-To: <20070628180741.GA7323@registro.br>
X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart4081085.hRqvJ6Qa0i"; protocol="application/pgp-signature"; micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200706282134.26140.max@love2party.net>
X-Provags-ID: V01U2FsdGVkX1+YQW3voA+l8qfuZ7pFF1OlDs9fjqiIevCMqhu f7q7IvMYGjH+qbh/i5d0wQKmekJgnVIV6dhAgr2aU5myh4hbRr iHjkQPC7zA9yIugDZQ0T57yxDVlz4poEYPXShjsiYY=
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Jun 2007 19:32:29 -0000

--nextPart4081085.hRqvJ6Qa0i
Content-Type: multipart/mixed; boundary="Boundary-01=_90AhGTvQx1MY4ib"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--Boundary-01=_90AhGTvQx1MY4ib
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > Just to confirm I'm testing the right
> > cases, my setup looks like:
> >
> > Host1        Host2        Host3
> >
> > netsend -> pf scrub -> pf scrub -> netreceive
>
> I'm not sure I understood your setup. Why are there 3 hosts?

In order to test scrub on forward and receiver at the same time (but
taking Host2 out of the stream doesn't change the result).

> I think a query should be something like this:
>
> Client[netsend->pf scrub] -> Internet -> DNS server
>
> And the response should be:
>
> DNS server -> Internet -> Client[pf scrub->netreceive]
>
> > Everything works as expected with various UDP payloads > MTU.
>
> Are you saying that you're able to receive responses to the following
> dig command when it's run from a client machine running pf scrub?
>
> dig @a.ns.se se dnskey +dnssec +bufsize=4500
>
> This query is supposed to receive a DNS answer of more than 4KB.

See the attached script I did just now.

The only thing common about your setup seems to be the bge(4) NIC.  Can
you try disabling hardware checksumming (ifconfig -txcsum -rxcsum)?  My
test is over a hardware checksumming fxp(4) card, though.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--Boundary-01=_90AhGTvQx1MY4ib
Content-Type: text/plain; charset="iso-8859-6"; name="udpfrag.col"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="udpfrag.col"

Script started on Thu Jun 28 21:20:28 2007
21:20 amd64# dmesg > pre.dig
21:20 amd64# echo "scrub in" | pfctl -ef-
pf enabled
21:20 amd64# dmesg > pre.dig
21:21 amd64# pfctl -sr
scrub in all fragment reassemble
21:21 amd64# pfctl -xm
debug level set to 'misc'
21:21 amd64# dig @a.ns.se se dnskey +dnssec +bufsize=4500

; <<>> DiG 9.4.1 <<>> @a.ns.se se dnskey +dnssec +bufsize=4500
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43979
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 10, ADDITIONAL: 24
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.
IN DNSKEY ;; ANSWER SECTION: se. 3600 IN DNSKEY 257 3 5 AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe3Y 9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbbOTcM 8pwXlj0EiX3oDFVmjHO444gLkBOUKUf/mC7HvfwYH/Be22GnClrinKJp 1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt8lgnyTUHs 1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/buvF4qJCydui eHukuY3H4XMAcR+xia2nIUPvm/oyWR8BW/hWdzOvnSCThlHf3xiYleDb t/o1OTQ09A0= se. 3600 IN DNSKEY 257 3 5 AwEAAb6xRZHEf+PyF5dxEvz0BHEHbziu6iZaiNW/yjSaZcmrmZiRMF8F PppD+XuKSau0rgu4eBwYdpkEoMVR4FhI8frkuPHIue2LP1ETo+2hCrdr 60K1538yLvzbOhMxXt6knjPN+OlalMmCknadaofKga5FLKOPQs2C3nw6 AH4WUNGrchmDMVBwRwfZdQXYZTXesqULmGMK7mwjQGOxerRDQWrFv8Nh NnVV31PihaYBdQ1TJjvfGS/FYZJwv/BddiELiLeUnNWu3AOsRAshgOcD BOAPUvKJNEq6RHELFmvXOOe2d8H2yzv02EMQik6GwUm16DrSdmX+SWfe lQs+9ELFN6k= se. 3600 IN DNSKEY 256 3 5 AwEAAbhCVInOCVKWoaeWFmCHfO0SW4MAEWiM2MrbR6q1fclgAa04Lkqu c2Lp1xQ1ssO7rDYDLf8Uhe6EU6Xs56mRS5ZhHGiWwozrY4duxyAaYQUo d6LuH0u5Q0VRUs5Yv5hh9YvVxR1iclbQleg6NDVVeMQU4lFWOnHbP6Md 2SNWptVV se. 3600 IN DNSKEY 256 3 5 AwEAAcWT6tpmgKhM53EgomdSmbai1MRzj0bA6wWfmkFRU7wkNgKAP/Z+ 2Lc80W0EmNBwaT5mi2QDqKXCMXS4GgxNCNg5nOAgdcS2XqGYPFYNkETW iTtjnO3MPSZb4i77BEpAP2OtbazmRBAeYVNYV61X8o6X3H808b4mRIFF VBeMacsR se. 3600 IN DNSKEY 256 3 5 AwEAAc3n4vV7f6TbRjSpfADcIBn+MDqzuFUo+s3b85wC8Tp+d1EDlLPF /5GIR4Y3P+8u1OpPKuCCzurvfics/HiGQU3Jkv3wlFP5cZLBSpCiwazY 253uJwXpItS+liP6AK+kOOwsEWTYxG6vvBodm/ASTbqs2FqokFTPLW74 lTOp51a5 se. 3600 IN RRSIG DNSKEY 5 1 3600 20070704234724 20070628060616 55323 se. YXrv/m8r7cJgBXvI8RSGWnijl+P+5e+zrYeeIaBVKZkgAA3kt4+F16h7 hlEG/WBRR45lQUk+0A79hly/MkXQ11TgoJWd18t6YLDrkYkzL7Mu8XhU ohyTcXowVjICf8GjYwROofql2Gavb1ixsWu8HDj1V9PfOc5y7xdiPzFg Fnc= se. 3600 IN RRSIG DNSKEY 5 1 3600 20070714000000 20070601133943 6166 se. 
HAhEV9y1pe52qxK5kwkYQtGQr7uyJgfONWUbiY/j1sJLL4O9jP9TEP+d 5dNaPodc67IOChQ4kxqVDieqlHns7NsVA8yu2TaQkujS9jfp5fgewhlE 5NFEdBgsn1HZJXlAW+OtxqDYvNVien0072XNkGXpc5GtWpA2b6ky1aZ5 RAZHAoXO1gFa1qRdXlcsvLzdpe/SglFHCLCcfW3cSoVgRTfHGwQbncjg Qjg6ldDvZYpHYLZE/jMxh7BVzUxRugAx0PpGn4D3n/Y8dfUBTRU3f9El b+7NRyvSaFwXEx3OfPpAN4fmB0PUhWcuT02XPYL6zYYkW7b5Y5kr0mgf aoBasQ== se. 3600 IN RRSIG DNSKEY 5 1 3600 20070714000000 20070601133943 17686 se. nhpLK0Vt+CSH6GqIBbbNigrx2WivrH14tgXfAYhjMM5bnuTXHaYvmgJ9 1pjxgK8rAVJu2VOCapXyVonEK9hCUCsN7IjENgUdDrjwiWP7ECIU3zqa eI3bjpEEgp3ZLEuVrfARkvyv29quztcbiATLxLHjRtu6V4K7riCCch8B zVo7v8FyXbpCNf3u4ixNe6vpouAQbAUQeyGc+MIdzdhLfzcHFLbBtq1a YTTiOP6PtxVsCyUomuV9P0yOoM4pmpfTPR26Nu50E5yRxTAh83a2zckJ FlSyGYM3thCZwlLzjQyNPcARb/LU2HgX+2/Cqpymg3IVeLvMV2C5i0Q0 B0RYgQ== ;; AUTHORITY SECTION: se. 172800 IN NS f.ns.se. se. 172800 IN NS g.ns.se. se. 172800 IN NS h.ns.se. se. 172800 IN NS i.ns.se. se. 172800 IN NS a.ns.se. se. 172800 IN NS b.ns.se. se. 172800 IN NS c.ns.se. se. 172800 IN NS d.ns.se. se. 172800 IN NS e.ns.se. se. 172800 IN RRSIG NS 5 1 172800 20070704040612 20070628160615 55323 se. Jkngk4Hw3xbuo0sJynmKBhcFWJdKAgd4XoZLpVc9Vi0NKI7IUdqUY7VN +bGNpGo8oqNN7GkBo46Pk8puIuuyGhmXsaeTGnAC+yreN0T9beJsr+C4 hnIjvIDI926qTj/DE3L7P7fuFrUBCkQWgarKNOT2UZNtTE7+wHP2HiK1 8T4= ;; ADDITIONAL SECTION: a.ns.se. 172800 IN A 192.36.144.107 a.ns.se. 172800 IN AAAA 2001:698:9:301::53 b.ns.se. 172800 IN A 192.36.133.107 c.ns.se. 172800 IN A 192.36.135.107 d.ns.se. 172800 IN A 81.228.8.16 e.ns.se. 172800 IN A 81.228.10.57 f.ns.se. 172800 IN A 192.71.53.53 f.ns.se. 172800 IN AAAA 2a01:280:1:53::53 g.ns.se. 172800 IN A 130.239.5.114 g.ns.se. 172800 IN AAAA 2001:6b0:e:3::1 h.ns.se. 172800 IN A 199.7.49.30 i.ns.se. 172800 IN A 194.146.106.22 a.ns.se. 172800 IN RRSIG A 5 3 172800 20070705081735 20070628160615 55323 se. 
SSHbBWugXQUNAvh4t3xMgFR0ii7GliFahJNLHNuoZl+RTpgLgBLi7dIx JpxswqXpoiHD9r84TJcpw2RSsK4BHmL009vFual17wQ8kzbTHn7hlLce lJREMWnRUeNDAW1x6VkDlXnqqToftUfXs6U6NhxCUv0rpPuu24qR67lH Wik= a.ns.se. 172800 IN RRSIG AAAA 5 3 172800 20070704094109 20070628160615 55323 se. Ow9XU/2UbAfqIJ8LFXkdPVPENA7ueLHpa7jai7IjqnpzlPwNDIKbnSKM CQC/fvC55RZQpw1kIU0FsLeyxEukChb7suM242tjjTj1a/aT8mW5aEBh /gQfRHSTAcDuoV4NCn2w85U3OU4FSrr7+z92EM0myZEUyKyJ+ioU31tM cZc= b.ns.se. 172800 IN RRSIG A 5 3 172800 20070704185325 20070628160615 55323 se. h3dnpUyB9gL3ilLJKFFuednhLynv3Qv92Nd3gqD6ryEMqtKlhgaIDYve umH+BnmaR84IS5wy92uwgodkx8l1OGTG3ygsKV8TzSbc2MHDE1M2hwnx 99tbJhfB1kYJrFm0nCeER7SRmmhfrEjbIbdOCjZebufbEU6Yb67pGYmt BBg= c.ns.se. 172800 IN RRSIG A 5 3 172800 20070705123252 20070628160615 55323 se. JgcchMFmx+xfIcne8qlpd4VutOmfooG+jGKDEMpTWoViK6olMp8pIMWh QwwO8Zl5Y1c3eE21Y2gUx10hJb40i6uVnLnFOnVhXewhch6B1SDk7Rac p4fZXuNqG/bCgaWYoorvayhgO42trU+Ci9ini2EciB0JXljg7ABp6v6i 9k0= d.ns.se. 172800 IN RRSIG A 5 3 172800 20070705045153 20070628160615 55323 se. NFHM/OXoEzci4Qt62vIYW9YxGzg4ImooHqgd/FPqmTzsRaT1lq9zGZT0 9z7iOeDwKzqKqdbBPZ6APX6rJj+KnPYe5ROcM2wKYlZFcbJ9OvmJszAr OHaB8pBNI0mP9ZPVV5mRsX/zcaR7gj9FGoMamxLVd9uJgTB33mC2lKA7 21k= e.ns.se. 172800 IN RRSIG A 5 3 172800 20070705050847 20070628160615 55323 se. E5bM0781LqP8mYsvs0c1lQ3Y7rcQYv8clrBj8aHuOXg6y+20DL0CgETO WwviHAqZOU4X6vmz3bq2n0s7ipQblvYXDLCZKq5kIDfEiBUyKMlEqie1 YOckxIdvACaZ1kBlk9+wl9q8CtJB1K72QtLlPS+gyhYlTq9CXGENjHCP S7U= f.ns.se. 172800 IN RRSIG A 5 3 172800 20070704161415 20070628160615 55323 se. lncq+1XHqXhKA7sdTPmjrmSfGELRUTBSIHMQXwWTZlEVz32gvQqAeARt JgKbVpQWgRMmWfclS/oObEO+nJ9Y55ZX1q+f0v/43Sl1fhRu0gVmKxp6 unncN33igSj0gyoasN+nxNx3dWCnEOvTnVlTaaETzDkHrFa7tRGqSQZM 9Ok= f.ns.se. 172800 IN RRSIG AAAA 5 3 172800 20070704203230 20070628160615 55323 se. k0FH9krK5wBN6ZUXlZcz7kQFyNRRXIluWbotwtSs+NnFOs+A+7vb5Jr1 5UejzTqbIco3hMfqepFoJOeHnINpq4DeDc707mLqTB2lC5Nai/sN8EDz qN4JV6twWUYibnmfcU5EZgafCVex7sOrstmPHMTIIIwVFAnS3LhP86LG agE= g.ns.se. 
;; Query time: 59 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Thu Jun 28 21:21:57 2007
;; MSG SIZE rcvd: 4088

21:21 amd64# dmesg > post.dig
21:22 amd64# diff pre.dig post.dig
269a270,274
> pf_normalize_ip: reass frag 48998 @ 0-1480
> pf_normalize_ip: reass frag 48998 @ 1480-2960
> pf_normalize_ip: reass frag 48998 @ 2960-4096
> pf_reassemble: 4096 < 4096?
> pf_reassemble: complete: 0xffffff00049c6e00(4116)
21:22 amd64# exit

Script done on Thu Jun 28 21:22:05 2007
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 19:44:37 2007
From: "Vadym Chepkov"
To: "Max Laier", "Hugo Koji Kobayashi"
Cc: freebsd-pf@freebsd.org
Date: Thu, 28 Jun 2007 15:44:17 -0400
Message-ID: <009f01c7b9bc$b7a3bd20$c40a0a0a@chepkov.lan>
Subject: Re: udp fragmentation

Yes, this eliminated the issue. Bug in bge driver?

----- Original Message -----
From: "Max Laier"
To: "Hugo Koji Kobayashi"
Cc: "Vadym Chepkov"
Sent: Thursday, June 28, 2007 3:34 PM
Subject: Re: udp fragmentation

On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > Just to confirm I'm testing the right
> > cases, my setup looks like:
> >
> > Host1 Host2 Host3
> >
> > netsend -> pf scrub -> pf scrub -> netreceive
>
> I'm not sure I understood your setup. Why are there 3 hosts?

In order to test scrub on forward and receiver at the same time (but
taking Host2 out of the stream doesn't change the result).

> I think a query should be sth like this:
>
> Client[netsend->pf scrub] -> Internet -> DNS server
>
> And the response should be:
>
> DNS server -> Internet -> Client[pf scrub->netreceive]
>
> > Everything works as expected with various UDP payloads > MTU.
>
> Are you saying that you're able to receive responses to the following
> dig command when it's run from a client machine running pf scrub?
>
> dig @a.ns.se se dnskey +dnssec +bufsize=4500
>
> This query is supposed to receive a DNS answer of more than 4KB.

See the attached script I did just now.

The only thing common about your setup seems to be the bge(4) NIC. Can
you try disabling hardware checksumming (ifconfig -txcsum -rxcsum)? My
test is over a hardware checksumming fxp(4) card, though.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--------------------------------------------------------------------------------
> Script started on Thu Jun 28 21:20:28 2007
> 21:20 amd64# dmesg > pre.dig
> 21:20 amd64# echo "scrub in" | pfctl -ef-
> pf enabled
> 21:20 amd64# dmesg > pre.dig
> 21:21 amd64# pfctl -sr
> scrub in all fragment reassemble
> 21:21 amd64# pfctl -xm
> debug level set to 'misc'
> 21:21 amd64# dig @a.ns.se se dnskey +dnssec +bufsize=4500
>
> ; <<>> DiG 9.4.1 <<>> @a.ns.se se dnskey +dnssec +bufsize=4500
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43979
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 10, ADDITIONAL: 24
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;se. IN DNSKEY
>
> ;; ANSWER SECTION:
>
> ;; Query time: 59 msec
> ;; SERVER: 192.36.144.107#53(192.36.144.107)
> ;; WHEN: Thu Jun 28 21:21:57 2007
> ;; MSG SIZE rcvd: 4088
>
> 21:21 amd64# dmesg > post.dig
> 21:22 amd64# diff pre.dig post.dig
> 269a270,274
>> pf_normalize_ip: reass frag 48998 @ 0-1480
>> pf_normalize_ip: reass frag 48998 @ 1480-2960
>> pf_normalize_ip: reass frag 48998 @ 2960-4096
>> pf_reassemble: 4096 < 4096?
>> pf_reassemble: complete: 0xffffff00049c6e00(4116)
> 21:22 amd64# exit
>
> Script done on Thu Jun 28 21:22:05 2007
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 19:47:24 2007
From: Hugo Koji Kobayashi
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 28 Jun 2007 16:47:22 -0300
Message-ID: <20070628194722.GB63196@registro.br>
In-Reply-To: <200706282134.26140.max@love2party.net>
Subject: Re: udp fragmentation

On Thu, Jun 28, 2007 at 09:34:18PM +0200, Max Laier wrote:
> On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> >
> > This query is supposed to receive a DNS answer of more than 4KB.
>
> See the attached script I did just now.
>
> The only thing common about your setup seems to be the bge(4) NIC. Can
> you try disabling hardware checksumming (ifconfig -txcsum -rxcsum)? My
> test is over a hardware checksumming fxp(4) card, though.
It worked when disabling hardware checksumming:

fbsd7# ifconfig bge0
bge0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:12:3f:15:36:7d
        inet 200.160.3.113 netmask 0xffffffc0 broadcast 200.160.3.127
        media: Ethernet autoselect (1000baseTX )
        status: active
fbsd7# dig @a.ns.se se dnskey +dnssec +bufsize=4500

; <<>> DiG 9.4.1 <<>> @a.ns.se se dnskey +dnssec +bufsize=4500
; (2 servers found)
;; global options: printcmd
;; connection timed out; no servers could be reached
fbsd7# ifconfig bge0 -txcsum
fbsd7# ifconfig bge0
bge0: flags=8843 metric 0 mtu 1500
        options=98
        ether 00:12:3f:15:36:7d
        inet 200.160.3.113 netmask 0xffffffc0 broadcast 200.160.3.127
        media: Ethernet autoselect (1000baseTX )
        status: active
fbsd7# dig @a.ns.se se dnskey +dnssec +bufsize=4500 | tail -5
;; Query time: 243 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Thu Jun 28 16:46:49 2007
;; MSG SIZE rcvd: 4088
From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 20:54:09 2007
From: Max Laier
Organization: FreeBSD
To: "Vadym Chepkov"
Cc: Hugo Koji Kobayashi, freebsd-pf@freebsd.org
Date: Thu, 28 Jun 2007 22:56:01 +0200
Message-Id: <200706282256.10397.max@love2party.net>
In-Reply-To: <009f01c7b9bc$b7a3bd20$c40a0a0a@chepkov.lan>
Subject: Re: udp fragmentation

[ Please don't top post, fixed ]

On Thursday 28 June 2007, Vadym Chepkov wrote:
> From: "Max Laier", Thursday, June 28, 2007 3:34 PM
>
> > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > > > Just to confirm I'm testing the right
> > > > cases, my setup looks like:
> > > >
> > > > Host1 Host2 Host3
> > > >
> > > > netsend -> pf scrub -> pf scrub -> netreceive
> > >
> > > I'm not sure I understood your setup. Why are there 3 hosts?
> >
> > In order to test scrub on forward and receiver at the same time (but
> > taking Host2 out of the stream doesn't change the result).
> >
> > > I think a query should be sth like this:
> > >
> > > Client[netsend->pf scrub] -> Internet -> DNS server
> > >
> > > And the response should be:
> > >
> > > DNS server -> Internet -> Client[pf scrub->netreceive]
> > >
> > > > Everything works as expected with various UDP payloads > MTU.
> > >
> > > Are you saying that you're able to receive responses to the
> > > following dig command when it's run from a client machine running
> > > pf scrub?
> > >
> > > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> > >
> > > This query is supposed to receive a DNS answer of more than 4KB.
> >
> > See the attached script I did just now.
> >
> > The only thing common about your setup seems to be the bge(4) NIC.
> > Can you try disabling hardware checksumming (ifconfig -txcsum
> > -rxcsum)? My test is over a hardware checksumming fxp(4) card,
> > though.
>
> Yes, this eliminated the issue. Bug in bge driver?

Kind of - the driver claims to have done UDP checksum testing on the
fragment (which is impossible). The attached patch should fix the issue
for bge(4) and any other similar NIC.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="frag_csum.diff"

Index: pf_norm.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v
retrieving revision 1.17
diff -u -r1.17 pf_norm.c
--- pf_norm.c	25 Mar 2006 21:15:25 -0000	1.17
+++ pf_norm.c	28 Jun 2007 20:49:33 -0000
@@ -411,6 +411,11 @@ /* Strip off ip header */ m->m_data += hlen; m->m_len -= hlen; +#ifdef __FreeBSD__ + /* Checksum is not applicable to the reassembled packet */ + m->m_pkthdr.csum_flags &= ~(CSUM_IP_CHECKED | CSUM_IP_VALID | + CSUM_DATA_VALID | CSUM_PSEUDO_HDR); +#endif /* Create a new reassembly queue for this packet */ if (*frag == NULL) {
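Review bot: the clear of csum_flags added under `#ifdef __FreeBSD__` runs for every fragment that reaches this point, so every reassembled datagram ends up re-checksummed in software by the stack; that is the safe fix for a driver that reports CSUM_DATA_VALID | CSUM_PSEUDO_HDR on a single fragment, but it also discards an offload result that could have been merged across fragments (AND the flags, add the csum_data values). The comment should say the fallback is deliberate, and the patch description should mention that CSUM_IP_CHECKED | CSUM_IP_VALID are dropped as well even though only the L4 flags are in question. The #ifdef is justified because these flag names are FreeBSD mbuf flags and pf_norm.c lives under sys/contrib.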
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 00:30:51 2007
From: Pyun YongHyeon
To: Max Laier
Cc: Hugo Koji Kobayashi, freebsd-pf@freebsd.org
Date: Fri, 29 Jun 2007 09:06:30 +0900
Message-ID: <20070629000630.GA52912@cdnetworks.co.kr>
In-Reply-To: <200706282256.10397.max@love2party.net>
Reply-To: pyunyh@gmail.com
Subject: Re: udp fragmentation

On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> [ Please don't top post, fixed ]
>
> On Thursday 28 June 2007, Vadym Chepkov wrote:
> > From: "Max Laier", Thursday, June 28, 2007 3:34 PM
> >
> > > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > > > > Just to confirm I'm testing the right
> > > > > cases, my setup looks like:
> > > > >
> > > > > Host1 Host2 Host3
> > > > >
> > > > > netsend -> pf scrub -> pf scrub -> netreceive
> > > >
> > > > I'm not sure I understood your setup. Why are there 3 hosts?
> > >
> > > In order to test scrub on forward and receiver at the same time (but
> > > taking Host2 out of the stream doesn't change the result).
> > >
> > > > I think a query should be sth like this:
> > > >
> > > > Client[netsend->pf scrub] -> Internet -> DNS server
> > > >
> > > > And the response should be:
> > > >
> > > > DNS server -> Internet -> Client[pf scrub->netreceive]
> > > >
> > > > > Everything works as expected with various UDP payloads > MTU.
> > > >
> > > > Are you saying that you're able to receive responses to the
> > > > following dig command when it's run from a client machine running
> > > > pf scrub?
> > > >
> > > > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> > > >
> > > > This query is supposed to receive a DNS answer of more than 4KB.
> > >
> > > See the attached script I did just now.
> > >
> > > The only thing common about your setup seems to be the bge(4) NIC.
> > > Can you try disabling hardware checksumming (ifconfig -txcsum
> > > -rxcsum)? My test is over a hardware checksumming fxp(4) card,
> > > though.
> >
> > Yes, this eliminated the issue. Bug in bge driver?
>
> Kind of - the driver claims to have done UDP checksum testing on the
> fragment (which is impossible). The attached patch should fix the issue
> for bge(4) and any other similar NIC.
>

I guess bge(4) has an Rx checksum offload bug on fragmented UDP
datagrams. Since other hardware with checksum offload capability does
not show this issue, it could be related to UDP pseudo header
calculation.
How about disabling UDP pseudo header calculation? I don't have bge(4)
hardware, so the patch is just guess work.

-- 
Regards,
Pyun YongHyeon

Content-Disposition: attachment; filename="bge.patch"

Index: if_bge.c
===================================================================
RCS file: /home/ncvs/src/sys/dev/bge/if_bge.c,v
retrieving revision 1.197
diff -u -r1.197 if_bge.c
--- if_bge.c	4 Jun 2007 18:25:03 -0000	1.197
+++ if_bge.c	29 Jun 2007 00:06:13 -0000
@@ -1254,7 +1254,7 @@ */ CSR_WRITE_4(sc, BGE_MODE_CTL, BGE_DMA_SWAP_OPTIONS | BGE_MODECTL_MAC_ATTN_INTR | BGE_MODECTL_HOST_SEND_BDS | - BGE_MODECTL_TX_NO_PHDR_CSUM); + BGE_MODECTL_TX_NO_PHDR_CSUM | BGE_MODECTL_RX_NO_PHDR_CSUM); /* * Tell the firmware the driver is running
@@ -2988,8 +2988,7 @@ m->m_pkthdr.len >= ETHER_MIN_NOPAD) { m->m_pkthdr.csum_data = cur_rx->bge_tcp_udp_csum; - m->m_pkthdr.csum_flags |= - CSUM_DATA_VALID | CSUM_PSEUDO_HDR; + m->m_pkthdr.csum_flags |= CSUM_DATA_VALID; } }
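Review bot: adding BGE_MODECTL_RX_NO_PHDR_CSUM to the `CSR_WRITE_4(sc, BGE_MODE_CTL, ...)` mode-control write in the first hunk changes what the chip reports for every received TCP/UDP frame, not only fragments, so this hunk is correct only together with the second hunk that stops setting CSUM_PSEUDO_HDR; the two must land as one change and the description should state that the pseudo-header part of the checksum now moves to the stack. Since the author notes there is no bge(4) hardware to test on, a run on real hardware should confirm that unfragmented TCP and UDP receive checksums still validate with the bit set.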
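Review bot: once `m->m_pkthdr.csum_flags |= CSUM_DATA_VALID;` in the second hunk no longer carries CSUM_PSEUDO_HDR, the stack treats bge_tcp_udp_csum as a raw one's-complement sum over the payload and adds the pseudo-header itself, which is also what makes summing csum_data across fragments during reassembly meaningful. A one-line comment at that assignment tying the flag change to the RX_NO_PHDR_CSUM mode bit would keep a later reader from restoring CSUM_PSEUDO_HDR on its own.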
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 12:29:32 2007
From: Max Laier
Organization: FreeBSD
To: pyunyh@gmail.com
Cc: Hugo Koji Kobayashi, freebsd-pf@freebsd.org
Date: Fri, 29 Jun 2007 14:31:29 +0200
Message-Id: <200706291431.37159.max@love2party.net>
In-Reply-To: <20070629000630.GA52912@cdnetworks.co.kr>
Subject: Re: udp fragmentation

On Friday 29 June 2007, Pyun YongHyeon wrote:
> On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > [ Please don't top post, fixed ]
> >
> > On Thursday 28 June 2007, Vadym Chepkov wrote:
> > > From: "Max Laier", Thursday, June 28, 2007
> > > 3:34 PM
> > >
> > > > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > > > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > > > > > Just to confirm I'm testing the right
> > > > > > cases, my setup looks like:
> > > > > >
> > > > > > Host1 Host2 Host3
> > > > > >
> > > > > > netsend -> pf scrub -> pf scrub -> netreceive
> > > > >
> > > > > I'm not sure I understood your setup. Why are there 3 hosts?
> > > >
> > > > In order to test scrub on forward and receiver at the same time
> > > > (but taking Host2 out of the stream doesn't change the result).
> > > >
> > > > > I think a query should be sth like this:
> > > > >
> > > > > Client[netsend->pf scrub] -> Internet -> DNS server
> > > > >
> > > > > And the response should be:
> > > > >
> > > > > DNS server -> Internet -> Client[pf scrub->netreceive]
> > > > >
> > > > > > Everything works as expected with various UDP payloads > MTU.
> > > > >
> > > > > Are you saying that you're able to receive responses to the
> > > > > following dig command when it's run from a client machine
> > > > > running pf scrub?
> > > > >
> > > > > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> > > > >
> > > > > This query is supposed to receive a DNS answer of more than
> > > > > 4KB.
> > > >
> > > > See the attached script I did just now.
> > > >
> > > > The only thing common about your setup seems to be the bge(4)
> > > > NIC. Can you try disabling hardware checksumming (ifconfig
> > > > -txcsum -rxcsum)? My test is over a hardware checksumming
> > > > fxp(4) card, though.
> > >
> > > Yes, this eliminated the issue. Bug in bge driver?
> >
> > Kind of - the driver claims to have done UDP checksum testing on the
> > fragment (which is impossible). The attached patch should fix the
> > issue for bge(4) and any other similar NIC.
>
> I guess bge(4) has an Rx checksum offload bug on fragmented UDP
> datagrams.
Since other hardwares with checksum offload capability > does not show this issue, it could be related with UDP pseudo header > calculation. How about disabling UDP pseudo header calculation? > > I don't have bge(4) hardwares so the patch is just guess work. In fact it doesn't seem broken at all, we would just have to do something=20 along the lines of ip_input.c::ip_reass() (line 1001 ff): for (q =3D nq; q !=3D NULL; q =3D nq) { nq =3D q->m_nextpkt; q->m_nextpkt =3D NULL; m->m_pkthdr.csum_flags &=3D q->m_pkthdr.csum_flags; m->m_pkthdr.csum_data +=3D q->m_pkthdr.csum_data; m_cat(m, q); } /* * In order to do checksumming faster we do 'end-around carry' here * (and not in for{} loop), though it implies we are not going to * reassemble more than 64k fragments. */ m->m_pkthdr.csum_data =3D (m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16); Have to ponder a bit, if this is easily possible in pf's reassembly. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart39438829.3daMIfHbTA Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (FreeBSD) iD8DBQBGhPupXyyEoT62BG0RAjhTAJ0Zj/SPl9/fgaGZ36+7fEZbzft3vACdH8Qn 3l5UUFXeZPmfcW5indYZ7LU= =eR+S -----END PGP SIGNATURE----- --nextPart39438829.3daMIfHbTA-- From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 13:03:32 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1BB9F16A400 for ; Fri, 29 Jun 2007 13:03:32 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id A317913C465 for ; Fri, 29 Jun 2007 13:03:31 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.64.180.189] 
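Max's ip_reass() sketch above, modelled in user space as an added example (not code from the thread or from FreeBSD): the NIC's per-fragment partial sums are added, the validity flags ANDed and one end-around carry applied, next to the pre-patch case where only the first fragment's sum survives m_cat(). struct pkthdr, PAYLOAD, FRAG_LEN and the CSUM_DATA_VALID value are constructed stand-ins.

```c
/* Added example, not code from the thread or from FreeBSD: a user-space model of the checksum merge
 * ip_reass() does. struct pkthdr stands in for m_pkthdr; payload, fragment size, flag value constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define CSUM_DATA_VALID 0x0400   /* borrows the FreeBSD flag's name: csum_data holds a partial sum */
#define FRAG_LEN  24             /* bytes per fragment; a multiple of 8 keeps 16-bit words aligned */
#define MAX_FRAGS 16
struct pkthdr { unsigned csum_flags; uint32_t csum_data; };   /* flags + unfolded partial sum */

/* Constructed 72-byte datagram payload, split into three FRAG_LEN fragments below. */
static const uint8_t PAYLOAD[] =
    "constructed UDP payload for the fragment checksum demo, no real traffic";

/* One's-complement partial sum over a byte range, not folded, as an offloading NIC reports it. */
static uint32_t partial_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte fills the high half */
    return sum;
}

/* fold_once: the single end-around carry ip_reass() does after its loop; fold_all: reduce fully to 16 bits. */
static uint32_t fold_once(uint32_t s) { return (s & 0xffff) + (s >> 16); }
static uint16_t fold_all(uint32_t s) { while (s >> 16) s = fold_once(s); return (uint16_t)s; }

/* The ip_reass() merge: AND the flags (valid only if every fragment was validated),
 * add the partial sums, fold once after the loop. */
static struct pkthdr merge_fragments(const struct pkthdr *frags, size_t n)
{
    struct pkthdr m = frags[0];
    for (size_t i = 1; i < n; i++) {
        m.csum_flags &= frags[i].csum_flags;
        m.csum_data += frags[i].csum_data;
    }
    m.csum_data = fold_once(m.csum_data);
    return m;
}

/* Let the "NIC" report a partial sum for each fragment of PAYLOAD; returns the fragment count. */
static size_t offload_fragments(struct pkthdr *out)
{
    size_t n = 0, total = sizeof(PAYLOAD);
    for (size_t off = 0; off < total && n < MAX_FRAGS; off += FRAG_LEN, n++) {
        size_t len = total - off < FRAG_LEN ? total - off : FRAG_LEN;
        out[n].csum_flags = CSUM_DATA_VALID;
        out[n].csum_data = partial_sum(PAYLOAD + off, len);
    }
    return n;
}

/* Patched behaviour: the merged offload result agrees with a software sum of the whole payload. */
static int merged_matches_software(void)
{
    struct pkthdr frags[MAX_FRAGS];
    struct pkthdr m = merge_fragments(frags, offload_fragments(frags));
    return (m.csum_flags & CSUM_DATA_VALID) != 0 &&
        fold_all(m.csum_data) == fold_all(partial_sum(PAYLOAD, sizeof(PAYLOAD)));
}

/* Pre-patch behaviour: m_cat() leaves the first fragment's pkthdr untouched, so the
 * reassembled datagram carries a sum covering fragment 0 only and fails verification. */
static int first_fragment_only_matches(void)
{
    struct pkthdr frags[MAX_FRAGS];
    offload_fragments(frags);
    return fold_all(frags[0].csum_data) == fold_all(partial_sum(PAYLOAD, sizeof(PAYLOAD)));
}

/* One fragment without an offload result must clear CSUM_DATA_VALID for the whole datagram. */
static int mixed_fragments_invalidate(void)
{
    struct pkthdr frags[MAX_FRAGS];
    size_t n = offload_fragments(frags);
    frags[n - 1].csum_flags = 0;
    return (merge_fragments(frags, n).csum_flags & CSUM_DATA_VALID) == 0;
}

int main(void)
{
    printf("patched merge ok=%d, first-fragment-only ok=%d, mixed flags invalidated=%d\n",
           merged_matches_software(), first_fragment_only_matches(), mixed_fragments_invalidate());
    return 0;
}
```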
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 13:03:32 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Hugo Koji Kobayashi
Date: Fri, 29 Jun 2007 15:04:57 +0200
Subject: Re: udp fragmentation

On Friday 29 June 2007, Max Laier wrote:
> On Friday 29 June 2007, Pyun YongHyeon wrote:
> > On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > > > > The only thing common about your setup seems to be the bge(4)
> > > > > NIC. Can you try disabling hardware checksumming (ifconfig
> > > > > -txcsum -rxcsum)? My test is over a hardware checksumming
> > > > > fxp(4) card, though.
> > > >
> > > > Yes, this eliminated the issue. Bug in bge driver?
> > >
> > > Kind of - the driver claims to have done UDP checksum testing on
> > > the fragment (which is impossible). The attached patch should fix
> > > the issue for bge(4) and any other similar NIC.
> >
> > I guess bge(4) has an Rx checksum offload bug on fragmented UDP
> > datagrams. Since other hardware with checksum offload capability
> > does not show this issue, it could be related to the UDP pseudo header
> > calculation. How about disabling the UDP pseudo header calculation?
> >
> > I don't have bge(4) hardware so the patch is just guesswork.
>
> In fact it doesn't seem broken at all, we would just have to do
> something along the lines of ip_input.c::ip_reass() (line 1001 ff):
> ...
> Have to ponder a bit, if this is easily possible in pf's reassembly.

Works - see attached.

Does anyone know of a tool to generate nasty fragments to really test
this? Reordered / overlapping / etc. ?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: frag_csum.diff]

==== //depot/user/mlaier/pfsrc/sys/contrib/pf/net/pf_norm.c#9 - /home/mlaier/devel/FreeBSD/p4/pfsrc/sys/contrib/pf/net/pf_norm.c ====
--- /tmp/tmp.1610.37	2007-06-29 15:01:49.552518013 +0200
+++ /home/mlaier/devel/FreeBSD/p4/pfsrc/sys/contrib/pf/net/pf_norm.c	2007-06-29 14:50:37.299015057 +0200
@@ -568,8 +568,22 @@ m2 =3D frent->fr_m; pool_put(&pf_frent_pl, frent); pf_nfrents--; +#ifdef __FreeBSD__ + DPFPRINTF(("csum: 0x%x 0x%x\n", m->m_pkthdr.csum_flags, + m->m_pkthdr.csum_data)); + m->m_pkthdr.csum_flags &=3D m2->m_pkthdr.csum_flags; + m->m_pkthdr.csum_data +=3D m2->m_pkthdr.csum_data; +#endif m_cat(m, m2); } +#ifdef __FreeBSD__ + DPFPRINTF(("fcsum: 0x%x 0x%x\n", m->m_pkthdr.csum_flags, + m->m_pkthdr.csum_data)); + m->m_pkthdr.csum_data =3D + (m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16); + DPFPRINTF(("fcsum: 0x%x 0x%x\n", m->m_pkthdr.csum_flags, + m->m_pkthdr.csum_data)); +#endif =20 ip->ip_src =3D (*frag)->fr_src; ip->ip_dst =3D (*frag)->fr_dst;
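Review bot: the two DPFPRINTF calls after the loop both print under the label "fcsum", so a debug log cannot tell the value before the end-around carry from the value after it; give them distinct labels (for example "fcsum pre-fold" and "fcsum post-fold") or drop the first. The fold `m->m_pkthdr.csum_data = (m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16)` is done once outside the loop exactly as in ip_reass(), but the comment explaining why (faster, and correct as long as fewer than 64k fragments are reassembled) was not carried over; a reader of pf_norm.c will not have ip_input.c open, so that comment belongs here too. The `csum_flags &=` intersection is the right merge, since a datagram can only be marked CSUM_DATA_VALID when every fragment was; summing csum_data for a fragment that lacked the flag is harmless because the cleared flag makes the consumer ignore it.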
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 13:31:31 2007
Date: Fri, 29 Jun 2007 15:02:05 +0200 (CEST)
From: "Laurent LEVIER"
To: freebsd-pf@freebsd.org
Subject: authpf method with a HTTP Server?

Hi List,

I just subscribed to the list because I would like to create something
more flexible to pass through pf than authpf.

In summary, when you connect to a WiFi AP, you get an IP address.
Then you launch your favorite browser.
Immediately, you get an authentication page.
There you give your credentials and from this moment you can access the Internet.

I would like to do the same thing.

Does someone know if the authpf principle was ported to HTTP?
Of course, maybe the session principle could not be kept unless the browser
refreshed periodically.
But at least we could get some mechanisms to allow passthru for newbies who
know only IE.

If nothing exists, I'll try to build such a module for everyone.

Anyway, any help appreciated.
Thanks in advance

Brgrds

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 15:14:29 2007
Date: Fri, 29 Jun 2007 17:13:50 +0200 (CEST)
From: "Laurent LEVIER"
To: "Huzeyfe ONAL"
Cc: freebsd-pf@freebsd.org
Subject: Re: authpf method with a HTTP Server?

> Hi,

Hi Huzeyfe!

> why don't you use captive portal ?

What do you mean?
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 16:26:03 2007
Date: Fri, 29 Jun 2007 18:58:33 +0300
From: "Huzeyfe Onal"
To: "Laurent LEVIER"
Cc: freebsd-pf@freebsd.org
Subject: Re: authpf method with a HTTP Server?

hi,

What you are trying to achieve is very easy using a captive portal.
But I think you want to write a web interface for authpf. There was some
discussion about an authpf web interface in 2004 [1] which gives you an
idea of its feasibility.

[1] http://www.monkey.org/openbsd/archive/misc/0408/msg01567.html

On 6/29/07, Laurent LEVIER wrote:
> > Hi,
> Hi Huzeyfe!
>
> > why don't you use captive portal ?
> What do you mean?
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 29 16:43:43 2007
Date: Fri, 29 Jun 2007 18:43:06 +0200
From: Laurent LEVIER
To: "Huzeyfe Onal"
Cc: freebsd-pf@freebsd.org
Subject: Re: authpf method with a HTTP Server?

Hi

At 17:58 29/06/2007, Huzeyfe Onal wrote:
> What you are trying to achieve is very easy using a captive portal.
> But I think you want to write a web interface for authpf. There was some
> discussion about an authpf web interface in 2004 [1] which gives you an
> idea of its feasibility.

I am not familiar with captive portals.

I used the WiFi term, but this does not reflect the real full need. The idea
is to authenticate users passing the FW, not only over a WiFi link. So
authenticating users when they build their tunnel, for example, is too
restrictive.

To me, it is either in the spirit of an SSO able to authenticate the user
only once so he can build his tunnel, pass a transparent proxy and pass FW
rules, or the same as a captive portal, but also able to work over basic
wired connectivity.

In summary, I don't intend to prevent access to the AP, but to directly
control only the passthru of the Firewall with a transparent proxy.

Not sure a captive portal can do that. I'm digging in parallel to learn more
about this principle.
Thanks

Brgrds

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 30 19:00:30 2007
Date: Sat, 30 Jun 2007 20:29:12 +0200
From: Frank Steinborn
To: freebsd-pf@FreeBSD.org
Subject: pf won't start because tun0 doesn't exist yet

Hi,

I'm going to set up a FreeBSD router running pf. I have rules in pf.conf
that refer to 'tun0'. Here is the problem:

When booting the machine, pf won't load the rules because tun0 doesn't
exist at this time. Of course I could easily work around this, but I wonder
if there is a more elegant or even official way to handle this issue?

TIA,
Frank

From owner-freebsd-pf@FreeBSD.ORG Sat Jun 30 19:03:58 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sat, 30 Jun 2007 21:05:53 +0200
Subject: Re: pf won't start because tun0 doesn't exist yet

On Saturday 30 June 2007, Frank Steinborn wrote:
> I'm going to set up a FreeBSD router running pf. I have rules in
> pf.conf that refer to 'tun0'. Here is the problem:
>
> When booting the machine, pf won't load the rules because tun0 doesn't
> exist at this time. Of course I could easily work around this, but I
> wonder if there is a more elegant or even official way to handle this
> issue?

This is a FAQ - search the archives. In short:

If you need ALTQ on tun0 the only workaround is ppp.linkup (or similar).
loginterface is unnecessary since pfctl -vvvsI -i tun0.
Addresses are written "(tun0)" not "tun0".
-- 
FreeBSD Status reports due: 07/07/07 :-)
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News