From: Pyun YongHyeon
Reply-To: yongari@kt-is.co.kr
Date: Mon, 6 Dec 2004 11:47:00 +0900
To: gtg062h@mail.gatech.edu
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041206024700.GA744@kt-is.co.kr>
In-Reply-To: <7c8f27920412051617123672bf@mail.gmail.com>
List-Id: Technical discussion and general questions about packet filter (pf)

On Sun, Dec 05, 2004 at 07:17:05PM -0500, Josh Kayse wrote:
[...]
>
> I managed to get your patch to apply to FreeBSD RELENG_5.
>
> I have a question about the bridge_fragment function though. Would
> this prevent packets from linux NFS clients from working, the
> fragmented ones with the DF flag set? Thanks for any information.
>

I guess this has nothing to do with bridge. AFAIK, Linux is known to
generate fragmented packets with the DF bit set. Normally, pf's scrub
rule drops a fragmented packet that was told not to fragment (i.e. DF
bit set). You may need the additional option "no-df" in the scrub rule
to pass the packet.

> I'll post the patch later if anyone wants it. It hasn't been

Great! I believe your patch would be quite useful to FreeBSD pf/ipf users.

> thoroughly tested but is currently running on a bridge setup in my
> test lab with my work machine behind it.
>

One note: don't be fooled by "netstat -m" output after patching your
system. Its statistics were broken on 5.3R. For instance, on my P3 SMP:

19926 mbufs in use
4294938777/19136 mbuf clusters in use (current/max)
^^^^^^^^^^^^^^^^
0/4/5040 sfbufs in use (current/peak/max)
4142247 KBytes allocated to network
^^^^^^^^^^^^^^
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
270 calls to protocol drain routines

> -josh
>
> --
> Joshua Kayse
> Computer Engineering

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
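As an added illustration that is not part of the thread, the scrub-rule change discussed above written out in pf.conf form, with the default rule that drops DF-flagged fragments beside the no-df variant; interface names and the NFS port rule are assumptions.

```pf
# Added example, not from the thread. Interface names are assumed.
ext_if = "fxp0"
int_if = "fxp1"

# Default scrub: a fragment whose IP header carries the DF bit is dropped
# before reassembly, so fragmented UDP NFS requests from Linux clients
# (which set DF on fragments) never reach the server behind the bridge.
# scrub in all fragment reassemble

# no-df clears the DF bit on matching packets so their fragments can be
# reassembled and passed. pf.conf(5) recommends random-id together with
# no-df: some hosts send DF packets with a zero IP ID, and clearing DF on
# those can cause fragment collisions if a router later fragments them.
scrub in all fragment reassemble no-df random-id

# Assumed policy: let stateful NFS (port 2049) through the bridge and
# drop everything else so the scrub change does not widen exposure.
block in all
pass in on $ext_if proto { tcp, udp } from any to $int_if:network port 2049 keep state
pass out all keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s info` shows fragment counters so you can confirm the DF fragments are now being reassembled rather than dropped.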