Date:      Wed, 8 Jan 2014 20:48:48 +0100
From:      Olivier Cochard-Labbé <olivier@cochard.me>
To:        Rui Paulo <rpaulo@freebsd.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf and fragmented packets
Message-ID:  <CA+q+Tcow+qRABG5omyWKE85yNEeqanB0SN1Wqvjay3hZoPfEAw@mail.gmail.com>
In-Reply-To: <B1B3E8FC-06C4-4E2B-9E12-79BA0F265630@FreeBSD.org>
References:  <B1B3E8FC-06C4-4E2B-9E12-79BA0F265630@FreeBSD.org>

On Sat, Dec 28, 2013 at 9:39 AM, Rui Paulo <rpaulo@freebsd.org> wrote:

>
> The second problem happens with large UDP packets.  If I change the rule
> "scrub on $ext_if all fragment reassemble" to "scrub on $ext_if all
> reassemble tcp fragment reassemble", I can see the UDP packets going out
> correctly translated, but if I send a large UDP packet (> MTU), pf sends
> the reassembled packet as a large packet which exceeds the MTU.
>

Hi,

I've managed to reproduce this problem on 10.0-RC5, but only using pf in
"transparent mode" (on a bridge) in a VirtualBox lab:

VM1 ===== VM2(pf,scrub,bridge) ===== VM3


** VM2 configuration **

/etc/rc.conf:
ifconfig_em1="up"
ifconfig_em2="up"
pf_enable="yes"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"

/etc/pf.conf:
set skip on lo0
scrub (automatically converted to "scrub all fragment reassemble")
pass (automatically converted to "pass all flags S/SA keep state")

** VM1 configuration **

/etc/rc.conf:
ifconfig_em1="inet 10.0.23.2/24"

** VM3 configuration **

/etc/rc.conf:
ifconfig_em2="inet 10.0.23.4/24"

Now, from VM1, I generate fragmented UDP traffic toward VM3 with netblast:
netblast 10.0.23.4 9090 1800 1

And the tcpdump output on VM2 (firewall) on the ingress interface is correct:

20:44:09.150865 IP (tos 0x0, ttl 64, id 36516, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.23.2.15187 > 10.0.23.4.9090: UDP, length 1800
20:44:09.150936 IP (tos 0x0, ttl 64, id 36516, offset 1480, flags [none], proto UDP (17), length 348)
    10.0.23.2 > 10.0.23.4: ip-proto-17

But on the egress interface of VM2(firewall) there is a problem:

20:45:26.591384 20:00:40:11:68:be > 45:00:05:dc:aa:4d, ethertype Unknown (0x0a00), length 1500:
        0x0000:  1702 0a00 1704 28cf 2382 0710 6373 0000  ......(.#...cs..
        0x0010:  0004 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
(etc...)
20:45:26.591403 00:b9:40:11:8c:85 > 45:00:01:5c:aa:4d, ethertype Unknown (0x0a00), length 348:
        0x0000:  1702 0a00 1704 0000 0000 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
(etc...)

Regards,

Olivier
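To check what the egress capture above actually contains, here is an added example (editor's code, not part of Olivier's message and not pf or tcpdump code) that decodes the bytes tcpdump printed as Ethernet header fields. The two frame byte strings are reconstructed from the egress tcpdump lines and the first hex-dump rows shown above (only those leading bytes are on the page); the Ethernet-framed control frame and its MAC addresses are constructed for contrast and are not from the capture. The script parses the same bytes both as Ethernet II + IPv4 and as a bare IPv4 packet, verifies the IPv4 header checksum, and reports which reading is consistent with the frame length tcpdump reported.

```python
"""Decode the egress frames from the tcpdump output above two ways and report
which reading is self-consistent: Ethernet II + IPv4, or IPv4 with no
Ethernet header in front of it."""
import struct
from typing import Optional

# Reconstructed from the egress tcpdump lines above: the six-byte "destination
# MAC", six-byte "source MAC" and two-byte "ethertype" tcpdump printed,
# followed by the first rows of its hex dump. The rest of each frame is not
# on the page and is not reproduced here.
EGRESS_FRAME_1 = bytes.fromhex(
    "45 00 05 dc aa 4d "                                 # printed as dst MAC
    "20 00 40 11 68 be "                                 # printed as src MAC
    "0a 00 "                                             # printed as ethertype
    "17 02 0a 00 17 04 28 cf 23 82 07 10 63 73 00 00 "   # hex-dump row 0x0000
    "00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "   # hex-dump row 0x0010
)
EGRESS_FRAME_1_WIRE_LEN = 1500      # "length 1500" in the tcpdump line
EGRESS_FRAME_2 = bytes.fromhex(
    "45 00 01 5c aa 4d "
    "00 b9 40 11 8c 85 "
    "0a 00 "
    "17 02 0a 00 17 04 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
)
EGRESS_FRAME_2_WIRE_LEN = 348       # "length 348" in the tcpdump line

# Constructed control frame (NOT from the capture): the same IPv4 bytes behind
# a made-up Ethernet II header, the shape a normal ingress frame has.
ETHER_FRAME = bytes.fromhex("08 00 27 00 00 01 08 00 27 00 00 02 08 00") + EGRESS_FRAME_1
ETHER_FRAME_WIRE_LEN = EGRESS_FRAME_1_WIRE_LEN + 14


def ipv4_checksum_ok(header: bytes) -> bool:
    """A correct IPv4 header sums (one's complement, checksum field included) to 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(buf: bytes) -> Optional[dict]:
    """Parse an IPv4 header at the start of buf; None if it cannot be one."""
    if len(buf) < 20:
        return None
    (v_ihl, _tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = v_ihl >> 4, (v_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return None
    return {
        "ihl": ihl, "total_len": total_len, "id": ident,
        "mf": bool(flags_off & 0x2000),          # More Fragments flag
        "frag_off": (flags_off & 0x1FFF) * 8,    # fragment offset in bytes
        "ttl": ttl, "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "csum_ok": ipv4_checksum_ok(buf[:ihl]),
    }


def parse_udp(buf: bytes) -> Optional[dict]:
    """Parse a UDP header; only the first fragment carries one."""
    if len(buf) < 8:
        return None
    sport, dport, length, _csum = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport, "length": length}


def classify(frame: bytes, wire_len: int) -> str:
    """Return 'ethernet+ipv4', 'bare-ipv4' or 'unknown'. A reading is accepted
    only if the IPv4 total length matches wire_len and the header checksum is good."""
    if len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == 0x0800:
        ip = parse_ipv4(frame[14:])
        if ip and ip["csum_ok"] and ip["total_len"] == wire_len - 14:
            return "ethernet+ipv4"
    ip = parse_ipv4(frame)
    if ip and ip["csum_ok"] and ip["total_len"] == wire_len:
        return "bare-ipv4"
    return "unknown"


def describe(frame: bytes, wire_len: int) -> str:
    """One-line summary of a frame under the reading classify() accepted."""
    kind = classify(frame, wire_len)
    if kind == "unknown":
        return "unknown framing"
    pkt = frame[14:] if kind == "ethernet+ipv4" else frame
    ip = parse_ipv4(pkt)
    line = "%s: %s > %s proto %d id %d%s offset %d len %d" % (
        kind, ip["src"], ip["dst"], ip["proto"], ip["id"],
        " MF" if ip["mf"] else "", ip["frag_off"], ip["total_len"])
    udp = parse_udp(pkt[ip["ihl"]:]) if ip["proto"] == 17 and ip["frag_off"] == 0 else None
    if udp:
        line += " udp %d > %d len %d" % (udp["sport"], udp["dport"], udp["length"])
    return line


if __name__ == "__main__":
    for frame, wire_len in ((EGRESS_FRAME_1, EGRESS_FRAME_1_WIRE_LEN),
                            (EGRESS_FRAME_2, EGRESS_FRAME_2_WIRE_LEN),
                            (ETHER_FRAME, ETHER_FRAME_WIRE_LEN)):
        print(describe(frame, wire_len))
```

On these bytes the bare-IPv4 reading is the only consistent one: version 4, IHL 5, total length equal to the captured frame length, a header checksum that verifies, 10.0.23.2 to 10.0.23.4, UDP to port 9090 with UDP length 1808 (1800 bytes of netblast payload plus the 8-byte header), a first fragment with MF set and a second at offset 1480. In other words, what tcpdump labelled "ethertype Unknown (0x0a00)" is the first two bytes of the source address 10.0.23.2, and the frames leaving the bridge start directly with the IP header, with no 14-byte Ethernet header in front of them. The constructed control frame shows the same parser accepting a normally framed packet.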