From: Olivier Cochard-Labbé
Date: Wed, 8 Jan 2014 20:48:48 +0100
Subject: Re: pf and fragmented packets
To: Rui Paulo
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, Dec 28, 2013 at 9:39 AM, Rui Paulo wrote:
>
> The second problem happens with large UDP packets. If I change the rule
> "scrub on $ext_if all fragment reassemble" to "scrub on $ext_if all
> reassemble tcp fragment reassemble", I can see the UDP packets going out
> correctly translated, but if I send a large UDP packet (> MTU), pf sends
> the reassembled packet as a large packet which exceeds the MTU.
>

Hi,

I've managed to reproduce this problem on 10.0-RC5, but only using pf in
"transparent mode" (on a bridge) in a VirtualBox lab:

VM1 ===== VM2(pf,scrub,bridge) ===== VM3

** VM2 configuration **

/etc/rc.conf:
ifconfig_em1="up"
ifconfig_em2="up"
pf_enable="yes"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"

/etc/pf.conf:
set skip on lo0
scrub   (automatically converted to "scrub all fragment reassemble")
pass    (automatically converted to "pass all flags S/SA keep state")

** VM1 configuration **

/etc/rc.conf:
ifconfig_em1="inet 10.0.23.2/24"

** VM3 configuration **

/etc/rc.conf:
ifconfig_em2="inet 10.0.23.4/24"

Now, from VM1, I generate fragmented UDP traffic toward VM3 with netblast:

netblast 10.0.23.4 9090 1800 1

And tcpdump on VM2 (firewall) on the ingress interface shows correct traffic:

20:44:09.150865 IP (tos 0x0, ttl 64, id 36516, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.23.2.15187 > 10.0.23.4.9090: UDP, length 1800
20:44:09.150936 IP (tos 0x0, ttl 64, id 36516, offset 1480, flags [none], proto UDP (17), length 348)
    10.0.23.2 > 10.0.23.4: ip-proto-17

But on the egress interface of VM2 (firewall) there is a problem:

20:45:26.591384 20:00:40:11:68:be > 45:00:05:dc:aa:4d, ethertype Unknown (0x0a00), length 1500:
        0x0000:  1702 0a00 1704 28cf 2382 0710 6373 0000  ......(.#...cs..
        0x0010:  0004 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        (etc...)
20:45:26.591403 00:b9:40:11:8c:85 > 45:00:01:5c:aa:4d, ethertype Unknown (0x0a00), length 348:
        0x0000:  1702 0a00 1704 0000 0000 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        (etc...)

Regards,

Olivier
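Editor's note, with an added decoder that is not part of Olivier's mail or of pf: the egress dump above is worth reading byte by byte. tcpdump prints "src > dst", so on the wire the first frame starts with 45 00 05 dc aa 4d (what it printed as the destination MAC), then 20 00 40 11 68 be, then 0a 00, then the hex dump. Read as an IPv4 header instead of an Ethernet header, those same bytes are version 4, IHL 5, total length 0x05dc = 1500, id 0xaa4d, flags/offset 0x2000 (MF set, offset 0), TTL 64, protocol 17 and header checksum 0x68be, followed by 10.0.23.2 > 10.0.23.4 and a UDP header to port 9090 with length 1808; the second frame decodes the same way with total length 348, MF clear and offset 1480. The script below reconstructs both frames from the text of the mail, checks the IPv4 header checksum, and reports whether the capture is a normal Ethernet frame or an IPv4 packet captured with no link-layer header in front of it. The egress dump is from a later run than the ingress one (20:45 vs 20:44), so its IP id and source port differ; the trailing zero payload is truncated to the lines shown in the mail, and the MAC addresses used by with_ethernet_header() are constructed for the comparison case.

```python
import struct

# Frame bytes reconstructed from the egress tcpdump output quoted in the mail.
# tcpdump printed the first 14 bytes as dst MAC / src MAC / ethertype and the
# rest as a hex dump; they are concatenated here in wire order. Only the bytes
# shown on the page are included, so len(EGRESS_FRAME_1) is 62, not 1500.
EGRESS_FRAME_1 = bytes.fromhex(
    "450005dcaa4d"                          # printed as dst MAC 45:00:05:dc:aa:4d
    "2000401168be"                          # printed as src MAC 20:00:40:11:68:be
    "0a00"                                  # printed as "ethertype Unknown (0x0a00)"
    "17020a00170428cf2382071063730000"      # hex dump line 0x0000
    "00040000000000000000000000000000"      # hex dump line 0x0010
    "00000000000000000000000000000000"      # hex dump line 0x0020
)
EGRESS_FRAME_2 = bytes.fromhex(
    "4500015caa4d"                          # printed as dst MAC 45:00:01:5c:aa:4d
    "00b940118c85"                          # printed as src MAC 00:b9:40:11:8c:85
    "0a00"                                  # printed as "ethertype Unknown (0x0a00)"
    "17020a00170400000000000000000000"      # hex dump line 0x0000
    "00000000000000000000000000000000"      # hex dump line 0x0010 (rest truncated)
)

KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over the header with the checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_as_ethernet(frame: bytes) -> dict:
    """Interpret the first 14 bytes the way tcpdump did: dst MAC, src MAC, ethertype."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "ethertype": ethertype, "known": ethertype in KNOWN_ETHERTYPES}


def parse_as_ipv4(pkt: bytes):
    """Interpret the buffer as a bare IPv4 packet; None if it cannot be one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    (_, _, total_length, ident, flags_off, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {
        "total_length": total_length,
        "id": ident,
        "dont_fragment": bool(flags_off & 0x4000),
        "more_fragments": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_header_checksum(pkt[:ihl]) == csum,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "udp": None,
    }
    # The UDP header is only present in the first fragment (offset 0).
    if proto == 17 and info["frag_offset"] == 0 and len(pkt) >= ihl + 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        info["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    return info


def diagnose(frame: bytes) -> str:
    """'ethernet' for a normal frame, 'ipv4-without-ethernet' when the bytes
    only make sense as an IPv4 packet whose link-layer header is missing."""
    if parse_as_ethernet(frame)["known"]:
        return "ethernet"
    ip = parse_as_ipv4(frame)
    if ip and ip["checksum_ok"]:
        return "ipv4-without-ethernet"
    return "unknown"


def with_ethernet_header(pkt: bytes, dst="08:00:27:00:00:03", src="08:00:27:00:00:02") -> bytes:
    """Prepend a well-formed Ethernet/IPv4 header (constructed MACs) for comparison."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + b"\x08\x00" + pkt)


if __name__ == "__main__":
    for name, frame in (("egress frame 1", EGRESS_FRAME_1), ("egress frame 2", EGRESS_FRAME_2)):
        print(name, "->", diagnose(frame))
        print("  as ethernet:", parse_as_ethernet(frame))
        print("  as ipv4:    ", parse_as_ipv4(frame))
    print("same bytes behind a real Ethernet header ->", diagnose(with_ethernet_header(EGRESS_FRAME_1)))
```

Because the header checksum verifies for both frames, the decode is not a coincidence: what left em2 was each IP fragment (still two of them, 1500 and 348 bytes, so the traffic was refragmented) written to the wire without an Ethernet header, which is why tcpdump shows IP header bytes as MAC addresses and 0x0a00 (the first two bytes of 10.0.23.2) as the ethertype. Checking the IPv4 checksum before trusting a shifted decode is the step that separates a real framing problem from a corrupted capture.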