Date: Sat, 14 Feb 2015 17:32:21 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 197648] ipfw reass ineffective after upgrade to 10.1
Message-ID: <bug-197648-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197648

            Bug ID: 197648
           Summary: ipfw reass ineffective after upgrade to 10.1
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: bsd@rdls.net

Just upgraded a bridging firewall from 10.0 to 10.1-RELEASE-p5. The first rule
is:

    reass all from any to any in

The only time I receive fragmented UDP packets is when my DNS server attempts
to resolve www.freebsd.org, as it returns large UDP packets which are
fragmented over my broadband connection:

    17:09:54.182826 IP 81.5.134.122.49514 > 63.243.194.1.53: 36047 [1au] A? wfe0.ysv.freebsd.org. (49)
    17:09:54.202100 IP 63.243.194.1.53 > 81.5.134.122.49514: 36047*- 2/4/11 A 8.8.178.110, RRSIG (1424)

I added the reass rule in 10.0 and it's been working perfectly. I upgraded to
10.1-RELEASE-p5 and everything else works as expected except that
www.freebsd.org does not resolve.

I added:

    allow ip from any to any frag

...just after the check-state rule, and that fixed the problem (but only after
the reass rule was first deleted). It seems that the reass rule is absorbing
fragments but not passing them perhaps. This bridging firewall only sees IPv4
traffic.

Tcpdump shows the response packet on the external interface and the bridge
interface, but not the internal interface.

A sanitised version of the rules is here:

    http://rdls.net/dl/bridge/rc.firewall.local

uname -a:

    FreeBSD motoko.rdls.net 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.