From owner-freebsd-pf@FreeBSD.ORG Thu Jun 28 19:32:28 2007
From: Max Laier
Organization: FreeBSD
To: Hugo Koji Kobayashi
Cc: freebsd-pf@freebsd.org
Date: Thu, 28 Jun 2007 21:34:18 +0200
Subject: Re: udp fragmentation
Message-Id: <200706282134.26140.max@love2party.net>
In-Reply-To: <20070628180741.GA7323@registro.br>
References: <20070528224225.GC40678@registro.br>
 <200706281919.41777.max@love2party.net>
 <20070628180741.GA7323@registro.br>
User-Agent: KMail/1.9.6
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > Just to confirm I'm testing the right
> > cases, my setup looks like:
> >
> > Host1         Host2         Host3
> >
> > netsend -> pf scrub -> pf scrub -> netreceive
>
> I'm not sure I understood your setup. Why are there 3 hosts?

In order to test scrub on forward and receiver at the same time (but
taking Host2 out of the stream doesn't change the result).

> I think a query should be sth like this:
>
> Client[netsend->pf scrub] -> Internet -> DNS server
>
> And the response should be:
>
> DNS server -> Internet -> Client[pf scrub->netreceive]
>
> > Everything works as expected with various UDP payloads > MTU.
>
> Are you saying that you're able to receive responses to the following
> dig command when it's run from a client machine running pf scrub?
>
> dig @a.ns.se se dnskey +dnssec +bufsize=4500
>
> This query is supposed to receive a DNS answer of more than 4KB.

See the attached script I did just now.

The only thing common about your setup seems to be the bge(4) NIC. Can
you try disabling hardware checksumming (ifconfig -txcsum -rxcsum)? My
test is over a hardware checksumming fxp(4) card, though.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: udpfrag.col (text/plain)]

Script started on Thu Jun 28 21:20:28 2007
21:20 amd64# dmesg > pre.dig
21:20 amd64# echo "scrub in" | pfctl -ef-
pf enabled
21:20 amd64# dmesg > pre.dig
21:21 amd64# pfctl -sr
scrub in all fragment reassemble
21:21 amd64# pfctl -xm
debug level set to 'misc'
21:21 amd64# dig @a.ns.se se dnskey +dnssec +bufsize=4500

; <<>> DiG 9.4.1 <<>> @a.ns.se se dnskey +dnssec +bufsize=4500
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43979
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 10, ADDITIONAL: 24
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.                            IN      DNSKEY

;; ANSWER SECTION:
se.                     3600    IN      DNSKEY  257 3 5 AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe3Y
                                                        9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbbOTcM
                                                        8pwXlj0EiX3oDFVmjHO444gLkBOUKUf/mC7HvfwYH/Be22GnClrinKJp
                                                        1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt8lgnyTUHs
                                                        1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/buvF4qJCydui
                                                        eHukuY3H4XMAcR+xia2nIUPvm/oyWR8BW/hWdzOvnSCThlHf3xiYleDb
                                                        t/o1OTQ09A0=
se.                     3600    IN      DNSKEY  257 3 5 AwEAAb6xRZHEf+PyF5dxEvz0BHEHbziu6iZaiNW/yjSaZcmrmZiRMF8F
                                                        PppD+XuKSau0rgu4eBwYdpkEoMVR4FhI8frkuPHIue2LP1ETo+2hCrdr
                                                        60K1538yLvzbOhMxXt6knjPN+OlalMmCknadaofKga5FLKOPQs2C3nw6
                                                        AH4WUNGrchmDMVBwRwfZdQXYZTXesqULmGMK7mwjQGOxerRDQWrFv8Nh
                                                        NnVV31PihaYBdQ1TJjvfGS/FYZJwv/BddiELiLeUnNWu3AOsRAshgOcD
                                                        BOAPUvKJNEq6RHELFmvXOOe2d8H2yzv02EMQik6GwUm16DrSdmX+SWfe
                                                        lQs+9ELFN6k=
se.                     3600    IN      DNSKEY  256 3 5 AwEAAbhCVInOCVKWoaeWFmCHfO0SW4MAEWiM2MrbR6q1fclgAa04Lkqu
                                                        c2Lp1xQ1ssO7rDYDLf8Uhe6EU6Xs56mRS5ZhHGiWwozrY4duxyAaYQUo
                                                        d6LuH0u5Q0VRUs5Yv5hh9YvVxR1iclbQleg6NDVVeMQU4lFWOnHbP6Md
                                                        2SNWptVV
se.                     3600    IN      DNSKEY  256 3 5 AwEAAcWT6tpmgKhM53EgomdSmbai1MRzj0bA6wWfmkFRU7wkNgKAP/Z+
                                                        2Lc80W0EmNBwaT5mi2QDqKXCMXS4GgxNCNg5nOAgdcS2XqGYPFYNkETW
                                                        iTtjnO3MPSZb4i77BEpAP2OtbazmRBAeYVNYV61X8o6X3H808b4mRIFF
                                                        VBeMacsR
se.                     3600    IN      DNSKEY  256 3 5 AwEAAc3n4vV7f6TbRjSpfADcIBn+MDqzuFUo+s3b85wC8Tp+d1EDlLPF
                                                        /5GIR4Y3P+8u1OpPKuCCzurvfics/HiGQU3Jkv3wlFP5cZLBSpCiwazY
                                                        253uJwXpItS+liP6AK+kOOwsEWTYxG6vvBodm/ASTbqs2FqokFTPLW74
                                                        lTOp51a5
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 20070704234724 20070628060616 55323 se.
                                                        YXrv/m8r7cJgBXvI8RSGWnijl+P+5e+zrYeeIaBVKZkgAA3kt4+F16h7
                                                        hlEG/WBRR45lQUk+0A79hly/MkXQ11TgoJWd18t6YLDrkYkzL7Mu8XhU
                                                        ohyTcXowVjICf8GjYwROofql2Gavb1ixsWu8HDj1V9PfOc5y7xdiPzFg
                                                        Fnc=
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 20070714000000 20070601133943 6166 se.
                                                        HAhEV9y1pe52qxK5kwkYQtGQr7uyJgfONWUbiY/j1sJLL4O9jP9TEP+d
                                                        5dNaPodc67IOChQ4kxqVDieqlHns7NsVA8yu2TaQkujS9jfp5fgewhlE
                                                        5NFEdBgsn1HZJXlAW+OtxqDYvNVien0072XNkGXpc5GtWpA2b6ky1aZ5
                                                        RAZHAoXO1gFa1qRdXlcsvLzdpe/SglFHCLCcfW3cSoVgRTfHGwQbncjg
                                                        Qjg6ldDvZYpHYLZE/jMxh7BVzUxRugAx0PpGn4D3n/Y8dfUBTRU3f9El
                                                        b+7NRyvSaFwXEx3OfPpAN4fmB0PUhWcuT02XPYL6zYYkW7b5Y5kr0mgf
                                                        aoBasQ==
se.                     3600    IN      RRSIG   DNSKEY 5 1 3600 20070714000000 20070601133943 17686 se.
                                                        nhpLK0Vt+CSH6GqIBbbNigrx2WivrH14tgXfAYhjMM5bnuTXHaYvmgJ9
                                                        1pjxgK8rAVJu2VOCapXyVonEK9hCUCsN7IjENgUdDrjwiWP7ECIU3zqa
                                                        eI3bjpEEgp3ZLEuVrfARkvyv29quztcbiATLxLHjRtu6V4K7riCCch8B
                                                        zVo7v8FyXbpCNf3u4ixNe6vpouAQbAUQeyGc+MIdzdhLfzcHFLbBtq1a
                                                        YTTiOP6PtxVsCyUomuV9P0yOoM4pmpfTPR26Nu50E5yRxTAh83a2zckJ
                                                        FlSyGYM3thCZwlLzjQyNPcARb/LU2HgX+2/Cqpymg3IVeLvMV2C5i0Q0
                                                        B0RYgQ==

;; AUTHORITY SECTION:
se.                     172800  IN      NS      f.ns.se.
se.                     172800  IN      NS      g.ns.se.
se.                     172800  IN      NS      h.ns.se.
se.                     172800  IN      NS      i.ns.se.
se.                     172800  IN      NS      a.ns.se.
se.                     172800  IN      NS      b.ns.se.
se.                     172800  IN      NS      c.ns.se.
se.                     172800  IN      NS      d.ns.se.
se.                     172800  IN      NS      e.ns.se.
se.                     172800  IN      RRSIG   NS 5 1 172800 20070704040612 20070628160615 55323 se.
                                                        Jkngk4Hw3xbuo0sJynmKBhcFWJdKAgd4XoZLpVc9Vi0NKI7IUdqUY7VN
                                                        +bGNpGo8oqNN7GkBo46Pk8puIuuyGhmXsaeTGnAC+yreN0T9beJsr+C4
                                                        hnIjvIDI926qTj/DE3L7P7fuFrUBCkQWgarKNOT2UZNtTE7+wHP2HiK1
                                                        8T4=

;; ADDITIONAL SECTION:
a.ns.se.                172800  IN      A       192.36.144.107
a.ns.se.                172800  IN      AAAA    2001:698:9:301::53
b.ns.se.                172800  IN      A       192.36.133.107
c.ns.se.                172800  IN      A       192.36.135.107
d.ns.se.                172800  IN      A       81.228.8.16
e.ns.se.                172800  IN      A       81.228.10.57
f.ns.se.                172800  IN      A       192.71.53.53
f.ns.se.                172800  IN      AAAA    2a01:280:1:53::53
g.ns.se.                172800  IN      A       130.239.5.114
g.ns.se.                172800  IN      AAAA    2001:6b0:e:3::1
h.ns.se.                172800  IN      A       199.7.49.30
i.ns.se.                172800  IN      A       194.146.106.22
a.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070705081735 20070628160615 55323 se.
                                                        SSHbBWugXQUNAvh4t3xMgFR0ii7GliFahJNLHNuoZl+RTpgLgBLi7dIx
                                                        JpxswqXpoiHD9r84TJcpw2RSsK4BHmL009vFual17wQ8kzbTHn7hlLce
                                                        lJREMWnRUeNDAW1x6VkDlXnqqToftUfXs6U6NhxCUv0rpPuu24qR67lH
                                                        Wik=
a.ns.se.                172800  IN      RRSIG   AAAA 5 3 172800 20070704094109 20070628160615 55323 se.
                                                        Ow9XU/2UbAfqIJ8LFXkdPVPENA7ueLHpa7jai7IjqnpzlPwNDIKbnSKM
                                                        CQC/fvC55RZQpw1kIU0FsLeyxEukChb7suM242tjjTj1a/aT8mW5aEBh
                                                        /gQfRHSTAcDuoV4NCn2w85U3OU4FSrr7+z92EM0myZEUyKyJ+ioU31tM
                                                        cZc=
b.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070704185325 20070628160615 55323 se.
                                                        h3dnpUyB9gL3ilLJKFFuednhLynv3Qv92Nd3gqD6ryEMqtKlhgaIDYve
                                                        umH+BnmaR84IS5wy92uwgodkx8l1OGTG3ygsKV8TzSbc2MHDE1M2hwnx
                                                        99tbJhfB1kYJrFm0nCeER7SRmmhfrEjbIbdOCjZebufbEU6Yb67pGYmt
                                                        BBg=
c.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070705123252 20070628160615 55323 se.
                                                        JgcchMFmx+xfIcne8qlpd4VutOmfooG+jGKDEMpTWoViK6olMp8pIMWh
                                                        QwwO8Zl5Y1c3eE21Y2gUx10hJb40i6uVnLnFOnVhXewhch6B1SDk7Rac
                                                        p4fZXuNqG/bCgaWYoorvayhgO42trU+Ci9ini2EciB0JXljg7ABp6v6i
                                                        9k0=
d.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070705045153 20070628160615 55323 se.
                                                        NFHM/OXoEzci4Qt62vIYW9YxGzg4ImooHqgd/FPqmTzsRaT1lq9zGZT0
                                                        9z7iOeDwKzqKqdbBPZ6APX6rJj+KnPYe5ROcM2wKYlZFcbJ9OvmJszAr
                                                        OHaB8pBNI0mP9ZPVV5mRsX/zcaR7gj9FGoMamxLVd9uJgTB33mC2lKA7
                                                        21k=
e.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070705050847 20070628160615 55323 se.
                                                        E5bM0781LqP8mYsvs0c1lQ3Y7rcQYv8clrBj8aHuOXg6y+20DL0CgETO
                                                        WwviHAqZOU4X6vmz3bq2n0s7ipQblvYXDLCZKq5kIDfEiBUyKMlEqie1
                                                        YOckxIdvACaZ1kBlk9+wl9q8CtJB1K72QtLlPS+gyhYlTq9CXGENjHCP
                                                        S7U=
f.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070704161415 20070628160615 55323 se.
                                                        lncq+1XHqXhKA7sdTPmjrmSfGELRUTBSIHMQXwWTZlEVz32gvQqAeARt
                                                        JgKbVpQWgRMmWfclS/oObEO+nJ9Y55ZX1q+f0v/43Sl1fhRu0gVmKxp6
                                                        unncN33igSj0gyoasN+nxNx3dWCnEOvTnVlTaaETzDkHrFa7tRGqSQZM
                                                        9Ok=
f.ns.se.                172800  IN      RRSIG   AAAA 5 3 172800 20070704203230 20070628160615 55323 se.
                                                        k0FH9krK5wBN6ZUXlZcz7kQFyNRRXIluWbotwtSs+NnFOs+A+7vb5Jr1
                                                        5UejzTqbIco3hMfqepFoJOeHnINpq4DeDc707mLqTB2lC5Nai/sN8EDz
                                                        qN4JV6twWUYibnmfcU5EZgafCVex7sOrstmPHMTIIIwVFAnS3LhP86LG
                                                        agE=
g.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070705154614 20070628160615 55323 se.
                                                        Yix5IF/G30/nYKCLMb+nhQCD8m4FhBR9AzSdTeccTJH65K3nG9GKkbF6
                                                        gXqkR/AuZCFuBdEsxrbDqJJy45yHRbCOLy5OYT7B7QPUjollEW1CvPZZ
                                                        slnyOnRGsSyrKZuxW0/glkHgO7gEz1f10uknoCyNXMb3mD/Pe0XN2hn4
                                                        fDI=
g.ns.se.                172800  IN      RRSIG   AAAA 5 3 172800 20070704162506 20070628160615 55323 se.
                                                        ae2vkkPwOHFUCMFICpIJNK2Vpg3yOQIuivKkYCPs7tC/0D7erpLcG1hr
                                                        E4D92FY7zsNk4agO8Kq1clV5Nl+zKAtbypRADSTGAELHtLl74s6/MFdY
                                                        xUcp/mHqI9pSc50lysjS3QhVhVji8po8On7TY1IoWgICSncSd1A20fWs
                                                        w00=
h.ns.se.                172800  IN      RRSIG   A 5 3 172800 20070704141412 20070628160615 55323 se.
                                                        joAM/dvlx/1LrPdZXpR9er9AUScuTNelbpDz7aig/O4+ZHSS3cFyNEVc
                                                        aD8jumAwrDA/OGVfutvw6xsR+Bl7RO+RVfDHQOGlB8Ws1McpBtwhtET4
                                                        etM0uTpC88mvhRLLPY3fnhhNkum6vGZKOv/aKyz7RStIBtsU7mn0OL2v
                                                        QlA=

;; Query time: 59 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Thu Jun 28 21:21:57 2007
;; MSG SIZE  rcvd: 4088

21:21 amd64# dmesg > post.dig
21:22 amd64# diff pre.dig post.dig
269a270,274
> pf_normalize_ip: reass frag 48998 @ 0-1480
> pf_normalize_ip: reass frag 48998 @ 1480-2960
> pf_normalize_ip: reass frag 48998 @ 2960-4096
> pf_reassemble: 4096 < 4096?
> pf_reassemble: complete: 0xffffff00049c6e00(4116)
21:22 amd64# exit

Script done on Thu Jun 28 21:22:05 2007
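The three "reass frag" ranges and the 4116-byte total in the dmesg diff follow from plain IPv4 fragmentation arithmetic: a 4088-byte DNS message plus an 8-byte UDP header is a 4096-byte IP payload, a 1500-byte MTU leaves 1480 bytes of payload per fragment (a multiple of the 8-byte fragment offset unit), and the reassembled datagram is 4096 bytes plus the 20-byte IP header. The following Python model, added here as an illustration and not code from pf or from the original message, fragments such a payload and reassembles it in any arrival order while logging equivalent ranges. Unlike a pass-through, it rejects overlapping fragments, fragments that run past the announced total length, and misaligned offsets, which is the kind of normalisation a "scrub in" reassembler exists to enforce. The constants, class and function names, and the constructed payload are all assumptions; the size comparison pf itself logs is not reproduced.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed to match the session above: IPv4 header without options,
# UDP header, RFC 791's 8-byte fragment offset unit, Ethernet MTU.
IP_HDR = 20
UDP_HDR = 8
FRAG_UNIT = 8
MTU = 1500


@dataclass(frozen=True)
class Fragment:
    ip_id: int     # IP identification shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's data within the IP payload
    data: bytes
    more: bool     # MF flag: True on every fragment except the last


def fragment(ip_id: int, ip_payload: bytes, mtu: int = MTU) -> list[Fragment]:
    """Split one IP payload (UDP header + data) into MTU-sized fragments.
    Non-final fragments carry a multiple of FRAG_UNIT bytes so that every
    offset fits the 13-bit fragment offset field."""
    max_data = (mtu - IP_HDR) // FRAG_UNIT * FRAG_UNIT   # 1480 for MTU 1500
    frags, off = [], 0
    while off < len(ip_payload):
        chunk = ip_payload[off:off + max_data]
        more = off + len(chunk) < len(ip_payload)
        frags.append(Fragment(ip_id, off, chunk, more))
        off += len(chunk)
    return frags


def frag_ranges(frags: list[Fragment]) -> list[tuple[int, int]]:
    """The start-end byte ranges a reassembler would log for these fragments."""
    return [(f.offset, f.offset + len(f.data)) for f in frags]


@dataclass
class Reassembler:
    """Per-IP-id fragment buffer. add() returns the whole IP payload once the
    buffered ranges run contiguously from 0 to the length announced by the
    MF=0 fragment; overlaps and size conflicts are rejected, not merged."""
    buffers: dict[int, dict] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def add(self, f: Fragment) -> bytes | None:
        entry = self.buffers.setdefault(f.ip_id, {"frags": {}, "total": None})
        end = f.offset + len(f.data)
        self.log.append(f"reass frag {f.ip_id} @ {f.offset}-{end}")
        if f.offset % FRAG_UNIT:
            raise ValueError("fragment offset not a multiple of 8")
        if f.more and len(f.data) % FRAG_UNIT:
            raise ValueError("non-final fragment length not a multiple of 8")
        if not f.more:
            if entry["total"] is not None and entry["total"] != end:
                raise ValueError("two last fragments announce different totals")
            entry["total"] = end
        if entry["total"] is not None and end > entry["total"]:
            raise ValueError("fragment extends past announced total length")
        for s, e in entry["frags"]:
            if f.offset < e and s < end:
                raise ValueError(f"overlap: {f.offset}-{end} vs buffered {s}-{e}")
        entry["frags"][(f.offset, end)] = f.data
        return self._complete(f.ip_id)

    def _complete(self, ip_id: int) -> bytes | None:
        entry = self.buffers[ip_id]
        total = entry["total"]
        if total is None:
            return None
        covered, parts = 0, []
        for (s, e), data in sorted(entry["frags"].items()):
            if s != covered:
                return None   # hole before this fragment; keep waiting
            covered = e
            parts.append(data)
        if covered < total:
            return None
        self.log.append(f"reassemble: complete ({IP_HDR + total} bytes with IP header)")
        del self.buffers[ip_id]
        return b"".join(parts)


def reassemble_all(frags: list[Fragment]) -> tuple[bytes | None, list[str]]:
    """Feed fragments in the given order; return the payload (or None) and the log."""
    r = Reassembler()
    result = None
    for f in frags:
        result = r.add(f) or result
    return result, r.log


def check_sequence(frags: list[Fragment]) -> str:
    """'complete', 'incomplete', or 'rejected: <reason>' for a fragment sequence."""
    try:
        result, _ = reassemble_all(frags)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "complete" if result is not None else "incomplete"


if __name__ == "__main__":
    # Constructed stand-in for the 4088-byte DNSKEY answer seen above.
    payload = bytes(UDP_HDR) + bytes(i % 256 for i in range(4088))
    frags = fragment(48998, payload)
    print(frag_ranges(frags))            # [(0, 1480), (1480, 2960), (2960, 4096)]
    print("\n".join(reassemble_all(list(reversed(frags)))[1]))
```

Running the script prints the same three ranges as the dmesg diff and a completion line carrying 4116, the figure pf logged for the reassembled datagram; feeding the fragments in reverse shows that order does not matter as long as the MF=0 fragment announces the total length. A fragment whose range collides with one already buffered is refused outright, which is the conservative choice for a filter sitting in front of a host whose own stack might resolve the overlap differently.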