From: "Vadym Chepkov"
To: "Max Laier", "Hugo Koji Kobayashi"
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
Date: Thu, 28 Jun 2007 15:44:17 -0400
Message-ID: <009f01c7b9bc$b7a3bd20$c40a0a0a@chepkov.lan>

Yes, this eliminated the issue. Bug in bge driver?

----- Original Message -----
From: "Max Laier"
To: "Hugo Koji Kobayashi"
Cc: "Vadym Chepkov"
Sent: Thursday, June 28, 2007 3:34 PM
Subject: Re: udp fragmentation

On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > Just to confirm I'm testing the right
> > cases, my setup looks like:
> >
> > Host1 Host2 Host3
> >
> > netsend -> pf scrub -> pf scrub -> netreceive
>
> I'm not sure I understood your setup. Why are there 3 hosts?

In order to test scrub on forward and receiver at the same time (but
taking Host2 out of the stream doesn't change the result).

> I think a query should be sth like this:
>
> Client[netsend->pf scrub] -> Internet -> DNS server
>
> And the response should be:
>
> DNS server -> Internet -> Client[pf scrub->netreceive]
>
> > Everything works as expected with various UDP payloads > MTU.
>
> Are you saying that you're able to receive responses to the following
> dig command when it's run from a client machine running pf scrub?
>
> dig @a.ns.se se dnskey +dnssec +bufsize=4500
>
> This query is supposed to receive a DNS answer of more than 4KB.

See the attached script I did just now.
The only thing common about your setup seems to be the bge(4) NIC. Can you
try disabling hardware checksumming (ifconfig -txcsum -rxcsum)? My test is
over a hardware checksumming fxp(4) card, though.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--------------------------------------------------------------------------------

> Script started on Thu Jun 28 21:20:28 2007
> 21:20 amd64# dmesg > pre.dig
> 21:20 amd64# echo "scrub in" | pfctl -ef-
> pf enabled
> 21:20 amd64# dmesg > pre.dig
> 21:21 amd64# pfctl -sr
> scrub in all fragment reassemble
> 21:21 amd64# pfctl -xm
> debug level set to 'misc'
> 21:21 amd64# dig @a.ns.se se dnskey +dnssec +bufsize=4500
>
> ; <<>> DiG 9.4.1 <<>> @a.ns.se se dnskey +dnssec +bufsize=4500
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43979
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 10, ADDITIONAL: 24
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;se. IN DNSKEY
>
> ;; ANSWER SECTION:
> se. 3600 IN DNSKEY 257 3 5
> AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe3Y
> 9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbbOTcM
> 8pwXlj0EiX3oDFVmjHO444gLkBOUKUf/mC7HvfwYH/Be22GnClrinKJp
> 1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt8lgnyTUHs
> 1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/buvF4qJCydui
> eHukuY3H4XMAcR+xia2nIUPvm/oyWR8BW/hWdzOvnSCThlHf3xiYleDb t/o1OTQ09A0=
> se. 3600 IN DNSKEY 257 3 5
> AwEAAb6xRZHEf+PyF5dxEvz0BHEHbziu6iZaiNW/yjSaZcmrmZiRMF8F
> PppD+XuKSau0rgu4eBwYdpkEoMVR4FhI8frkuPHIue2LP1ETo+2hCrdr
> 60K1538yLvzbOhMxXt6knjPN+OlalMmCknadaofKga5FLKOPQs2C3nw6
> AH4WUNGrchmDMVBwRwfZdQXYZTXesqULmGMK7mwjQGOxerRDQWrFv8Nh
> NnVV31PihaYBdQ1TJjvfGS/FYZJwv/BddiELiLeUnNWu3AOsRAshgOcD
> BOAPUvKJNEq6RHELFmvXOOe2d8H2yzv02EMQik6GwUm16DrSdmX+SWfe lQs+9ELFN6k=
> se. 3600 IN DNSKEY 256 3 5
> AwEAAbhCVInOCVKWoaeWFmCHfO0SW4MAEWiM2MrbR6q1fclgAa04Lkqu
> c2Lp1xQ1ssO7rDYDLf8Uhe6EU6Xs56mRS5ZhHGiWwozrY4duxyAaYQUo
> d6LuH0u5Q0VRUs5Yv5hh9YvVxR1iclbQleg6NDVVeMQU4lFWOnHbP6Md 2SNWptVV
> se. 3600 IN DNSKEY 256 3 5
> AwEAAcWT6tpmgKhM53EgomdSmbai1MRzj0bA6wWfmkFRU7wkNgKAP/Z+
> 2Lc80W0EmNBwaT5mi2QDqKXCMXS4GgxNCNg5nOAgdcS2XqGYPFYNkETW
> iTtjnO3MPSZb4i77BEpAP2OtbazmRBAeYVNYV61X8o6X3H808b4mRIFF VBeMacsR
> se. 3600 IN DNSKEY 256 3 5
> AwEAAc3n4vV7f6TbRjSpfADcIBn+MDqzuFUo+s3b85wC8Tp+d1EDlLPF
> /5GIR4Y3P+8u1OpPKuCCzurvfics/HiGQU3Jkv3wlFP5cZLBSpCiwazY
> 253uJwXpItS+liP6AK+kOOwsEWTYxG6vvBodm/ASTbqs2FqokFTPLW74 lTOp51a5
> se. 3600 IN RRSIG DNSKEY 5 1 3600 20070704234724 20070628060616 55323 se.
> YXrv/m8r7cJgBXvI8RSGWnijl+P+5e+zrYeeIaBVKZkgAA3kt4+F16h7
> hlEG/WBRR45lQUk+0A79hly/MkXQ11TgoJWd18t6YLDrkYkzL7Mu8XhU
> ohyTcXowVjICf8GjYwROofql2Gavb1ixsWu8HDj1V9PfOc5y7xdiPzFg Fnc=
> se. 3600 IN RRSIG DNSKEY 5 1 3600 20070714000000 20070601133943 6166 se.
> HAhEV9y1pe52qxK5kwkYQtGQr7uyJgfONWUbiY/j1sJLL4O9jP9TEP+d
> 5dNaPodc67IOChQ4kxqVDieqlHns7NsVA8yu2TaQkujS9jfp5fgewhlE
> 5NFEdBgsn1HZJXlAW+OtxqDYvNVien0072XNkGXpc5GtWpA2b6ky1aZ5
> RAZHAoXO1gFa1qRdXlcsvLzdpe/SglFHCLCcfW3cSoVgRTfHGwQbncjg
> Qjg6ldDvZYpHYLZE/jMxh7BVzUxRugAx0PpGn4D3n/Y8dfUBTRU3f9El
> b+7NRyvSaFwXEx3OfPpAN4fmB0PUhWcuT02XPYL6zYYkW7b5Y5kr0mgf aoBasQ==
> se. 3600 IN RRSIG DNSKEY 5 1 3600 20070714000000 20070601133943 17686 se.
> nhpLK0Vt+CSH6GqIBbbNigrx2WivrH14tgXfAYhjMM5bnuTXHaYvmgJ9
> 1pjxgK8rAVJu2VOCapXyVonEK9hCUCsN7IjENgUdDrjwiWP7ECIU3zqa
> eI3bjpEEgp3ZLEuVrfARkvyv29quztcbiATLxLHjRtu6V4K7riCCch8B
> zVo7v8FyXbpCNf3u4ixNe6vpouAQbAUQeyGc+MIdzdhLfzcHFLbBtq1a
> YTTiOP6PtxVsCyUomuV9P0yOoM4pmpfTPR26Nu50E5yRxTAh83a2zckJ
> FlSyGYM3thCZwlLzjQyNPcARb/LU2HgX+2/Cqpymg3IVeLvMV2C5i0Q0 B0RYgQ==
>
> ;; AUTHORITY SECTION:
> se. 172800 IN NS f.ns.se.
> se. 172800 IN NS g.ns.se.
> se. 172800 IN NS h.ns.se.
> se. 172800 IN NS i.ns.se.
> se. 172800 IN NS a.ns.se.
> se. 172800 IN NS b.ns.se.
> se. 172800 IN NS c.ns.se.
> se. 172800 IN NS d.ns.se.
> se. 172800 IN NS e.ns.se.
> se. 172800 IN RRSIG NS 5 1 172800 20070704040612 20070628160615 55323 se.
> Jkngk4Hw3xbuo0sJynmKBhcFWJdKAgd4XoZLpVc9Vi0NKI7IUdqUY7VN
> +bGNpGo8oqNN7GkBo46Pk8puIuuyGhmXsaeTGnAC+yreN0T9beJsr+C4
> hnIjvIDI926qTj/DE3L7P7fuFrUBCkQWgarKNOT2UZNtTE7+wHP2HiK1 8T4=
>
> ;; ADDITIONAL SECTION:
> a.ns.se. 172800 IN A 192.36.144.107
> a.ns.se. 172800 IN AAAA 2001:698:9:301::53
> b.ns.se. 172800 IN A 192.36.133.107
> c.ns.se. 172800 IN A 192.36.135.107
> d.ns.se. 172800 IN A 81.228.8.16
> e.ns.se. 172800 IN A 81.228.10.57
> f.ns.se. 172800 IN A 192.71.53.53
> f.ns.se. 172800 IN AAAA 2a01:280:1:53::53
> g.ns.se. 172800 IN A 130.239.5.114
> g.ns.se. 172800 IN AAAA 2001:6b0:e:3::1
> h.ns.se. 172800 IN A 199.7.49.30
> i.ns.se. 172800 IN A 194.146.106.22
> a.ns.se. 172800 IN RRSIG A 5 3 172800 20070705081735 20070628160615 55323
> se. SSHbBWugXQUNAvh4t3xMgFR0ii7GliFahJNLHNuoZl+RTpgLgBLi7dIx
> JpxswqXpoiHD9r84TJcpw2RSsK4BHmL009vFual17wQ8kzbTHn7hlLce
> lJREMWnRUeNDAW1x6VkDlXnqqToftUfXs6U6NhxCUv0rpPuu24qR67lH Wik=
> a.ns.se. 172800 IN RRSIG AAAA 5 3 172800 20070704094109 20070628160615
> 55323 se. Ow9XU/2UbAfqIJ8LFXkdPVPENA7ueLHpa7jai7IjqnpzlPwNDIKbnSKM
> CQC/fvC55RZQpw1kIU0FsLeyxEukChb7suM242tjjTj1a/aT8mW5aEBh
> /gQfRHSTAcDuoV4NCn2w85U3OU4FSrr7+z92EM0myZEUyKyJ+ioU31tM cZc=
> b.ns.se. 172800 IN RRSIG A 5 3 172800 20070704185325 20070628160615 55323
> se. h3dnpUyB9gL3ilLJKFFuednhLynv3Qv92Nd3gqD6ryEMqtKlhgaIDYve
> umH+BnmaR84IS5wy92uwgodkx8l1OGTG3ygsKV8TzSbc2MHDE1M2hwnx
> 99tbJhfB1kYJrFm0nCeER7SRmmhfrEjbIbdOCjZebufbEU6Yb67pGYmt BBg=
> c.ns.se. 172800 IN RRSIG A 5 3 172800 20070705123252 20070628160615 55323
> se. JgcchMFmx+xfIcne8qlpd4VutOmfooG+jGKDEMpTWoViK6olMp8pIMWh
> QwwO8Zl5Y1c3eE21Y2gUx10hJb40i6uVnLnFOnVhXewhch6B1SDk7Rac
> p4fZXuNqG/bCgaWYoorvayhgO42trU+Ci9ini2EciB0JXljg7ABp6v6i 9k0=
> d.ns.se. 172800 IN RRSIG A 5 3 172800 20070705045153 20070628160615 55323
> se. NFHM/OXoEzci4Qt62vIYW9YxGzg4ImooHqgd/FPqmTzsRaT1lq9zGZT0
> 9z7iOeDwKzqKqdbBPZ6APX6rJj+KnPYe5ROcM2wKYlZFcbJ9OvmJszAr
> OHaB8pBNI0mP9ZPVV5mRsX/zcaR7gj9FGoMamxLVd9uJgTB33mC2lKA7 21k=
> e.ns.se. 172800 IN RRSIG A 5 3 172800 20070705050847 20070628160615 55323
> se. E5bM0781LqP8mYsvs0c1lQ3Y7rcQYv8clrBj8aHuOXg6y+20DL0CgETO
> WwviHAqZOU4X6vmz3bq2n0s7ipQblvYXDLCZKq5kIDfEiBUyKMlEqie1
> YOckxIdvACaZ1kBlk9+wl9q8CtJB1K72QtLlPS+gyhYlTq9CXGENjHCP S7U=
> f.ns.se. 172800 IN RRSIG A 5 3 172800 20070704161415 20070628160615 55323
> se. lncq+1XHqXhKA7sdTPmjrmSfGELRUTBSIHMQXwWTZlEVz32gvQqAeARt
> JgKbVpQWgRMmWfclS/oObEO+nJ9Y55ZX1q+f0v/43Sl1fhRu0gVmKxp6
> unncN33igSj0gyoasN+nxNx3dWCnEOvTnVlTaaETzDkHrFa7tRGqSQZM 9Ok=
> f.ns.se. 172800 IN RRSIG AAAA 5 3 172800 20070704203230 20070628160615
> 55323 se. k0FH9krK5wBN6ZUXlZcz7kQFyNRRXIluWbotwtSs+NnFOs+A+7vb5Jr1
> 5UejzTqbIco3hMfqepFoJOeHnINpq4DeDc707mLqTB2lC5Nai/sN8EDz
> qN4JV6twWUYibnmfcU5EZgafCVex7sOrstmPHMTIIIwVFAnS3LhP86LG agE=
> g.ns.se. 172800 IN RRSIG A 5 3 172800 20070705154614 20070628160615 55323
> se. Yix5IF/G30/nYKCLMb+nhQCD8m4FhBR9AzSdTeccTJH65K3nG9GKkbF6
> gXqkR/AuZCFuBdEsxrbDqJJy45yHRbCOLy5OYT7B7QPUjollEW1CvPZZ
> slnyOnRGsSyrKZuxW0/glkHgO7gEz1f10uknoCyNXMb3mD/Pe0XN2hn4 fDI=
> g.ns.se. 172800 IN RRSIG AAAA 5 3 172800 20070704162506 20070628160615
> 55323 se. ae2vkkPwOHFUCMFICpIJNK2Vpg3yOQIuivKkYCPs7tC/0D7erpLcG1hr
> E4D92FY7zsNk4agO8Kq1clV5Nl+zKAtbypRADSTGAELHtLl74s6/MFdY
> xUcp/mHqI9pSc50lysjS3QhVhVji8po8On7TY1IoWgICSncSd1A20fWs w00=
> h.ns.se. 172800 IN RRSIG A 5 3 172800 20070704141412 20070628160615 55323
> se. joAM/dvlx/1LrPdZXpR9er9AUScuTNelbpDz7aig/O4+ZHSS3cFyNEVc
> aD8jumAwrDA/OGVfutvw6xsR+Bl7RO+RVfDHQOGlB8Ws1McpBtwhtET4
> etM0uTpC88mvhRLLPY3fnhhNkum6vGZKOv/aKyz7RStIBtsU7mn0OL2v QlA=
>
> ;; Query time: 59 msec
> ;; SERVER: 192.36.144.107#53(192.36.144.107)
> ;; WHEN: Thu Jun 28 21:21:57 2007
> ;; MSG SIZE rcvd: 4088
>
> 21:21 amd64# dmesg > post.dig
> 21:22 amd64# diff pre.dig post.dig
> 269a270,274
>> pf_normalize_ip: reass frag 48998 @ 0-1480
>> pf_normalize_ip: reass frag 48998 @ 1480-2960
>> pf_normalize_ip: reass frag 48998 @ 2960-4096
>> pf_reassemble: 4096 < 4096?
>> pf_reassemble: complete: 0xffffff00049c6e00(4116)
> 21:22 amd64# exit
>
> Script done on Thu Jun 28 21:22:05 2007
>
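
Added example (not part of the original message or of pf): a small reader for the pf 'misc' debug lines shown in the script above. It groups fragments by IP ID, reports uncovered byte ranges, and lists IDs that were never reported complete. The function names, the 51234 sample lines, and the pairing of a 'complete' line with the most recently logged fragment ID are assumptions.

```python
import re

# Line formats as they appear in the pf 'misc' debug output quoted above.
FRAG = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
DONE = re.compile(r"pf_reassemble: complete: \S+\((\d+)\)")

# First five lines are from the script above; the 51234 lines are constructed.
SAMPLE_LOG = """\
>> pf_normalize_ip: reass frag 48998 @ 0-1480
>> pf_normalize_ip: reass frag 48998 @ 1480-2960
>> pf_normalize_ip: reass frag 48998 @ 2960-4096
>> pf_reassemble: 4096 < 4096?
>> pf_reassemble: complete: 0xffffff00049c6e00(4116)
>> pf_normalize_ip: reass frag 51234 @ 0-1480
>> pf_normalize_ip: reass frag 51234 @ 2960-4096
"""

def find_gaps(ranges):
    """Return byte ranges below the highest logged offset that no fragment covers."""
    gaps, covered = [], 0
    for start, end in sorted(ranges):
        if start > covered:
            gaps.append((covered, start))
        covered = max(covered, end)
    return gaps

def analyse(log_text):
    """Group fragments by IP ID; record gaps and the reassembled length."""
    datagrams, last_id = {}, None
    for line in log_text.splitlines():
        frag = FRAG.search(line)
        done = DONE.search(line)
        if frag:
            last_id = int(frag.group(1))
            entry = datagrams.setdefault(last_id, {"ranges": [], "complete_len": None})
            entry["ranges"].append((int(frag.group(2)), int(frag.group(3))))
        elif done and last_id is not None:
            # Assumption: a 'complete' line belongs to the last fragment ID logged.
            datagrams[last_id]["complete_len"] = int(done.group(1))
    for entry in datagrams.values():
        entry["gaps"] = find_gaps(entry["ranges"])
    return datagrams

def stalled(datagrams):
    """IP IDs whose fragments were logged but never reported complete."""
    return sorted(i for i, d in datagrams.items() if d["complete_len"] is None)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip_id, d in result.items():
        print(ip_id, "gaps:", d["gaps"], "complete:", d["complete_len"])
    print("stalled:", stalled(result))
```

A missing final fragment cannot be seen this way, because the log lines do not carry the datagram's total length until reassembly completes.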