From owner-freebsd-pf@FreeBSD.ORG Wed Apr 5 13:39:32 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4529416A41F; Wed, 5 Apr 2006 13:39:32 +0000 (UTC) (envelope-from mcdouga9@daemon.egr.msu.edu)
Received: from daemon.egr.msu.edu (daemon.egr.msu.edu [35.9.44.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB34343D46; Wed, 5 Apr 2006 13:39:31 +0000 (GMT) (envelope-from mcdouga9@daemon.egr.msu.edu)
Received: by daemon.egr.msu.edu (Postfix, from userid 21281) id 246391CC53; Wed, 5 Apr 2006 09:39:31 -0400 (EDT)
Date: Wed, 5 Apr 2006 09:39:31 -0400
From: Adam McDougall
To: Daniel Hartmeier
Cc: Andrew Thompson, freebsd-pf@freebsd.org
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID: <20060405133930.GV14961@egr.msu.edu>
References: <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net> <20060405130645.GB5683@insomnia.benzedrine.cx>
In-Reply-To: <20060405130645.GB5683@insomnia.benzedrine.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.11
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Wed, 05 Apr 2006 13:39:32 -0000

On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
> On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> > The other big problem that just crossed my mind: Reassembly in the bridge
> > path!? It doesn't look like the current bridge code on either OS is ready to
> > deal with packets > MTU coming out of the filter. The question here is
> > probably how much IP processing we want to do in the bridge code?

This is also something I came across while evaluating pf+if_bridge on
FreeBSD. NFS fragment reassembly was the first repeatable offender, and
then I found I could wedge the outgoing interface in OACTIVE with a
simple ping -s 8000. I've also seen my internal interface wedge in
OACTIVE mode after several (10+?) ruleset reloads, with unapparent cause.

> OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> ip_fragment() so it could be called from there, and not too much code had
> to be duplicated.
>
>         if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
>                 bridge_fragment(sc, dst_if, &eh, m);
>         else {
>                 ...
>                 bridge_ifenqueue(sc, dst_if, m);
>                 ...
>         }
>
> bridge_fragment()
>
>         error = ip_fragment(m, ifp, ifp->if_mtu);
>         if (error) {
>                 m = NULL;
>                 goto dropit;
>         }
>         for (; m; m = m0) {
>                 m0 = m->m_nextpkt;
>                 m->m_nextpkt = NULL;
>                 ...
>                 error = bridge_ifenqueue(sc, ifp, m);
>                 ...
>         }
>
> That's one more layer violation in bridge, but stateful filtering
> basically requires fragment reassembly, at least in general.
>
> Daniel

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
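The following is an added example, not code from this thread and not the OpenBSD or FreeBSD implementation: a userland C model of the re-fragmentation step Daniel's quoted bridge_fragment() performs after pf has reassembled a datagram. It shows what ip_fragment() has to get right for each fragment (total length, MF flag and 8-byte-unit offset, and a freshly computed header checksum, which is exactly the field the thread's subject says came out broken) and checks the result the way a receiver would. Assumptions made here and not taken from the thread: a plain `struct pkt` stands in for the mbuf with `m_nextpkt` linking fragments, the IP header is 20 bytes with no options, and the oversized datagram is sized like the `ping -s 8000` Adam mentions (8000 data bytes plus an 8-byte ICMP header).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_HDR_LEN 14
#define IP_HDR_LEN    20
#define IP_DF         0x4000
#define IP_MF         0x2000
#define IP_OFFMASK    0x1fff

/* Stand-in for an mbuf (assumption of this example): one IPv4 datagram per
 * node, no Ethernet header, no IP options; m_nextpkt links fragments. */
struct pkt { uint8_t *data; size_t len; struct pkt *m_nextpkt; };

static struct pkt *pkt_new(size_t len)
{
    struct pkt *p = calloc(1, sizeof *p);
    p->data = calloc(1, len); p->len = len;
    return p;
}

static void free_chain(struct pkt *m)
{
    while (m) { struct pkt *n = m->m_nextpkt; free(m->data); free(m); m = n; }
}

static void     put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum. Over a header whose checksum field is
 * already correct it returns 0, which check_chain() relies on. */
static uint16_t in_cksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1) sum += (uint32_t)(p[n - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed test datagram: 20-byte header, payload byte i == (uint8_t)i. */
static struct pkt *build_datagram(size_t payload_len, int df)
{
    struct pkt *m = pkt_new(IP_HDR_LEN + payload_len);
    m->data[0] = 0x45;                        /* IPv4, IHL 5 */
    put16(m->data + 2, (uint16_t)m->len);     /* total length */
    put16(m->data + 4, 0x1234);               /* identification */
    put16(m->data + 6, df ? IP_DF : 0);       /* flags, offset 0 */
    m->data[8] = 64; m->data[9] = 1;          /* TTL, protocol ICMP */
    for (size_t i = 0; i < payload_len; i++) m->data[IP_HDR_LEN + i] = (uint8_t)i;
    put16(m->data + 10, in_cksum(m->data, IP_HDR_LEN));
    return m;
}

/* Model of ip_fragment(): split m into fragments that fit mtu, linked through
 * m_nextpkt. Consumes m on success; returns NULL and leaves m intact if DF is set. */
static struct pkt *ip_fragment(struct pkt *m, size_t mtu)
{
    if (m->len <= mtu) return m;
    uint16_t flags_off = get16(m->data + 6);
    if (flags_off & IP_DF) return NULL;
    size_t per = (mtu - IP_HDR_LEN) & ~(size_t)7;   /* offsets count 8-byte units */
    size_t total = m->len - IP_HDR_LEN;
    struct pkt *head = NULL, **tail = &head;
    for (size_t off = 0; off < total; off += per) {
        size_t n = total - off < per ? total - off : per;
        struct pkt *f = pkt_new(IP_HDR_LEN + n);
        memcpy(f->data, m->data, IP_HDR_LEN);
        memcpy(f->data + IP_HDR_LEN, m->data + IP_HDR_LEN + off, n);
        put16(f->data + 2, (uint16_t)f->len);
        /* MF stays set on the tail if the input was itself a non-final fragment. */
        int more = (off + n < total) || (flags_off & IP_MF);
        put16(f->data + 6, (uint16_t)((more ? IP_MF : 0) | ((flags_off & IP_OFFMASK) + off / 8)));
        put16(f->data + 10, 0);                               /* zero, then recompute: */
        put16(f->data + 10, in_cksum(f->data, IP_HDR_LEN));   /* every fragment needs its own sum */
        *tail = f; tail = &f->m_nextpkt;
    }
    free_chain(m);
    return head;
}

/* Model of the quoted bridge check: the frame length includes the Ethernet
 * header, which does not count against the output interface's IP MTU. */
static struct pkt *bridge_output(struct pkt *m, size_t if_mtu)
{
    size_t len = ETHER_HDR_LEN + m->len;
    return (len - ETHER_HDR_LEN) > if_mtu ? ip_fragment(m, if_mtu) : m;
}

/* Receiver-side check of a chain: each fragment fits the MTU, has a valid
 * header checksum and length field, offsets are contiguous, only the last has
 * MF clear, and the payload matches build_datagram()'s pattern.
 * Returns the fragment count, or -1 on the first violation. */
static int check_chain(const struct pkt *m, size_t mtu, size_t payload_len)
{
    size_t expect_off = 0; int count = 0;
    for (; m; m = m->m_nextpkt, count++) {
        uint16_t fo = get16(m->data + 6);
        if (m->len > mtu || in_cksum(m->data, IP_HDR_LEN) != 0) return -1;
        if (get16(m->data + 2) != m->len) return -1;
        if ((size_t)(fo & IP_OFFMASK) * 8 != expect_off) return -1;
        size_t n = m->len - IP_HDR_LEN;
        for (size_t i = 0; i < n; i++)
            if (m->data[IP_HDR_LEN + i] != (uint8_t)(expect_off + i)) return -1;
        expect_off += n;
        if (((fo & IP_MF) != 0) != (m->m_nextpkt != NULL)) return -1;
    }
    return expect_off == payload_len ? count : -1;
}
```

For the 8008-byte ICMP payload and a 1500-byte MTU this yields six fragments (five of 1480 payload bytes, one of 608), each with its own checksum; a datagram with DF set makes bridge_output() return NULL, which is the `goto dropit` path in the quoted code, and the caller remains responsible for the original mbuf in that case.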