From: Max Laier
Organization: FreeBSD
To: "Vadym Chepkov"
Cc: Hugo Koji Kobayashi, freebsd-pf@freebsd.org
Date: Thu, 28 Jun 2007 22:56:01 +0200
Subject: Re: udp fragmentation
Message-Id: <200706282256.10397.max@love2party.net>

[ Please don't top post, fixed ]

On Thursday 28 June 2007, Vadym Chepkov wrote:
> From: "Max Laier", Thursday, June 28, 2007 3:34 PM
> > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > > > Just to confirm I'm testing the right
> > > > cases, my setup looks like:
> > > >
> > > > Host1      Host2       Host3
> > > >
> > > > netsend -> pf scrub -> pf scrub -> netreceive
> > > >
> > > I'm not sure I understood your setup. Why there are 3 hosts?
> >
> > In order to test scrub on forward and receiver at the same time (but
> > taking Host2 out of the stream doesn't change the result).
> >
> > > I think a query should be sth like this:
> > >
> > > Client[netsend->pf scrub] -> Internet -> DNS server
> > >
> > > And the response should be:
> > >
> > > DNS server -> Internet -> Client[pf scrub->netreceive]
> > >
> > > > Everything works as expected with various UDP payloads > MTU.
> > >
> > > Are you saying that you're able to receive responses to the
> > > following dig command when it's run from a client machine running
> > > pf scrub?
> > >
> > > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> > >
> > > This query is supposed to receive a DNS answer of more than 4KB.
> >
> > See the attached script I did just now.
> >
> > The only thing common about your setup seems to be the bge(4) NIC.
> > Can you try disabling hardware checksumming (ifconfig -txcsum
> > -rxcsum)? My test is over a hardware checksumming fxp(4) card,
> > though.
>
> Yes, this eliminated the issue. Bug in bge driver?

Kind of - the driver claims to have done UDP checksum testing on the
fragment (which is impossible). The attached patch should fix the issue
for bge(4) and any other similar NIC.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: frag_csum.diff

Index: pf_norm.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v retrieving revision 1.17 diff -u -r1.17 pf_norm.c =2D-- pf_norm.c 25 Mar 2006 21:15:25 -0000 1.17 +++ pf_norm.c 28 Jun 2007 20:49:33 -0000 @@ -411,6 +411,11 @@ /* Strip off ip header */ m->m_data +=3D hlen; m->m_len -=3D hlen; +#ifdef __FreeBSD__ + /* Checksum is not applicable to the reassembled packet */ + m->m_pkthdr.csum_flags &=3D ~(CSUM_IP_CHECKED | CSUM_IP_VALID |=20 + CSUM_DATA_VALID | CSUM_PSEUDO_HDR); +#endif =20 /* Create a new reassembly queue for this packet */ if (*frag =3D=3D NULL) {
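
Review bot: the comment on the added block after the "Strip off ip header" lines says only that the checksum "is not applicable to the reassembled packet", which leaves out why the four flags are wrong at this point: they were set by the NIC for a single fragment, and, as the message above explains, a UDP checksum cannot have been verified on a fragment. Consider wording the comment to say that the offload flags describe one fragment and are cleared so that the stack verifies the checksum of the reassembled datagram in software, since a stale CSUM_DATA_VALID | CSUM_PSEUDO_HDR is what lets an unverified datagram be treated as already checked. Two smaller points: the added line ending in "CSUM_IP_VALID |" carries trailing whitespace, and the hunk touches only this one site in pf_norm.c, so it is worth confirming that no other fragment-handling path passes on an mbuf with these flags still set.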