PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)

Thu, 18 Dec 2014 02:29:52 -0800 

On 2014-11-09 21:15, Kristof Provost wrote:

On 2014-11-09 14:30:55 (+0100), Ilya Bakulin <i...@bakulin.de> wrote:

On 07.11.14, 14:31, Kristof Provost wrote:

You can find the patch series here:
http://www.sigsegv.be/files/pf_inet6_frag.tar
and everything in one big patch here:
http://www.sigsegv.be/files/pf_inet6_frag.patch

It's not cleaned up yet, or even extensively tested.
Basically the only testing that's been done is setting up a pf config to 
drop all traffic except icmp echo requests, and then sending out
fragmented icmp echo requests. Without the patch those get dropped, with 
the patch they make it through the firewall.
I've done some quick flood ping testing, so I'm reasonably confident it
doesn't leak mbufs.

I started from the OpenBSD work, and imported and adjusted their inet6
defragmentation patches.

Regards,
Kristof


Hi Kristof,

I have tested your patchset and it works!
Apart from testing with fragmented ICMPv6 requests, I've performed an UDP test using Scapy:
pkt=IPv6(dst="fdf9:37e3:7c53::100:2")/IPv6ExtHdrFragment()/UDP(dport=8000)/("a" * 10000) 
pktlist = fragment6(pkt, 1000)
send(pktlist)
fdf9:37e3:7c53::100:2 in this case is the address of my FreeBSD 11-CURRENT VM running with your patch.
sending pktlist on wire results in 11 packets being sent, they all get reassembled by PF and I can receive 
the data if I start nc on UDP port 8000.
What I want to do is to do the test with overlapping fragments (that should be dropped because overlapping IPv6 fragments are forbidden) 
and maybe some other non-typical packets.
At this poing I would like to ask clusteradm@ (CC'ed) to at least look at this patchet. The distinction between CROP and DROP that was dropped upstream is IMHO not important :-) I highly doubt that it makes any difference to anyone, and parcticularly at FreeBSD cluster. On the other hand, clusteradm@ people have complained about missing IPv6 fragment support -- so here is the solution. 

--
Ilya

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Reply via email to