On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> The other big problem that just crossed my mind: Reassembly in the bridge
> path!? It doesn't look like the current bridge code on either OS is ready
to
> deal with packets > MTU coming out of the filter. The question here is
> probably how much IP processing we want to do in the bridge code?
OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
ip_fragment() so it could be called from there, and not too much code
had to be duplicated.
if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
bridge_fragment(sc, dst_if, &eh, m);
else {
...
bridge_ifenqueue(sc, dst_if, m);
...
}
bridge_fragment()
error = ip_fragment(m, ifp, ifp->if_mtu);
if (error) {
m = NULL;
goto dropit;
}
for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = NULL;
...
error = bridge_ifenqueue(sc, ifp, m);
...
}
That's one more layer violation in bridge, but stateful filtering
basically requires fragment reassembly, at least in general.
Daniel
Would it be possible to get bridge reassembly and even a quick and
dirty patch to fixup the checksum on every packet into FreeBSD soon?
I have 4 firewalls to deploy this summer, the simplest and smallest one
first which would benefit from these fixes but could probably get away
without them. For my largest one I would prefer to use fragment
reassembly to improve the accuracy of my ruleset, but I can't risk a
jumbo packet wedging my firewalls, and of course bad checksum packets
are useless. Using pf in routing mode is undesirable for my situations.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
