On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:

  On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
  
  > The other big problem that just crossed my mind:  Reassembly in the bridge 
  > path!?  It doesn't look like the current bridge code on either OS is ready 
to 
  > deal with packets > MTU coming out of the filter.  The question here is 
  > probably how much IP processing we want to do in the bridge code?
  
  OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
  ip_fragment() so it could be called from there, and not too much code
  had to be duplicated.
  
          if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
                  bridge_fragment(sc, dst_if, &eh, m);
          else {
                ...
                  bridge_ifenqueue(sc, dst_if, m);
                ...
          }
  
    bridge_fragment()
  
          error = ip_fragment(m, ifp, ifp->if_mtu);
          if (error) {
                  m = NULL;
                  goto dropit;
          }
          
          for (; m; m = m0) {
                  m0 = m->m_nextpkt;
                  m->m_nextpkt = NULL;
                ...
                error = bridge_ifenqueue(sc, ifp, m);
                ...
        }
  
  That's one more layer violation in bridge, but stateful filtering
  basically requires fragment reassembly, at least in general.
  
  Daniel


Would it be possible to get bridge reassembly and even a quick and 
dirty patch to fixup the checksum on every packet into FreeBSD soon?

I have 4 firewalls to deploy this summer, the simplest and smallest one
first which would benefit from these fixes but could probably get away
without them.  For my largest one I would prefer to use fragment
reassembly to improve the accuracy of my ruleset, but I can't risk a
jumbo packet wedging my firewalls, and of course bad checksum packets
are useless.  Using pf in routing mode is undesirable for my situations.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to