[ Please don't top post, fixed ]

On Thursday 28 June 2007, Vadym Chepkov wrote:
> From: "Max Laier" <[EMAIL PROTECTED]>, Thursday, June 28, 2007 3:34 PM
> > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > > > Just to confirm I'm testing the right
> > > > cases, my setup looks like:
> > > >
> > > > Host1 Host2 Host3
> > > >
> > > > netsend -> pf scrub -> pf scrub -> netreceive
> > >
> > > I'm not sure I understood your setup. Why are there 3 hosts?
> >
> > In order to test scrub on forward and receiver at the same time (but
> > taking Host2 out of the stream doesn't change the result).
> >
> > > I think a query should be sth like this:
> > >
> > > Client[netsend->pf scrub] -> Internet -> DNS server
> > >
> > > And the response should be:
> > >
> > > DNS server -> Internet -> Client[pf scrub->netreceive]
> > >
> > > > Everything works as expected with various UDP payloads > MTU.
> > >
> > > Are you saying that you're able to receive responses to the
> > > following dig command when it's run from a client machine running
> > > pf scrub?
> > >
> > > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> > >
> > > This query is supposed to receive a DNS answer of more than 4KB.
> >
> > See the attached script I did just now.
> >
> > The only thing common about your setup seems to be the bge(4) NIC.
> > Can you try disabling hardware checksumming (ifconfig -txcsum
> > -rxcsum)? My test is over a hardware checksumming fxp(4) card,
> > though.
>
> Yes, this eliminated the issue. Bug in bge driver?

Kind of - the driver claims to have done UDP checksum testing on the
fragment (which is impossible). The attached patch should fix the issue
for bge(4) and any other similar NIC.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Index: pf_norm.c =================================================================== RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_norm.c,v retrieving revision 1.17 diff -u -r1.17 pf_norm.c --- pf_norm.c 25 Mar 2006 21:15:25 -0000 1.17 +++ pf_norm.c 28 Jun 2007 20:49:33 -0000 @@ -411,6 +411,11 @@ /* Strip off ip header */ m->m_data += hlen; m->m_len -= hlen; +#ifdef __FreeBSD__ + /* Checksum is not applicable to the reassembled packet */ + m->m_pkthdr.csum_flags &= ~(CSUM_IP_CHECKED | CSUM_IP_VALID | + CSUM_DATA_VALID | CSUM_PSEUDO_HDR); +#endif /* Create a new reassembly queue for this packet */ if (*frag == NULL) {
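
Review bot: The comment on the added block says the checksum is "not applicable to the reassembled packet", but at this point in the hunk m is still the single incoming fragment: its IP header has just been stripped and the reassembly queue is only created on the lines that follow, so the mask is applied once per fragment rather than once to the finished datagram. Assuming every fragment passes through this code that gives the intended result, but the comment should state the actual reason from the mail, namely that a NIC may set CSUM_DATA_VALID | CSUM_PSEUDO_HDR on a fragment and that verdict cannot cover the UDP checksum of the whole datagram, so it has to be verified in software after reassembly. It would also help to say in the comment why CSUM_IP_CHECKED | CSUM_IP_VALID are cleared along with the data flags, since the mail only discusses the UDP checksum.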