On Sat, Dec 28, 2013 at 9:39 AM, Rui Paulo <rpa...@freebsd.org> wrote:
> > The second problem happens with large UDP packets. If I change the rule
> > "scrub on $ext_if all fragment reassemble" to "scrub on $ext_if all
> > reassemble tcp fragment reassemble", I can see the UDP packets going out
> > correctly translated, but if I send a large UDP packet (> MTU), pf sends
> > the reassembled packet as a large packet which exceeds the MTU.
>

Hi,

I've managed to reproduce this problem on 10.0-RC5, but only using pf in
"transparent mode" (on a bridge) under a Virtualbox lab:

VM1 ===== VM2(pf,scrub,bridge) ===== VM3

** VM2 configuration **

/etc/rc.conf:
ifconfig_em1="up"
ifconfig_em2="up"
pf_enable="yes"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"

/etc/pf.conf:
set skip on lo0
scrub (automatically converted to "scrub all fragment reassemble")
pass (automatically converted to "pass all flags S/SA keep state")

** VM1 configuration **

/etc/rc.conf:
ifconfig_em1="inet 10.0.23.2/24"

** VM3 configuration **

/etc/rc.conf:
ifconfig_em2="inet 10.0.23.4/24"

Now, from VM1, I generate fragmented UDP traffic toward VM3 with netblast:

netblast 10.0.23.4 9090 1800 1

And I run tcpdump on VM2 (firewall); on the ingress interface it is correct:

20:44:09.150865 IP (tos 0x0, ttl 64, id 36516, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.23.2.15187 > 10.0.23.4.9090: UDP, length 1800
20:44:09.150936 IP (tos 0x0, ttl 64, id 36516, offset 1480, flags [none], proto UDP (17), length 348)
    10.0.23.2 > 10.0.23.4: ip-proto-17

But on the egress interface of VM2 (firewall) there is a problem:

20:45:26.591384 20:00:40:11:68:be > 45:00:05:dc:aa:4d, ethertype Unknown (0x0a00), length 1500:
        0x0000:  1702 0a00 1704 28cf 2382 0710 6373 0000  ......(.#...cs..
        0x0010:  0004 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        (etc...)
20:45:26.591403 00:b9:40:11:8c:85 > 45:00:01:5c:aa:4d, ethertype Unknown (0x0a00), length 348:
        0x0000:  1702 0a00 1704 0000 0000 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        (etc...)

Regards,
Olivier
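The egress frames above look odd because what tcpdump prints as the Ethernet header (dst MAC 45:00:05:dc:aa:4d, ethertype 0x0a00) is in fact the start of an IPv4 header: version 4, IHL 5, total length 0x05dc = 1500, id 0xaa4d, then the src/dst addresses 10.0.23.2 and 10.0.23.4. The following is an added diagnostic, not code from the post or from FreeBSD: it re-serialises the two frames from the capture in wire order (constructed from the printed fields), decodes the first 20 bytes as IPv4, and checks the header checksum, which validates for both frames, showing the packets left the bridge with their 14-byte link-layer header missing.

```python
import struct

# Constructed from the two egress frames in the post: tcpdump's "dst MAC",
# "src MAC" and "ethertype" fields put back in wire order, followed by the
# first bytes of each hex dump. Only the leading bytes are needed here.
EGRESS_FRAME_1 = bytes.fromhex(
    "450005dcaa4d" "20004011" "68be" "0a00"      # printed as the Ethernet header
    "17020a00170428cf2382071063730000")          # first 16 bytes of the dump
EGRESS_FRAME_2 = bytes.fromhex(
    "4500015caa4d" "00b94011" "8c85" "0a00"
    "17020a0017040000000000000000")
# Constructed well-formed frame (real MACs, ethertype 0x0800) for contrast.
NORMAL_FRAME = bytes.fromhex(
    "080027aabbcc080027ddeeff0800" "4500001c00000000401100000a0017020a001704")

def parse_ipv4_header(data):
    """Decode the fixed 20-byte IPv4 header at the start of data."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0xF,
        "total_length": total_len, "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def ipv4_header_checksum_ok(data):
    """Ones-complement sum over the 20-byte header (checksum included) folds to 0xFFFF if valid."""
    total = sum(struct.unpack("!10H", data[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def is_headerless_ip_frame(frame):
    """True when the bytes that should be an Ethernet header form a valid IPv4 header,
    i.e. the frame went out without its 14-byte link-layer header."""
    try:
        hdr = parse_ipv4_header(frame)
    except ValueError:
        return False
    return hdr["version"] == 4 and hdr["ihl"] == 5 and ipv4_header_checksum_ok(frame)

def udp_summary(frame):
    """Ports and length of the UDP header after a 20-byte IPv4 header (first fragment only)."""
    hdr = parse_ipv4_header(frame)
    if hdr["protocol"] != 17 or hdr["fragment_offset"] != 0:
        return None
    sport, dport, length = struct.unpack("!HHH", frame[20:26])
    return {"sport": sport, "dport": dport, "length": length}
```

For the first frame the UDP length decodes to 1808, i.e. the 8-byte UDP header plus the 1800-byte netblast payload, and the second frame decodes as the continuation fragment at offset 1480 with the same IP id, so pf re-fragmented correctly and only the Ethernet encapsulation is lost.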