On Tue, Sep 16, 2014 at 12:20 AM, Alexander Salmin <alexan...@salmin.biz> wrote:
> Did you see it in previous versions?
> I would compare the same ruleset with a fresh 5.5 and see if you
> experience the same and in that case continue comparing the relevant
> source code.
>

The behaviour is the same as far back as 5.4 at least.

I have another one. With the "pass quick all" rule-set, if I send:

09:34:28.490074 00:25:90:c1:f1:8c 01:00:5e:40:68:01 0800 1514: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 49575:1480@0+) [ttl 1]

twice within 60s (frag timer?) I get:

Sep 16 09:34:28.490095 rule def/(match) pass in on em0: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 49575:1480@0+) [ttl 1]

I see this a lot in our production and test environment, but there it is triggered without the duplicate packet. Example from a live firewall.

Traffic:

pf0.swe1# tcpdump -n -i vlan57 host 10.69.48.14 and not tcp
tcpdump: listening on vlan57, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
09:51:56.710780 10.69.48.14.5404 > 239.192.104.1.5405: udp 75 (DF) [ttl 1]
09:51:56.711161 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
09:51:56.711163 10.69.48.14 > 239.192.104.1: (frag 27013:1@1480) [ttl 1]
09:51:56.711164 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
09:51:56.711166 10.69.48.14 > 239.192.104.1: (frag 27014:1@1480) [ttl 1]
09:51:56.711167 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27015:1480@0+) [ttl 1]
09:51:56.711168 10.69.48.14 > 239.192.104.1: (frag 27015:1@1480) [ttl 1]
09:51:56.711169 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27016:1480@0+) [ttl 1]
09:51:56.711171 10.69.48.14 > 239.192.104.1: (frag 27016:1@1480) [ttl 1]
09:51:56.711172 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27017:1480@0+) [ttl 1]
09:51:56.711173 10.69.48.14 > 239.192.104.1: (frag 27017:1@1480) [ttl 1]
09:51:56.711175 10.69.48.14.5404 > 239.192.104.1.5405: udp 617 (DF) [ttl 1]
09:51:56.713383 10.69.48.14.5404 > 239.192.104.1.5405: udp 753 (DF) [ttl 1]
09:51:56.724606 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27018:1480@0+) [ttl 1]
09:51:56.724608 10.69.48.14 > 239.192.104.1: (frag 27018:1@1480) [ttl 1]
09:51:56.724609 10.69.48.14.5404 > 239.192.104.1.5405: udp 707 (DF) [ttl 1]
09:51:56.724986 10.69.48.14.5404 > 239.192.104.1.5405: udp 1412 (DF) [ttl 1]
09:51:56.730168 10.69.48.14.5404 > 239.192.104.1.5405: udp 650 (DF) [ttl 1]
^C

Log:

pf0.swe1# tcpdump -n -e -ttt -i pflog0 host 10.69.48.14
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Sep 16 09:51:56.711185 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
tcpdump: WARNING: compensating for unaligned libpcap packets
Sep 16 09:51:56.711190 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
Sep 16 09:51:56.711194 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27015:1480@0+) [ttl 1]
Sep 16 09:51:56.711198 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27016:1480@0+) [ttl 1]
Sep 16 09:51:56.711202 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27017:1480@0+) [ttl 1]
Sep 16 09:51:56.724622 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27018:1480@0+) [ttl 1]
^C
20 packets received by filter
0 packets dropped by kernel
pf0.swe1#

There is no rule that should log this in the live firewalls. Happens on 5.4 and 5.5; if memory serves me right, I saw it on 5.3 also.

Assistance with understanding this would be appreciated. I will use free time slots to look at the code, but due to limited knowledge and skills it is quite time consuming.

Regards
Tony
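Added example, not part of Tony's post or of OpenBSD: a small Python script that correlates the two captures above. It parses the tcpdump text formats shown in the post (the `frag id:len@off+` notation on the traffic interface and the `rule X/(reason) pass in on IF:` prefix on pflog0), classifies each packet as unfragmented, first fragment or later fragment, and reports how many of each kind crossed the wire versus how many appeared in pflog and under which rule label. The sample lines are copied from the post; the regular expressions assume the tcpdump output formats exactly as printed there. The script says nothing about why pf logs these packets; it only makes the pattern (first fragments logged under `def`, nothing else) checkable on a larger capture.

```python
import re

# Constructed sample input: a subset of the tcpdump lines quoted in the post
# above (traffic interface vlan57 and pflog0). tcpdump's own status lines are
# included on purpose to show that non-packet lines are skipped.
TRAFFIC_SAMPLE = """tcpdump: listening on vlan57, link-type EN10MB
09:51:56.710780 10.69.48.14.5404 > 239.192.104.1.5405: udp 75 (DF) [ttl 1]
09:51:56.711161 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
09:51:56.711163 10.69.48.14 > 239.192.104.1: (frag 27013:1@1480) [ttl 1]
09:51:56.711164 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
09:51:56.711166 10.69.48.14 > 239.192.104.1: (frag 27014:1@1480) [ttl 1]
09:51:56.711175 10.69.48.14.5404 > 239.192.104.1.5405: udp 617 (DF) [ttl 1]
"""

PFLOG_SAMPLE = """tcpdump: listening on pflog0, link-type PFLOG
Sep 16 09:51:56.711185 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27013:1480@0+) [ttl 1]
Sep 16 09:51:56.711190 rule def/(match) pass in on vlan57: 10.69.48.14.5404 > 239.192.104.1.5405: udp 1473 (frag 27014:1480@0+) [ttl 1]
"""

TS = r'(?P<ts>\d\d:\d\d:\d\d\.\d+)'
# pflog0 with -ttt: "Sep 16 09:51:56.711185 rule def/(match) pass in on vlan57: <packet>"
PFLOG_RE = re.compile(
    r'^(?:[A-Z][a-z]{2} +\d+ )?' + TS +
    r' rule (?P<rule>[^/]+)/\((?P<reason>\w+)\) (?P<action>\w+) '
    r'(?P<dir>in|out) on (?P<ifname>[^:]+): (?P<packet>.*)$')
# traffic interface: "09:51:56.710780 <packet>"
TRAFFIC_RE = re.compile(r'^' + TS + r' (?P<packet>.*)$')
# "<src> > <dst>: udp <len> (frag id:len@off+) [ttl n]"; later fragments carry
# no UDP header, so tcpdump prints them without ports and without "udp N".
PACKET_RE = re.compile(r'^(?P<src>\S+) > (?P<dst>\S+): (?:udp (?P<ulen>\d+) )?(?P<rest>.*)$')
FRAG_RE = re.compile(r'\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)')


def parse_packet(text):
    """Classify one tcpdump packet description and build a key under which the
    same packet can be recognised in both captures. Fragments are keyed by IP
    id and offset; unfragmented datagrams by addresses and length, so two
    identical unfragmented datagrams would collide (acceptable here)."""
    m = PACKET_RE.match(text)
    if m is None:
        return None
    frag = FRAG_RE.search(m['rest'])
    if frag is None:
        kind = 'unfragmented'
        key = (m['src'], m['dst'], m['ulen'], None, 0)
    else:
        offset = int(frag['off'])
        kind = 'first fragment' if offset == 0 else 'later fragment'
        key = (m['src'], m['dst'], m['ulen'], int(frag['id']), offset)
    return {'kind': kind, 'key': key, 'df': '(DF)' in m['rest']}


def parse_capture(text, line_re):
    """Parse every packet line of a capture; other lines (warnings, prompts,
    ^C, the packet counters) are ignored."""
    packets = []
    for line in text.splitlines():
        m = line_re.match(line)
        if m is None:
            continue
        p = parse_packet(m['packet'])
        if p is None:
            continue
        p.update({k: v for k, v in m.groupdict().items() if k != 'packet'})
        packets.append(p)
    return packets


def summarize(traffic_text, pflog_text):
    """Correlate what crossed the interface with what pf logged."""
    seen = parse_capture(traffic_text, TRAFFIC_RE)
    logged = parse_capture(pflog_text, PFLOG_RE)
    seen_keys = {p['key'] for p in seen}
    logged_keys = {p['key'] for p in logged}
    counts = {}
    for kind in ('unfragmented', 'first fragment', 'later fragment'):
        of_kind = [p for p in seen if p['kind'] == kind]
        counts[kind] = (len(of_kind), sum(p['key'] in logged_keys for p in of_kind))
    rules = {}
    for p in logged:
        rules[p['rule']] = rules.get(p['rule'], 0) + 1
    return {
        'counts': counts,  # kind -> (seen on the wire, present in pflog)
        'rules': rules,    # rule label as printed by tcpdump -> log entries
        'unmatched_log_entries': [p for p in logged if p['key'] not in seen_keys],
    }


if __name__ == '__main__':
    result = summarize(TRAFFIC_SAMPLE, PFLOG_SAMPLE)
    for kind, (seen, logged) in result['counts'].items():
        print(f'{kind:15s} seen={seen} logged={logged}')
    print('log entries per rule:', result['rules'])
    print('log entries with no matching packet:', len(result['unmatched_log_entries']))
```

Feed it the full output of the two tcpdump commands from the post (or a longer capture taken the same way) instead of the embedded samples; if the ratio for "first fragment" is seen == logged while the other two kinds stay at zero logged, the capture reproduces the pattern in the post, and an entry under a label other than `def` or an unmatched log entry would point at something different from what is described here.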