I recently changed my 4.1-stable AP from ral to pgt only to find pf not
scrubbing packets anymore. To make this confusion more simple, I made a
temporary simple pf.conf:
$ sudo cat /etc/pf.conf
external_if = "pppoe0"
set debug loud
scrub in on $external_if all
scrub out on $external_if all max-mss 1452
nat on $external_if from ! $external_if -> ( $external_if )
block in log on $external_if
pass out quick on $external_if inet proto tcp to any
pass out quick on $external_if inet proto { udp, gre, icmp } to any
block out log on $external_if
With this ruleset I now have the following:
$ sudo pfctl -vvs rules
@0 scrub in on pppoe0 all fragment reassemble
[ Evaluations: 2051 Packets: 292 Bytes: 45542 States: 0
]
[ Inserted: uid 0 pid 10012 ]
@1 scrub out on pppoe0 all max-mss 1452 fragment reassemble
[ Evaluations: 236 Packets: 236 Bytes: 9859 States: 0
]
[ Inserted: uid 0 pid 10012 ]
@0 block drop in log on pppoe0 all
[ Evaluations: 831 Packets: 4 Bytes: 1092 States: 0
]
[ Inserted: uid 0 pid 10012 ]
@1 pass out quick on pppoe0 inet proto tcp all flags S/SA keep state
[ Evaluations: 32 Packets: 242 Bytes: 55041 States: 7
]
[ Inserted: uid 0 pid 10012 ]
@2 pass out quick on pppoe0 inet proto udp all keep state
[ Evaluations: 19 Packets: 23 Bytes: 3049 States: 3
]
[ Inserted: uid 0 pid 10012 ]
@3 pass out quick on pppoe0 inet proto gre all keep state
[ Evaluations: 7 Packets: 0 Bytes: 0 States: 0
]
[ Inserted: uid 0 pid 10012 ]
@4 pass out quick on pppoe0 inet proto icmp all keep state
[ Evaluations: 7 Packets: 0 Bytes: 0 States: 0
]
[ Inserted: uid 0 pid 10012 ]
@5 block drop out log on pppoe0 all
[ Evaluations: 7 Packets: 7 Bytes: 280 States: 0
]
[ Inserted: uid 0 pid 10012 ]
However, a simple visit to a web site when using pgt shows scrub is not
scrubbing as my mss is 1460:
$ sudo tcpdump -ni pppoe0 port 80
tcpdump: listening on pppoe0, link-type PPP_ETHER
12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S
2341795589:2341795589(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(DF)
12:05:46.969268 64.37.182.61.80 > x.y.101.219.58561: S
3585146952:3585146952(0) ack 2341795590 win 8190 <mss 1460>
12:05:46.970368 x.y.101.219.58561 > 64.37.182.61.80: . ack 1 win 17520 (DF)
12:05:46.970902 x.y.101.219.58561 > 64.37.182.61.80: P 1:642(641) ack 1 win
17520 (DF)
12:05:47.056958 64.37.182.61.80 > x.y.101.219.58561: P 1:636(635) ack 642
win 19200 (DF)
12:05:47.060172 x.y.101.219.58561 > 64.37.182.61.80: P 642:1347(705) ack 636
win 16885 (DF)
12:05:47.151883 64.37.182.61.80 > x.y.101.219.58561: P 3556:3780(224) ack
1347 win 8190
12:05:47.152153 64.37.182.61.80 > x.y.101.219.58561: P 2096:2100(4) ack 1347
win 8190 (frag 55634:[EMAIL PROTECTED])
12:05:47.153298 x.y.101.219.58561 > 64.37.182.61.80: . ack 636 win 16885
(DF)
12:05:47.156386 x.y.101.219.58561 > 64.37.182.61.80: . ack 636 win 16885
(DF)
But if I simply put the ral card back and reboot, scrub works again, and this
is reproducible.
$ sudo tcpdump -ni pppoe0 port 80
tcpdump: listening on pppoe0, link-type PPP_ETHER
11:14:32.100411 x.y.115.226.53842 > 64.37.182.61.80: S
3135555284:3135555284(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
(DF)
11:14:32.176738 64.37.182.61.80 > x.y.115.226.53842: S
2437399687:2437399687(0) ack 3135555285 win 8190 <mss 1452>
11:14:32.177300 x.y.115.226.53842 > 64.37.182.61.80: . ack 1 win 17424 (DF)
11:14:32.177661 x.y.115.226.53842 > 64.37.182.61.80: P 1:642(641) ack 1 win
17424 (DF)
11:14:32.263894 64.37.182.61.80 > x.y.115.226.53842: P 1:636(635) ack 642
win 32767 (DF)
11:14:32.266375 x.y.115.226.53842 > 64.37.182.61.80: P 642:1347(705) ack 636
win 16789 (DF)
11:14:32.360790 64.37.182.61.80 > x.y.115.226.53842: P 636:2088(1452) ack
1347 win 8190 (DF)
11:14:32.361099 64.37.182.61.80 > x.y.115.226.53842: P 3540:3773(233) ack
1347 win 8190
I don't get it. I haven't had much sleep, but what's missing here? The
hostname.if for the ral and pgt cards are identical.
For what it's worth, here's the output from pf debug load during the session
when using the pgt card:
Oct 31 12:05:46 meth /bsd: pf_map_addr: selected address x.y.101.219
Oct 31 12:05:47 meth /bsd: pf_normalize_ip: reass frag 21209 @ 0-24
Oct 31 12:05:47 meth /bsd: pf_normalize_ip: reass frag 21209 @ 24-1480
Oct 31 12:05:47 meth /bsd: pf_reassemble: 1480 < 1480?
Oct 31 12:05:47 meth /bsd: pf_reassemble: complete: 0xd6aeb100(1500)
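The check the two captures above are doing by eye (does the MSS in every SYN stay at or below the configured max-mss?) can be scripted, which is useful when you want to confirm that a scrub rule is actually being applied after a hardware or kernel change. The following Python script is an added example; it is not part of the original post and is not OpenBSD or pf code. It takes tcpdump output as pasted in a mail (records wrapped across lines), re-joins the records, extracts the MSS option from each SYN, and reports any that exceed the max-mss value from pf.conf. The sample input is the pgt and ral captures quoted above; the function and variable names are my own.

```python
import re

# Constructed sample input: the two captures from the post, with the
# line wrapping a mail client introduces left in place on purpose.
PGT_CAPTURE = """\
tcpdump: listening on pppoe0, link-type PPP_ETHER
12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S
2341795589:2341795589(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(DF)
12:05:46.969268 64.37.182.61.80 > x.y.101.219.58561: S
3585146952:3585146952(0) ack 2341795590 win 8190 <mss 1460>
12:05:46.970368 x.y.101.219.58561 > 64.37.182.61.80: . ack 1 win 17520 (DF)
"""

RAL_CAPTURE = """\
tcpdump: listening on pppoe0, link-type PPP_ETHER
11:14:32.100411 x.y.115.226.53842 > 64.37.182.61.80: S
3135555284:3135555284(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
(DF)
11:14:32.176738 64.37.182.61.80 > x.y.115.226.53842: S
2437399687:2437399687(0) ack 3135555285 win 8190 <mss 1452>
11:14:32.177300 x.y.115.226.53842 > 64.37.182.61.80: . ack 1 win 17424 (DF)
"""

# A tcpdump record starts with an HH:MM:SS.usec timestamp; anything else
# (other than the "tcpdump:" banner) is a wrapped continuation line.
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# "src > dst: S ..." marks a SYN (or SYN/ACK) in tcpdump's TCP summary line.
SYN_RECORD = re.compile(r"^\S+ (\S+) > (\S+): S ")
# The MSS option as tcpdump prints it inside <...>.
MSS_OPTION = re.compile(r"\bmss (\d+)")


def join_wrapped(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line):
            records.append(line)
        elif records and not line.startswith("tcpdump:"):
            records[-1] += " " + line.strip()
    return records


def syn_mss_values(text):
    """Return (src, dst, mss) for every SYN record carrying an MSS option."""
    found = []
    for rec in join_wrapped(text):
        syn = SYN_RECORD.match(rec)
        mss = MSS_OPTION.search(rec)
        if syn and mss:
            found.append((syn.group(1), syn.group(2), int(mss.group(1))))
    return found


def clamp_violations(text, max_mss):
    """SYNs whose MSS is above max_mss, i.e. evidence scrub did not clamp."""
    return [entry for entry in syn_mss_values(text) if entry[2] > max_mss]


if __name__ == "__main__":
    # 1452 is the max-mss from the pf.conf in the post.
    for name, capture in (("pgt", PGT_CAPTURE), ("ral", RAL_CAPTURE)):
        bad = clamp_violations(capture, 1452)
        status = "NOT clamped" if bad else "clamped"
        print(f"{name}: {status}; SYNs over max-mss: {bad}")
```

Feeding it a live capture is a matter of piping `tcpdump -ni pppoe0 'tcp[tcpflags] & tcp-syn != 0'` into the script and calling `clamp_violations()` on stdin; the point of re-joining wrapped lines is that the same code works on captures pasted into a mail or bug report.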