pgt, for me, has proven to be more reliable than ral, but this annoying scrubbing/mss issue is starting to get to me. Any recommendations for the best place to look in the source to address this? The only time I've really worked with C was in college and on a few ports here and there, but I'm nearing my wit's end with this.
Thanks and Happy Holidays.

On 11/2/07, Daniel Melameth <[EMAIL PROTECTED]> wrote:
> I was able to reproduce this issue with a clean installation of 4.2 as
> well, so long as the AP uses pgt, pf's scrub is broken. Thoughts?
>
> On 10/31/07, Daniel Melameth <[EMAIL PROTECTED]> wrote:
> > I recently changed my 4.1-stable AP from ral to pgt only to find pf not
> > scrubbing packets anymore. To make this confusion more simple, I made a
> > temporary simple pf.conf:
> >
> > $ sudo cat /etc/pf.conf
> > external_if = "pppoe0"
> >
> > set debug loud
> >
> > scrub in on $external_if all
> > scrub out on $external_if all max-mss 1452
> >
> > nat on $external_if from ! $external_if -> ( $external_if )
> >
> > block in log on $external_if
> >
> > pass out quick on $external_if inet proto tcp to any
> > pass out quick on $external_if inet proto { udp, gre, icmp } to any
> >
> > block out log on $external_if
> >
> >
> > With this ruleset I now have the following:
> >
> > $ sudo pfctl -vvs rules
> > @0 scrub in on pppoe0 all fragment reassemble
> >   [ Evaluations: 2051      Packets: 292       Bytes: 45542       States: 0     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @1 scrub out on pppoe0 all max-mss 1452 fragment reassemble
> >   [ Evaluations: 236       Packets: 236       Bytes: 9859        States: 0     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @0 block drop in log on pppoe0 all
> >   [ Evaluations: 831       Packets: 4         Bytes: 1092        States: 0     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @1 pass out quick on pppoe0 inet proto tcp all flags S/SA keep state
> >   [ Evaluations: 32        Packets: 242       Bytes: 55041       States: 7     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @2 pass out quick on pppoe0 inet proto udp all keep state
> >   [ Evaluations: 19        Packets: 23        Bytes: 3049        States: 3     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @3 pass out quick on pppoe0 inet proto gre all keep state
> >   [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @4 pass out quick on pppoe0 inet proto icmp all keep state
> >   [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
> >   [ Inserted: uid 0 pid 10012 ]
> > @5 block drop out log on pppoe0 all
> >   [ Evaluations: 7         Packets: 7         Bytes: 280         States: 0     ]
> >   [ Inserted: uid 0 pid 10012 ]
> >
> >
> > However, a simple visit to a web site when using pgt shows scrub is not
> > scrubbing as my mss is 1460:
> >
> > $ sudo tcpdump -ni pppoe0 port 80
> > tcpdump: listening on pppoe0, link-type PPP_ETHER
> > 12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S 2341795589:2341795589(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
> > 12:05:46.969268 64.37.182.61.80 > x.y.101.219.58561: S 3585146952:3585146952(0) ack 2341795590 win 8190 <mss 1460>
> > 12:05:46.970368 x.y.101.219.58561 > 64.37.182.61.80: . ack 1 win 17520 (DF)
> > 12:05:46.970902 x.y.101.219.58561 > 64.37.182.61.80: P 1:642(641) ack 1 win 17520 (DF)
> > 12:05:47.056958 64.37.182.61.80 > x.y.101.219.58561: P 1:636(635) ack 642 win 19200 (DF)
> > 12:05:47.060172 x.y.101.219.58561 > 64.37.182.61.80: P 642:1347(705) ack 636 win 16885 (DF)
> > 12:05:47.151883 64.37.182.61.80 > x.y.101.219.58561: P 3556:3780(224) ack 1347 win 8190
> > 12:05:47.152153 64.37.182.61.80 > x.y.101.219.58561: P 2096:2100(4) ack 1347 win 8190 (frag 55634:[EMAIL PROTECTED])
> > 12:05:47.153298 x.y.101.219.58561 > 64.37.182.61.80: . ack 636 win 16885 (DF)
> > 12:05:47.156386 x.y.101.219.58561 > 64.37.182.61.80: . ack 636 win 16885 (DF)
> >
> >
> > But if I simply put the ral card back and reboot, scrub works again, and this
> > is reproducible.
> >
> > $ sudo tcpdump -ni pppoe0 port 80
> > tcpdump: listening on pppoe0, link-type PPP_ETHER
> > 11:14:32.100411 x.y.115.226.53842 > 64.37.182.61.80: S 3135555284:3135555284(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> (DF)
> > 11:14:32.176738 64.37.182.61.80 > x.y.115.226.53842: S 2437399687:2437399687(0) ack 3135555285 win 8190 <mss 1452>
> > 11:14:32.177300 x.y.115.226.53842 > 64.37.182.61.80: . ack 1 win 17424 (DF)
> > 11:14:32.177661 x.y.115.226.53842 > 64.37.182.61.80: P 1:642(641) ack 1 win 17424 (DF)
> > 11:14:32.263894 64.37.182.61.80 > x.y.115.226.53842: P 1:636(635) ack 642 win 32767 (DF)
> > 11:14:32.266375 x.y.115.226.53842 > 64.37.182.61.80: P 642:1347(705) ack 636 win 16789 (DF)
> > 11:14:32.360790 64.37.182.61.80 > x.y.115.226.53842: P 636:2088(1452) ack 1347 win 8190 (DF)
> > 11:14:32.361099 64.37.182.61.80 > x.y.115.226.53842: P 3540:3773(233) ack 1347 win 8190
> >
> >
> > I don't get it. I haven't had much sleep, but what's missing here? The
> > hostname.if for the ral and pgt cards are identical.
> >
> >
> > For what it's worth, here's the output from pf debug loud during the session
> > when using the pgt card:
> >
> > Oct 31 12:05:46 meth /bsd: pf_map_addr: selected address x.y.101.219
> > Oct 31 12:05:47 meth /bsd: pf_normalize_ip: reass frag 21209 @ 0-24
> > Oct 31 12:05:47 meth /bsd: pf_normalize_ip: reass frag 21209 @ 24-1480
> > Oct 31 12:05:47 meth /bsd: pf_reassemble: 1480 < 1480?
> > Oct 31 12:05:47 meth /bsd: pf_reassemble: complete: 0xd6aeb100(1500)
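As an added check, not part of the original post and not pf's own code, here is a short Python script that pulls the MSS option out of tcpdump SYN lines like the ones in the captures above, flags every SYN or SYN/ACK whose MSS exceeds the value a "scrub ... max-mss" rule should be enforcing, and counts fragmented packets as the second symptom of an unclamped MSS on a PPPoE link. The sample lines reuse the values shown in the two captures above; the 1492-byte PPPoE MTU from which 1452 is derived is an assumption, stated again in the code.

```python
import re

# A TCP SYN line as printed by OpenBSD's tcpdump(8), e.g.
#   12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S 2341795589:2341795589(0) win 8192 <mss 1460,...> (DF)
# Hosts in the posted capture are anonymized ("x.y.101.219"), so the address
# fields are matched as any non-space run rather than as dotted quads.
SYN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+S\s+.*?<(?P<opts>[^>]*)>"
)
MSS_RE = re.compile(r"\bmss\s+(\d+)")


def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP segment that fits in one packet on a link with the given MTU.

    Assumption: IPv4 and TCP headers without options (20 bytes each). This is
    how the 1452 in "max-mss 1452" follows from a 1492-byte PPPoE MTU.
    """
    return mtu - ip_hdr - tcp_hdr


def parse_syn_mss(line):
    """Return (timestamp, src, dst, mss) for a SYN or SYN/ACK line carrying an
    MSS option, or None for any other line (pure ACKs, data segments, banners)."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    opt = MSS_RE.search(m.group("opts"))
    if not opt:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(opt.group(1))


def find_unclamped(lines, max_mss):
    """SYN records whose advertised MSS exceeds max_mss.

    After "scrub out on IF all max-mss N" every SYN seen on IF should carry
    mss <= N, so any record returned here is evidence the rule is not applied."""
    found = []
    for line in lines:
        rec = parse_syn_mss(line)
        if rec is not None and rec[3] > max_mss:
            found.append(rec)
    return found


def count_fragmented(lines):
    """Number of lines tcpdump marked as IP fragments ("(frag ...)").

    With a 1460-byte MSS left unclamped, 1500-byte packets do not fit a
    1492-byte PPPoE MTU and are fragmented in transit (assumed MTU)."""
    return sum(1 for line in lines if "(frag " in line)


# Sample input, reused from the two captures in the post above. The
# "[EMAIL PROTECTED]" token is how the list archive mangled the fragment
# offset; it is left as is because only the "(frag " prefix matters here.
PGT_CAPTURE = [
    "12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S 2341795589:2341795589(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)",
    "12:05:46.969268 64.37.182.61.80 > x.y.101.219.58561: S 3585146952:3585146952(0) ack 2341795590 win 8190 <mss 1460>",
    "12:05:46.970368 x.y.101.219.58561 > 64.37.182.61.80: . ack 1 win 17520 (DF)",
    "12:05:47.152153 64.37.182.61.80 > x.y.101.219.58561: P 2096:2100(4) ack 1347 win 8190 (frag 55634:[EMAIL PROTECTED])",
]
RAL_CAPTURE = [
    "11:14:32.100411 x.y.115.226.53842 > 64.37.182.61.80: S 3135555284:3135555284(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> (DF)",
    "11:14:32.176738 64.37.182.61.80 > x.y.115.226.53842: S 2437399687:2437399687(0) ack 3135555285 win 8190 <mss 1452>",
    "11:14:32.360790 64.37.182.61.80 > x.y.115.226.53842: P 636:2088(1452) ack 1347 win 8190 (DF)",
]

if __name__ == "__main__":
    limit = mss_for_mtu(1492)  # assumed PPPoE MTU
    for name, cap in (("pgt", PGT_CAPTURE), ("ral", RAL_CAPTURE)):
        bad = find_unclamped(cap, limit)
        frags = count_fragmented(cap)
        status = "OK" if not bad and frags == 0 else "NOT CLAMPED"
        print(f"{name}: max-mss {limit}, {len(bad)} SYN(s) above limit, "
              f"{frags} fragment(s): {status}")
        for ts, src, dst, mss in bad:
            print(f"  {ts} {src} > {dst} mss {mss}")
```

To use it on a live box, pipe "tcpdump -nli pppoe0 'tcp[13] & 2 != 0'" into the script instead of the embedded lists; a clean run should report zero SYNs above the limit and zero fragments, which is exactly what the ral capture shows and the pgt capture does not.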