Yeah back in the day the fragment reassembly code was not there yet, so there 
is a choice either to drop all the fragments on the floor, or rely on the 
receiving TCP stack to drop the non-initial fragments, like IOS did. There is a 
knob that allows you to choose the behavior between the two by flipping the 
value of l4_match_nonfirst_fragment.

Though we should not create a session for the non-initial fragments, since 
there is no full 5-tuple, do you think you might put together a make test 
testcase so we can ensure it is behaving properly?

I am now working on porting the TupleMerge approach that Valerio Bruschi did. 
There the fragments will be going into a separate code path, and it might be 
possible to add an option for reassembly then.

--a

> On 8 May 2018, at 11:02, emma sdi <s3m2e1.6s...@gmail.com> wrote:
> 
> Dear vpp folks
> 
> I have a simple topology and a permit+reflect rule for UDP on
> destination port 1000 as pasted in this link.
> I send a big file from 172.20.1.2 to 172.20.1.1 port 1001 with
> nc and I receive some packets (non-first fragments) on the second
> client (172.20.1.1).
> 
> Following are the commands I used in this scenario.
> Client 172.20.1.2 >  cat /dev/sda | nc -u 172.20.1.1 1001
> 
> Client 172.20.1.1> tcpdump -nn -i eth1 
> 01:13:38.164466 IP 172.20.1.2 > 172.20.1.1: ip-proto-17
> 01:13:38.164467 IP 172.20.1.2 > 172.20.1.1: ip-proto-17
> 01:13:38.164468 IP 172.20.1.2 > 172.20.1.1: ip-proto-17
> 01:13:38.164469 IP 172.20.1.2 > 172.20.1.1: ip-proto-17
> 
> Output of 'show trace' is stored in this link. The first packet matched
> acl 1 and was dropped, but the second fragment of that packet matched
> acl 0 and a session was created for it. So I dug more into the
> source code, and I found this block in the hash_acl_add function:
> 
>   if (am->l4_match_nonfirst_fragment) {
>     /* add the second rule which matches the noninitial fragments with the respective mask */
>     make_mask_and_match_from_rule(&mask, &a->rules[i], &ace_info, 1);
>     ace_info.mask_type_index = assign_mask_type_index(am, &mask);
>     ace_info.match.pkt.mask_type_index_lsb = ace_info.mask_type_index;
>     DBG("ACE: %d (non-initial frags) mask_type_index: %d", i, ace_info.mask_type_index);
>     /* Ensure a given index is set in the mask type index bitmap for this ACL */
>     ha->mask_type_index_bitmap = clib_bitmap_set(ha->mask_type_index_bitmap, ace_info.mask_type_index, 1);
>     vec_add1(ha->rules, ace_info);
>   }
> 
> We make a 3-tuple rule for non-first-fragment packets; this code solved
> the IP fragment problem in a simple but inaccurate way. I think we
> need a buffer for fragments like netfilter conntrack.
> 
> Regards,
> Khers 
> 
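As an added illustration of the two entries the quoted hash_acl_add block produces (my own simplified model, not VPP code; rule_t, classify, mk_pkt and verdict_for are hypothetical names, and the packets are constructed, not captured), this C snippet shows why a non-initial fragment can only be matched on the 3-tuple and how l4_match_nonfirst_fragment selects between permitting it and dropping it:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of one permit rule: proto plus 5-tuple with a single dport
 * (hypothetical struct, not VPP's hash_acl types). */
typedef struct { uint32_t src, dst; uint8_t proto; uint16_t dport; } rule_t;
enum { VERDICT_DROP = 0, VERDICT_PERMIT = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Emulates the two hash-ACL entries derived from r: a 5-tuple entry for first or
 * unfragmented packets and, only if the knob is set, a 3-tuple entry for the rest. */
int classify(const uint8_t *pkt, size_t len, const rule_t *r, int l4_match_nonfirst_fragment)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (rd32(pkt + 12) != r->src || rd32(pkt + 16) != r->dst || pkt[9] != r->proto)
        return VERDICT_DROP;                  /* not even the 3-tuple matches */
    if (rd16(pkt + 6) & 0x1fff) {             /* fragment offset != 0 */
        /* Non-initial fragment: no L4 header, so ports cannot be checked. The
         * 3-tuple entry permits it blindly; with the knob off it is dropped. */
        return l4_match_nonfirst_fragment ? VERDICT_PERMIT : VERDICT_DROP;
    }
    if (len < ihl + 4) return VERDICT_DROP;   /* truncated L4 header */
    return rd16(pkt + ihl + 2) == r->dport ? VERDICT_PERMIT : VERDICT_DROP;
}

/* Constructed 172.20.1.2 -> 172.20.1.1 proto 17 packet: offset 0 carries a UDP
 * header with the given dport, any other offset carries payload only. */
static size_t mk_pkt(uint8_t *buf, uint16_t frag_field, uint16_t dport)
{
    static const uint8_t hdr[20] = { 0x45, 0, 0, 28, 0x12, 0x34, 0, 0, 64, 17, 0, 0,
                                     172, 20, 1, 2, 172, 20, 1, 1 };
    memcpy(buf, hdr, 20);
    memset(buf + 20, 0xaa, 8);                /* 8 bytes of dummy payload */
    buf[6] = (uint8_t)(frag_field >> 8); buf[7] = (uint8_t)frag_field;
    if ((frag_field & 0x1fff) == 0) { buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport; }
    return 28;
}

/* Build and classify against the thread's rule "permit udp dport 1000". */
int verdict_for(uint16_t frag_field, uint16_t dport, int l4_match_nonfirst_fragment)
{
    static const rule_t permit_udp_1000 = { 0xac140102u, 0xac140101u, 17, 1000 };
    uint8_t b[28];
    return classify(b, mk_pkt(b, frag_field, dport), &permit_udp_1000, l4_match_nonfirst_fragment);
}
```

verdict_for(0x2000, 1001, 1) returns 0 for the first fragment to port 1001 (MF set, offset 0), while verdict_for(0x0001, 0, 1) returns 1 for a non-initial fragment of the same flow, which is the session the trace showed; with the knob off the same fragment returns 0.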
