[Bug 197648] ipfw reass ineffective after upgrade to 10.1
bugzilla-noreply at freebsd.org
Sat Feb 14 17:32:21 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197648
Bug ID: 197648
Summary: ipfw reass ineffective after upgrade to 10.1
Product: Base System
Version: 10.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: bsd at rdls.net
Just upgraded a bridging firewall from 10.0 to 10.1-RELEASE-p5. The first rule
is:
reass all from any to any in
The only time I receive fragmented UDP packets is when my DNS server attempts
to resolve www.freebsd.org, as it returns large UDP packets which are
fragmented over my broadband connection:
17:09:54.182826 IP 81.5.134.122.49514 > 63.243.194.1.53: 36047 [1au] A? wfe0.ysv.freebsd.org. (49)
17:09:54.202100 IP 63.243.194.1.53 > 81.5.134.122.49514: 36047*- 2/4/11 A 8.8.178.110, RRSIG (1424)
I added the reass rule in 10.0 and it's been working perfectly. I upgraded to
10.1-RELEASE-p5 and everything else works as expected except that
www.freebsd.org does not resolve.
I added:
allow ip from any to any frag
...just after the check-state rule, and that fixed the problem (but only after
the reass rule was first deleted).
It seems that the reass rule is absorbing fragments but not passing them
perhaps. This bridging firewall only sees IPv4 traffic. Tcpdump shows the
response packet on the external interface and the bridge interface, but not the
internal interface.
A sanitised version of the rules is here:
http://rdls.net/dl/bridge/rc.firewall.local
uname -a:
FreeBSD motoko.rdls.net 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27
08:55:07 UTC 2015
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
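The workaround described in the report, laid out as an added example ruleset (not the reporter's rc.firewall.local, which is only linked above): the reass rule is left out and non-first fragments are passed explicitly right after check-state. Interface names, rule numbers and the surrounding rules are assumptions; the script falls back to echoing the ipfw commands when ipfw is not installed.

```shell
#!/bin/sh
# Added example, not the reporter's script. Interface names are hypothetical.
ext_if="em0"   # assumed external (broadband) interface
int_if="em1"   # assumed internal interface

# Dry-run when ipfw is absent, so the rule order can be reviewed on any host.
if command -v ipfw >/dev/null 2>&1; then fwcmd="ipfw -q"; else fwcmd="echo ipfw -q"; fi

# Rule list in order. On 10.1-RELEASE-p5 the reporter saw the fragmented DNS
# reply stop between bridge0 and the inside interface while "reass" was the
# first rule; the workaround drops reass and allows fragments after check-state.
# "frag" matches only non-first fragments, which carry no UDP header, so the
# stateful DNS rule below cannot see them; the first fragment still has to pass
# check-state. The trade-off: non-first fragments are accepted unconditionally.
bridge_rules() {
    cat <<EOF
add 100 check-state
add 110 allow ip from any to any frag
add 200 allow udp from any to any 53 out via $ext_if keep-state
add 210 allow icmp from any to any
add 65000 deny log ip from any to any
EOF
}

# Flush and load the rules (or print them in dry-run mode).
apply_rules() {
    $fwcmd flush
    bridge_rules | while read -r rule; do $fwcmd $rule; done
}

# Sanity check on ordering: the frag allow must come after check-state,
# matching where the reporter inserted it.
frag_after_check_state() {
    cs=$(bridge_rules | grep -n 'check-state' | cut -d: -f1)
    fr=$(bridge_rules | grep -n ' frag$' | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$fr" ] && [ "$fr" -gt "$cs" ]
}

# Verification on the firewall itself: non-first fragments (fragment offset
# field non-zero) should now appear on the internal interface as well as on
# $ext_if and bridge0:
#   tcpdump -ni $int_if 'ip[6:2] & 0x1fff != 0'
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```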