reassembled packets and pfil

Matthew Luckie mjl at luckie.org.nz
Tue Apr 13 07:36:57 UTC 2010 

>> Is there any particular reason why reassembled packets were not
>> checked?  If the answer is no, I'll send in a PR.
>
> I think it was just a random decision -- either pass packets to
> the firewall before reassembly as we do, or after reassembly, as
> linux does. Both have pros and cons.
> Going through the firewall twice, however, is problematic because
> far too many things (counters, dummynet, etc.) expect to see each
> packet only once.

ok, thanks for letting me know.

> I think that a patch like the one you propose is very useful (for
> ipv4 as well) but it requires a sysctl or other mechanism to make
> sure that when it is enabled we don't pass fragments through the
> firewall.

i've looked further into this and I now wonder if is a byproduct of my 
use of ipfw.  the problem seems to be that offset will always be 
non-zero with any packet with a v6 fragment header, so a rule requiring 
offset to be zero is never run.  i'll spend a bit more time on this 
tomorrow, and come back with a patch for ipfw.

Note this code:

   offset = ((struct ip6_frag *)ulp)->ip6f_offlg & IP6F_OFF_MASK;
   /* Add IP6F_MORE_FRAG for offset of first
    * fragment to be != 0. */
   offset |= ((struct ip6_frag *)ulp)->ip6f_offlg & IP6F_MORE_FRAG;
   if (offset == 0) {
     printf("IPFW2: IPV6 - Invalid Fragment Header\n");
     if (fw_deny_unknown_exthdrs)
       return (IP_FW_DENY);
     break;
   }

This code seems to be incorrect, per rfc 2460:

    In response to an IPv6 packet that is sent to an IPv4 destination
    (i.e., a packet that undergoes translation from IPv6 to IPv4), the
    originating IPv6 node may receive an ICMP Packet Too Big message
    reporting a Next-Hop MTU less than 1280.  In that case, the IPv6 node
    is not required to reduce the size of subsequent packets to less than
    1280, but must include a Fragment header in those packets so that the
    IPv6-to-IPv4 translating router can obtain a suitable Identification
    value to use in resulting IPv4 fragments.  Note that this means the
    payload may have to be reduced to 1232 octets (1280 minus 40 for the
    IPv6 header and 8 for the Fragment header), and smaller still if
    additional extension headers are used.

A stack can send an IPv6 packet with a fragment header attached that 
does not have the MF bit set.  I'm 90% sure that FreeBSD itself will do 
this when it receives a PTB with an MTU value of (say) 1000.

Matthew

More information about the freebsd-net mailing list