Checksumming outgoing packets in PF vs in ip[6]_output

Kristof Provost kristof at sigsegv.be
Sun Nov 9 20:16:01 UTC 2014


On 2014-11-09 14:30:55 (+0100), Ilya Bakulin <ilya at bakulin.de> wrote:
> On 07.11.14, 14:31, Kristof Provost wrote:
> > I've been playing with it too. I have a patch which seems to be working,
> > but it currently drops the distinction between PFRULE_FRAGCROP and
> > PFRULE_FRAGDROP. OpenBSD dropped that a while ago, but I figured FreeBSD
> > wouldn't want user-visible changes.
> >
> > I've been meaning to look at that some more but ... ENOTIME.
> > It's tentatively planned as a project for Chaos Congress (end of
> > December), but no promises.
> >
> > If you like I can probably dig up the (non-clean) patches for you.
> >
> Yes, please do it, would be interesting to look at your code!
> 

You can find the patch series here:
http://www.sigsegv.be/files/pf_inet6_frag.tar
and everything in one big patch here:
http://www.sigsegv.be/files/pf_inet6_frag.patch

It's not cleaned up yet, or even extensively tested.
Basically the only testing that's been done is setting up a pf config to
drop all traffic except icmp echo requests, and then sending out
fragmented icmp echo requests. Without the patch those get dropped, with
the patch they make it through the firewall.
I've done some quick flood ping testing, so I'm reasonably confident it
doesn't leak mbufs.

I started from the OpenBSD work, and imported and adjusted their inet6
defragmentation patches.

Regards,
Kristof
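The test setup the message describes (a pf ruleset that drops everything except ICMP echo requests, then pinging with packets large enough to fragment) could look like the following pf.conf. This is an added illustration, not Kristof's configuration or part of the patch series; the interface name em0 is assumed.

```pf
# Added example, not from the thread. Assumed external interface: em0.
ext_if = "em0"

# Reassemble fragments before rule evaluation so pf sees whole packets.
# Without inet6 reassembly support in pf (what the patch adds), fragmented
# IPv6 echo requests never match the pass rule below and are dropped by
# "block all", which is the behaviour the test is meant to expose.
scrub in all fragment reassemble

# Default deny in both directions.
block all

# Allow only echo requests in; replies are matched by the state entry,
# and states are floating by default, so forwarding out another interface
# works without a separate pass-out rule.
pass in on $ext_if inet6 proto ipv6-icmp icmp6-type echoreq keep state
pass in on $ext_if inet  proto icmp      icmp-type  echoreq keep state
```

Sending echo requests larger than the path MTU (for example ping6 with a payload of a few kilobytes) produces the fragmented traffic the test relies on; with reassembly working they match the pass rule, otherwise they hit the default block.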

