FreeBSD bridge + filtering, BIG problem
Pyun YongHyeon
yongari at kt-is.co.kr
Sun Dec 5 18:47:05 PST 2004
On Sun, Dec 05, 2004 at 07:17:05PM -0500, Josh Kayse wrote:
[...]
>
> I managed to get your patch to apply to FreeBSD RELENG_5.
>
> I have a question about the bridge_fragment function though. Would
> this prevent packets from linux NFS clients from working, the
> fragmented ones with the DF flag set? Thanks for any information.
>
I guess this has nothing to do with bridge. AFAIK, Linux is known
to generate fragmented packets with the DF bit set. Normally, the scrub
rule of pf drops a fragmented packet that was told not to
fragment (i.e. DF bit set).
You may need the additional option "no-df" in the scrub rule to pass
the packet.
> I'll post the patch later if anyone wants it. It hasn't been
Great! I believe, your patch would be quite useful to FreeBSD
pf/ipf users.
> thoroughly tested but is currently running on a bridge setup in my
> test lab with my work machine behind it.
>
One note, don't be fooled by "netstat -m" output after patching your
system. Its statistics were broken on 5.3R. For instance, on my P3 SMP:
19926 mbufs in use
4294938777/19136 mbuf clusters in use (current/max)
^^^^^^^^^^^^^^^^
0/4/5040 sfbufs in use (current/peak/max)
4142247 KBytes allocated to network
^^^^^^^^^^^^^^
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
270 calls to protocol drain routines
> -josh
>
> --
> Joshua Kayse
> Computer Engineering
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari at freebsd.org
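The scrub change suggested in the message above, written out as an added pf.conf fragment. This is example configuration, not part of the original post or of Josh's patch; the pairing with random-id is my assumption, taken from the no-df description in pf.conf(5), and the rule is deliberately left without an interface name so it fits a bridge setup as well as a router.

```pf
# Added example, not from the original post.

# A plain scrub rule reassembles fragments, but pf drops fragments that
# carry the DF bit, which is what Linux NFS clients send. The NFS mount
# then stalls even though the bridge itself is passing traffic.
#scrub in all fragment reassemble

# no-df clears the DF bit so those fragments are reassembled and passed.
# random-id is added on the assumption (per pf.conf(5)) that some OSes send
# DF packets with a zero IP ID; with DF cleared, an upstream router might
# later fragment them, and a fresh ID avoids reassembly collisions.
scrub in all no-df random-id fragment reassemble
```

Check the file parses before loading it: `pfctl -nf /etc/pf.conf`, then `pfctl -f /etc/pf.conf`. Whether the NFS fragments are now passing or still being dropped shows up in `pfctl -s info` under the scrub/fragment counters.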