pf and fragmented packets
Olivier Cochard-Labbé
olivier at cochard.me
Wed Jan 8 19:49:11 UTC 2014
On Sat, Dec 28, 2013 at 9:39 AM, Rui Paulo <rpaulo at freebsd.org> wrote:
>
> The second problem happens with large UDP packets. If I change the rule
> "scrub on $ext_if all fragment reassemble" to "scrub on $ext_if all
> reassemble tcp fragment reassemble", I can see the UDP packets going out
> correctly translated, but if I send a large UDP packet (> MTU), pf sends
> the reassembled packet as a large packet which exceeds the MTU.
>
Hi,
I've managed to reproduce this problem on 10.0-RC5, but only using pf in
"transparent mode" (on a bridge) in a VirtualBox lab:
VM1 ===== VM2(pf,scrub,bridge) ===== VM3
** VM2 configuration **
/etc/rc.conf:
ifconfig_em1="up"
ifconfig_em2="up"
pf_enable="yes"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"
/etc/pf.conf:
set skip on lo0
scrub (automatically converted to "scrub all fragment reassemble")
pass (automatically converted to "pass all flags S/SA keep state")
** VM1 configuration **
/etc/rc.conf:
ifconfig_em1="inet 10.0.23.2/24"
** VM3 configuration **
/etc/rc.conf:
ifconfig_em2="inet 10.0.23.4/24"
Now, from VM1, I generate fragmented UDP traffic toward VM3 with netblast:
netblast 10.0.23.4 9090 1800 1
And when I run tcpdump on VM2 (firewall), the capture on the ingress interface is correct:
20:44:09.150865 IP (tos 0x0, ttl 64, id 36516, offset 0, flags [+], proto
UDP (17), length 1500)
10.0.23.2.15187 > 10.0.23.4.9090: UDP, length 1800
20:44:09.150936 IP (tos 0x0, ttl 64, id 36516, offset 1480, flags [none],
proto UDP (17), length 348)
10.0.23.2 > 10.0.23.4: ip-proto-17
But on the egress interface of VM2(firewall) there is a problem:
20:45:26.591384 20:00:40:11:68:be > 45:00:05:dc:aa:4d, ethertype Unknown
(0x0a00), length 1500:
0x0000: 1702 0a00 1704 28cf 2382 0710 6373 0000 ......(.#...cs..
0x0010: 0004 0000 0000 0000 0000 0000 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
(etc...)
20:45:26.591403 00:b9:40:11:8c:85 > 45:00:01:5c:aa:4d, ethertype Unknown
(0x0a00), length 348:
0x0000: 1702 0a00 1704 0000 0000 0000 0000 0000 ................
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
(etc...)
Regards,
Olivier
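Added example (not part of the thread): decoding the leading bytes of the two egress frames exactly as tcpdump printed them. Read back to back, the bytes tcpdump showed as destination MAC, source MAC and ethertype form a valid IPv4 header (version 4, total length 1500 and 348, fragment offset 0 and 1480, header checksum correct, 10.0.23.2 > 10.0.23.4), so the refragmented packets left the bridge without a 14-byte Ethernet header in front of them. The byte strings are transcribed from the post's dump; the function names are mine.

```python
import struct
from typing import Optional
from ipaddress import IPv4Address

# Leading 20 bytes of the two egress frames from the post's tcpdump output,
# reassembled in on-wire order: the 6 bytes tcpdump printed as the destination
# MAC, the 6 it printed as the source MAC, the 2-byte "ethertype", then the
# first hex-dump bytes (tcpdump prints "src > dst"; dst comes first on the wire).
EGRESS_FRAG1 = bytes.fromhex("450005dcaa4d" "2000401168be" "0a00" "17020a001704")
EGRESS_FRAG2 = bytes.fromhex("4500015caa4d" "00b940118c85" "0a00" "17020a001704")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_as_ipv4(frame: bytes) -> Optional[dict]:
    """Read the first 20 bytes of a captured frame as an IPv4 header.

    Returns the decoded fields only if version, IHL and header checksum are all
    consistent; a genuine Ethernet header is very unlikely to pass all three, so
    a hit means the frame starts with an IP header and has no link-layer header.
    """
    if len(frame) < 20:
        return None
    (vihl, _tos, total_len, ident, flags_off, ttl, proto, cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if vihl >> 4 != 4 or (vihl & 0x0F) * 4 != 20:
        return None
    if ipv4_checksum(frame[:20]) != cksum:
        return None
    return {
        "total_len": total_len,
        "id": ident,
        "more_fragments": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


if __name__ == "__main__":
    for frag in (EGRESS_FRAG1, EGRESS_FRAG2):
        print(decode_as_ipv4(frag))
```

Both fragments decode with the same new IP ID (0xaa4d, not the ingress 36516), which is consistent with pf having reassembled the datagram and refragmented it before handing it to the bridge.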