kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge
Adam McDougall
mcdouga9 at egr.msu.edu
Sat Feb 25 19:20:05 PST 2006
>Number: 93849
>Category: kern
>Synopsis: pf no-df breaks IP checksum of all tcp traffic through if_bridge
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 26 03:20:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Adam McDougall
>Release: FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006
>Organization:
>Environment:
FreeBSD fw1 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006 user at fw1:/usr/obj/usr/src/sys/TYAN_GS12 i386
>Description:
I have set up if_bridge and pf on a server with dual em interfaces
running FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006.

rc.conf relevant items: (The IPs are just for temporary management from
either side of the firewall as needed)

ifconfig_em0="inet 10.0.0.80 netmask 0xffffff00"
ifconfig_em0_alias0="inet 35.9.44.100 netmask 0xffffff00"
ifconfig_em1="inet 10.0.1.80 netmask 0xffffff00"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"

I have narrowed my ruleset down to a simple config for testing:

ext_if="em0"
int_if="em1"
scrub in on $ext_if no-df
pass in all
pass out all
pass quick on lo0

# pfctl -Rf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled

# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in on em0 all no-df fragment reassemble
pass in all
pass out all
pass quick on lo0 all
Whenever I have no-df in the scrub line, the bridging firewall still
passes my ssh SYN packet to the host behind the firewall, but the
receiving host discards it due to a bad IP checksum (I believe).
Using tcpdump on em0 and em1 on the firewall, I see the packet come in
with DF set and leave with DF unset; however, the IP checksum is reported
bad on the em1 side according to ethereal. I verified that the IP checksum
was unmodified between em0 and em1. I also tried ifconfig -rxcsum -txcsum
on both nics, but no improvement in behavior. Running tcpdump on the
receiving host shows the SYN packet, but trying to use -w to save it
to a file results in no packets captured. All systems involved are FreeBSD
so far, and the symptoms persist going both directions across the bridge.
ping still works.

I am trying to get no-df to work because documentation indicates it is
needed to pass NFS, which will be a requirement for me. I didn't get
very far with attempting to exclude just NFS traffic from being scrubbed,
but it seems to be that a firewall munging packets ought to produce ones
with valid checksums. Please let me know if I need to provide more information
or what else I can do to debug this further.
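Added illustration, not part of the PR: a small C program that builds a constructed IPv4 header, clears DF the way the report observes it (checksum left untouched) and shows the header no longer verifies, then applies the incremental checksum update from RFC 1624 that a packet-modifying firewall should perform. The header bytes, addresses and function names are constructed for this example and do not come from the reporter's setup.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IP_DF 0x4000  /* Don't Fragment bit in the flags/fragment-offset word */

/* RFC 1071 one's-complement sum over the header bytes; returns the checksum value. */
static uint16_t ip_cksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* A header verifies when summing it with the checksum field in place yields 0. */
int ip_hdr_valid(const uint8_t *hdr) { return ip_cksum(hdr, 20) == 0; }

/* Constructed 20-byte IPv4 header (not from the PR): TCP, DF set, 10.0.0.1 -> 10.0.1.1. */
void make_hdr(uint8_t *h) {
    static const uint8_t tmpl[20] = { 0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00,
                                      0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 1, 1 };
    memcpy(h, tmpl, 20);
    uint16_t c = ip_cksum(h, 20);
    h[10] = c >> 8; h[11] = c & 0xff;
}

/* What the PR observes: DF cleared, checksum left as-is, so the header stops verifying. */
void clear_df_no_fixup(uint8_t *h) { h[6] &= ~(IP_DF >> 8); }

/* What a packet-modifying firewall should do: clear DF and patch the checksum
   incrementally, HC' = ~(~HC + ~m + m') from RFC 1624, instead of leaving it stale. */
void clear_df_fixup(uint8_t *h) {
    uint16_t old = ((uint16_t)h[6] << 8) | h[7], newv = old & ~IP_DF;
    uint16_t ck = ((uint16_t)h[10] << 8) | h[11];
    uint32_t sum = (uint32_t)(uint16_t)~ck + (uint16_t)~old + newv;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    ck = (uint16_t)~sum;
    h[6] = newv >> 8; h[7] = newv & 0xff;
    h[10] = ck >> 8; h[11] = ck & 0xff;
}

/* Returns 1 if the header still verifies after DF is cleared (with or without fixup). */
int valid_after_df_clear(int fixup) {
    uint8_t h[20];
    make_hdr(h);
    if (fixup) clear_df_fixup(h); else clear_df_no_fixup(h);
    return (h[6] & (IP_DF >> 8)) == 0 && ip_hdr_valid(h);
}
```

The same verification step (`ip_hdr_valid` over the 20 header bytes) is what the receiving host's IP input path performs before handing the segment to TCP, which is why the stale checksum makes the SYN vanish silently.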
>How-To-Repeat:
Set up an if_bridge between two interfaces on FreeBSD, add a scrub no-df rule in pf, and witness the resulting tcp packets get dropped by the receiving host kernel.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: