[Bug 197648] ipfw reass ineffective after upgrade to 10.1

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Feb 14 17:32:21 UTC 2015


            Bug ID: 197648
           Summary: ipfw reass ineffective after upgrade to 10.1
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: bsd at rdls.net

Just upgraded a bridging firewall from 10.0 to 10.1-RELEASE-p5. The first rule is:
 reass all from any to any in

The only time I receive fragmented UDP packets is when my DNS server attempts
to resolve www.freebsd.org, as it returns large UDP packets which are
fragmented over my broadband connection:

17:09:54.182826 IP > 36047 [1au] A?
wfe0.ysv.freebsd.org. (49)
17:09:54.202100 IP > 36047*- 2/4/11 A, RRSIG (1424)

I added the reass rule in 10.0 and it's been working perfectly. I upgraded to
10.1-RELEASE-p5 and everything else works as expected except that
www.freebsd.org does not resolve.

I added:
 allow ip from any to any frag

...just after the check-state rule, and that fixed the problem (but only after
the reass rule was first deleted).

It seems that the reass rule is absorbing fragments but not passing them
perhaps. This bridging firewall only sees IPv4 traffic. Tcpdump shows the
response packet on the external interface and the bridge interface, but not the
internal interface.

A sanitised version of the rules is here:

uname -a:
 FreeBSD motoko.rdls.net 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
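The workaround the report describes, written out as an added illustration in the style of a FreeBSD firewall_script fragment (this is not the reporter's ruleset and not part of the bug report): the `reass` rule is left out, `check-state` comes first, and `allow ip from any to any frag` follows it directly so non-first fragments are passed before the stateful rules see them. Rule numbers, the interface names and the dry-run switch are assumptions made for the example; the `rule_number_of` helper exists only so the ordering can be checked without loading anything into the kernel.

```shell
#!/bin/sh
# Added example, not from the bug report: the rule ordering the reporter
# found working on 10.1-RELEASE-p5 (reass removed, allow-frag right after
# check-state). Rule numbers and interface names are assumptions.
# Set IPFW_DRY_RUN=1 to print the ipfw commands instead of running them.

fwcmd="/sbin/ipfw -q"

# Either prints the rule (dry run) or hands it to ipfw.
run_rule() {
    if [ -n "${IPFW_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        $fwcmd "$@"
    fi
}

load_rules() {
    # reass all from any to any in   -- removed; with it present the frag
    #                                    rule below did not help (bug 197648)
    run_rule add 200 check-state
    # Non-first fragments carry no L4 header, so pass them explicitly
    # before any rule that needs ports or dynamic state.
    run_rule add 210 allow ip from any to any frag
    # Assumed stateful DNS rule standing in for the rest of the ruleset.
    run_rule add 300 allow udp from any to any 53 keep-state
    run_rule add 65000 deny ip from any to any
}

# Helper for checking the ordering: prints the rule number of the first
# rule whose text matches the awk pattern given as $1 (dry run only).
rule_number_of() {
    ( IPFW_DRY_RUN=1; load_rules ) | awk -v pat="$1" '$0 ~ pat { print $2; exit }'
}

# Dry-run listing when executed directly, e.g.:  IPFW_DRY_RUN=1 sh rules.sh
if [ -n "${IPFW_DRY_RUN:-}" ]; then
    load_rules
fi
```

Running it with `IPFW_DRY_RUN=1` lists the rules in the order they would be loaded; without the variable it needs root and a kernel with ipfw, as any firewall_script does.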
