FreeBSD bridge + filtering, BIG problem

Max Laier max at love2party.net
Mon Dec 6 06:23:16 PST 2004 

On Monday 06 December 2004 03:47, Pyun YongHyeon wrote:
> On Sun, Dec 05, 2004 at 07:17:05PM -0500, Josh Kayse wrote:
>
> [...]
>
>  > I managed to get your patch to apply to FreeBSD RELENG_5.
>  >
>  > I have a question about the bridge_fragment function though.  Would
>  > this prevent packets from linux NFS clients from working, the
>  > fragmented ones with the DF flag set?  Thanks for any information.
>
> I guess this has nothing to do with bridge. AFAIK, linux is known
> to generate fragmented packets with DF bit set. Normally, scrub
> rule of pf drops the fragmented packet that was told not to
> framgent(i.e. DF bit set)
> You may need an additional option "no-df" to pass the packet in
> scrub rule.
>
>  > I'll post the patch later if anyone wants it.  It hasn't been
>
> Great! I believe, your patch would be quite useful to FreeBSD
> pf/ipf users.
>
>  > thoroughly tested but is currently running on a bridge setup in my
>  > test lab with my work machine behind it.
>
> One note, don't be fooled by "netstat -m" output after patching your
> system. Its statistics were broken on 5.3R. For instance, on my P3 SMP:
>
> 19926 mbufs in use
> 4294938777/19136 mbuf clusters in use (current/max)
> ^^^^^^^^^^^^^^^^
> 0/4/5040 sfbufs in use (current/peak/max)
> 4142247 KBytes allocated to network
> ^^^^^^^^^^^^^^
> 0 requests for sfbufs denied
> 0 requests for sfbufs delayed
> 0 requests for I/O initiated by sendfile
> 270 calls to protocol drain routines

$vmstat -z | grep -i mbuf

Has atomic counters that should[tm] be correct. So double-check with that 
command.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20041206/25064bef/attachment.bin

More information about the freebsd-pf mailing list