broken ip checksum after frag reassemble of nfs READDIR?

Matthieu Michaud matthieu.michaud at epita.info
Tue Apr 11 22:56:52 UTC 2006


On Tue, 2006-04-04 at 16:57 +0200, Daniel Hartmeier wrote:
> It begins to look like OpenBSD does fix IP checksums on bridges outside
> of pf, while FreeBSD doesn't.
> 
> The weird thing is that I haven't found where exactly this happens. It's
> kind of a layer violation for bridge code to do that, but maybe it's
> somewhere else along the code path.
> 
> Instead of adding checksum fixup code again, I think it's better to take
> a step back and find out why the checksums are correct on OpenBSD. The
> previous fixes assumed the checksums would be wrong on OpenBSD as well,
> but they related to pf actions more subtle than basic fragment
> reassembly.

I noticed an NFS freeze which might be related to the same issue. The
setup is: one bridge with four interfaces (dc driver) + clients and
servers on dc1 and dc2. Bridge, client and server are running
6.0-RELEASE-p6 with pf. dc0 is my external interface where I apply
filtering. pf does not filter on the three others (set skip {dc1, dc2,
dc3}). ls -R /mnt from client to server on the same interface works
well, but if it goes through different interfaces it freezes after a few
entries. I changed the transport protocol from UDP to TCP and it fixed
it. Can it be related to UDP handling?

I have another question outside this topic. I read in the OpenBSD pf FAQ
that filtering on only one interface is highly recommended. Can you give
me more information about that?

-- 
Matthieu Michaud <matthieu.michaud at epita.info>
EPITA SRS 2007 - Adaptive Hacking


