udp fragmentation
Hugo Koji Kobayashi
koji at registro.br
Mon Jun 4 19:44:32 UTC 2007
Hi Max,
pf is running on the DNS client machine. The DNS server is on a
completely different network (I don't control this server). The client
can send the udp request with no problem (it's a small udp datagram;
less than 512 bytes), the server sends the udp response fragmented,
but the client can't receive it.
Please, find attached a new test with the requested information.
Regards,
Hugo
On Sat, Jun 02, 2007 at 05:04:52PM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Thursday 31 May 2007, Hugo Koji Kobayashi wrote:
> > Please find attached the tests results after enabling extended
> > logging.
> >
> > I've done the test twice, changing dig's "+bufsize" parameter.
>
> looking at your log file, it seems that the packet traverses pf alright:
>
> > ---- Console begin
> > pf_normalize_ip: reass frag 11881 @ 0-1480
> > pf_normalize_ip: reass frag 11881 @ 1480-2960
> > pf_normalize_ip: reass frag 11881 @ 2960-4094
> > pf_reassemble: 4094 < 4094?
> > pf_reassemble: complete: 0xc4338000(4114)
> > ---- Console end
> >
> > fbsd7# date ; pfctl -si
> > Tue May 8 04:15:24 BRT 2007
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > Status: Enabled for 0 days 00:05:27 Debug: Misc
> >
> > Hostid: 0xfd3ea603
> >
> > State Table Total Rate
> > current entries 3
> > searches 405 1.2/s
> > inserts 40 0.1/s
> > removals 37 0.1/s
> > Counters
> > match 40 0.1/s
> > bad-offset 0 0.0/s
> > fragment 0 0.0/s
> > short 0 0.0/s
> > normalize 0 0.0/s
> > memory 0 0.0/s
> > bad-timestamp 0 0.0/s
> > congestion 0 0.0/s
> > ip-option 0 0.0/s
> > proto-cksum 0 0.0/s
> > state-mismatch 0 0.0/s
> > state-insert 0 0.0/s
> > state-limit 0 0.0/s
> > src-limit 0 0.0/s
> > synproxy 0 0.0/s
>
> So the culprit should be somewhere up the stack, i.e. FreeBSD chokes on
> the already reassembled packet. Could you also provide netstat -ssp udp
> and netstat -ssp ip from before and after your test to get an idea where
> the packet is lost? To make sure I understand your setup correctly: pf
> is running on the DNS server i.e. the destination address of the datagram
> is a local address?
>
> --
> /"\ Best regards, | mlaier at freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier at EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
fbsd7# date ; pfctl -si
Tue May 8 07:59:57 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:01 Debug: Misc
Hostid: 0xfd3ea603
State Table Total Rate
current entries 5
searches 975 0.6/s
inserts 42 0.0/s
removals 37 0.0/s
Counters
match 42 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
fbsd7# date ; pfctl -xm
Tue May 8 08:00:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'
fbsd7# date ; pfctl -si
Tue May 8 08:00:03 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:07 Debug: Misc
Hostid: 0xfd3ea603
State Table Total Rate
current entries 5
searches 989 0.7/s
inserts 42 0.0/s
removals 37 0.0/s
Counters
match 42 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
fbsd7# date; netstat -ssp udp
Tue May 8 08:00:06 BRT 2007
udp:
36 datagrams received
2 with bad checksum
34 delivered
40 datagrams output
fbsd7# date; netstat -ssp ip
Tue May 8 08:00:09 BRT 2007
ip:
521 total packets received
514 packets for this host
489 packets sent from this host
fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
---- Console begin
pf_normalize_ip: reass frag 43470 @ 0-1480
pf_normalize_ip: reass frag 43470 @ 1480-2960
pf_normalize_ip: reass frag 43470 @ 2960-4094
pf_reassemble: 4096 < 4096?
pf_reassemble: complete: 0x433bb00(4116)
---- Console end
fbsd7# date; netstat -ssp udp
Tue May 8 08:00:19 BRT 2007
udp:
36 datagrams received
3 with bad checksum
33 delivered
41 datagrams output
fbsd7# date; netstat -ssp ip
Tue May 8 08:00:24 BRT 2007
ip:
533 total packets received
523 packets for this host
501 packets sent from this host
fbsd7# date ; pfctl -si
Tue May 8 08:00:27 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:31 Debug: Misc
Hostid: 0xfd3ea603
State Table Total Rate
current entries 5
searches 1031 0.7/s
inserts 43 0.0/s
removals 38 0.0/s
Counters
match 43 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
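As an added example (not code from this thread, from pf or from FreeBSD), a small Python script that applies the two checks Max's reply asks for to output shaped like Hugo's attachment: it confirms from the pf debug lines that the fragments were reassembled into one contiguous datagram, and it diffs the `netstat -ssp udp` counters taken before and after the `dig` to see which counter absorbed the response. The sample text inside the script is constructed from the quoted output; the 20-byte IP header (no options) and the `NON_DROP` set of non-drop counters are my assumptions.

```python
"""Added example (not from the thread, pf or FreeBSD): the two checks Max's
reply asks for, run over constructed samples shaped like the quoted output."""
import re

# Constructed from the pf console lines quoted in the thread.
PF_LOG = """pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: complete: 0xc4338000(4114)"""
# Constructed netstat -ssp udp snapshots taken before / after the dig.
BEFORE_UDP = "udp:\n 36 datagrams received\n 2 with bad checksum\n 34 delivered\n 40 datagrams output\n"
AFTER_UDP = "udp:\n 36 datagrams received\n 3 with bad checksum\n 33 delivered\n 41 datagrams output\n"
NON_DROP = {"datagrams received", "datagrams output", "delivered"}  # assumption

def check_reassembly(log, ip_hdr_len=20):
    """Return (ip_id, payload_len) when the fragments tile 0..end with no gap or
    overlap and the completed length is payload + IP header (assumed 20 bytes,
    no options); raise ValueError otherwise."""
    frags = [(int(i), int(a), int(b)) for i, a, b in
             re.findall(r"reass frag (\d+) @ (\d+)-(\d+)", log)]
    total = int(re.search(r"complete: 0x[0-9a-f]+\((\d+)\)", log).group(1))
    ids = {f[0] for f in frags}
    if len(ids) != 1:
        raise ValueError("fragments from more than one IP id: %s" % ids)
    expect = 0
    for _, start, end in sorted(frags, key=lambda f: f[1]):
        if start != expect:
            raise ValueError("gap or overlap at offset %d" % start)
        expect = end
    if total != expect + ip_hdr_len:
        raise ValueError("completed %d != %d" % (total, expect + ip_hdr_len))
    return ids.pop(), expect

def parse_netstat(text):
    """Map each '<count> <description>' line to {description: count}."""
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"^\s*(\d+)\s+(.+?)\s*$", text, re.M)}

def udp_deltas(before, after):
    """Counters that moved between the two snapshots (after minus before)."""
    b, a = parse_netstat(before), parse_netstat(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] != b.get(k, 0)}

def locate_udp_drop(before, after):
    """Drop counters that rose while nothing new was delivered; [] otherwise."""
    d = udp_deltas(before, after)
    if d.get("delivered", 0) > 0:
        return []          # the response reached a socket; look elsewhere
    return sorted(k for k, v in d.items() if v > 0 and k not in NON_DROP)
```

On the attached snapshots `locate_udp_drop` returns `["with bad checksum"]`: pf completed the reassembly, and the 4096-byte datagram was then discarded by the UDP layer of the client, so that is the counter to watch in further tests.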