rdr rule does not work (bad hdr length)

Matthias Kellermann mk at adminlife.net
Tue Nov 4 01:52:11 PST 2008


Jeremy Chadwick wrote:
> On Tue, Nov 04, 2008 at 10:15:26AM +0100, Matthias Kellermann wrote:
>> # tcpdump -netttvvi pflog0
>> 000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 26668,
>> offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.54460 >
>> 192.168.0.10.23: [|tcp]
>> 000266 rule 0/0(match): pass out on sis0: (tos 0x10, ttl 64, id 25527,
>> offset 0, flags [DF], proto TCP (6), length 44) 192.168.0.51.54460 >
>> 192.168.0.10.23:  tcp 24 [bad hdr length 0 - too short, < 20]
>>
>> Anybody has an idea whats wrong here?
> 
> This is not a pf problem.  tcpdump's snaplen defaults to 56 bytes, which
> is too small when reading from pflog.  Use the -s flag to increase the
> snaplen to 256 bytes, for example.  
> 

Thanks Jeremy. Did that. This is the output of tcdump after increasing
the snaplen to 256 bytes:

# tcpdump -s 256 -netttvvi pflog0
000000 rule 0/0(match): pass in on sis0: (tos 0x10, ttl 64, id 23993,
offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.51.43758 >
192.168.0.10.23: S, cksum 0xeb13 (correct), 3072328535:3072328535(0) win
5840 <mss 1460,sackOK,timestamp 2383598 0,nop,wscale 6>
000319 rule 0/0(match): pass out on sis0: (tos 0x10, ttl 64, id 22314,
offset 0, flags [DF], proto TCP (6), length 44) 192.168.0.51.43758 >
192.168.0.10.23: S, cksum 0x4553 (correct), 108273612:108273612(0) win 0
<mss 1460>

I still have no clue whats going wrong here.

Regards,
Matthias


More information about the freebsd-pf mailing list