PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)
Ilya Bakulin
ilya at bakulin.de
Thu Dec 18 10:29:03 UTC 2014
On 2014-11-09 21:15, Kristof Provost wrote:
> On 2014-11-09 14:30:55 (+0100), Ilya Bakulin <ilya at bakulin.de> wrote:
>> On 07.11.14, 14:31, Kristof Provost wrote:
> You can find the patch series here:
> http://www.sigsegv.be/files/pf_inet6_frag.tar
> and everything in one big patch here:
> http://www.sigsegv.be/files/pf_inet6_frag.patch
>
> It's not cleaned up yet, or even extensively tested.
> Basically the only testing that's been done is setting up a pf config to
> drop all traffic except icmp echo requests, and then sending out
> fragmented icmp echo requests. Without the patch those get dropped, with
> the patch they make it through the firewall.
> I've done some quick flood ping testing, so I'm reasonably confident it
> doesn't leak mbufs.
>
> I started from the OpenBSD work, and imported and adjusted their inet6
> defragmentation patches.
>
> Regards,
> Kristof
Hi Kristof,
I have tested your patchset and it works!
Apart from testing with fragmented ICMPv6 requests, I've performed a
UDP test using Scapy:
>>> from scapy.all import IPv6, IPv6ExtHdrFragment, UDP, fragment6, send
>>> pkt = IPv6(dst="fdf9:37e3:7c53::100:2")/IPv6ExtHdrFragment()/UDP(dport=8000)/("a" * 10000)
>>> pktlist = fragment6(pkt, 1000)
>>> send(pktlist)
fdf9:37e3:7c53::100:2 in this case is the address of my FreeBSD
11-CURRENT VM running with your patch.
Sending pktlist on the wire results in 11 packets being sent; they all get
reassembled by PF, and I can receive the data if I start nc on UDP port 8000.
What I want to do is to do the test with overlapping fragments (that
should be dropped because overlapping IPv6 fragments are forbidden)
and maybe some other non-typical packets.
At this point I would like to ask clusteradm@ (CC'ed) to at least look
at this patchset. The distinction between CROP and DROP that was dropped
upstream is IMHO not important :-) I highly doubt that it makes any
difference to anyone, and particularly at the FreeBSD cluster. On the other
hand, clusteradm@ people have complained about missing IPv6 fragment support
-- so here is the solution.
--
Ilya
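The overlapping-fragment case mentioned above is the one a reviewer of a reassembly path cares most about: RFC 5722 requires an IPv6 node to discard the whole datagram when any fragment overlaps a fragment already queued, rather than cropping or merging it. The following is an added, stand-alone Python model of that rule; it is not Kristof's patch, not PF's code and not Scapy. It builds raw IPv6 Fragment Headers (RFC 2460 section 4.5) over a constructed UDP payload, splits them the way the test above does (1000-byte MTU, 10000 bytes of "a"), reassembles them in arbitrary order, and drops the datagram as soon as an overlapping fragment arrives. The identification value, ports and the fragmentation helper are all assumptions made for the example.

```python
"""Toy IPv6 fragment reassembler enforcing RFC 5722 (no overlapping fragments).

Added example, not PF or Scapy code. Only the Fragment Header and payload are
modelled; the fixed 40-byte IPv6 header is accounted for in size maths only.
"""
import struct
from typing import Dict, List, Optional, Tuple

IPV6_HDR_LEN = 40   # fixed IPv6 header, not carried in the toy packets
FRAG_HDR_LEN = 8    # RFC 2460 4.5 Fragment Header
NH_UDP = 17
IDENT = 0x1234      # constructed identification value for the example


def build_fragment(nxt: int, offset: int, more: bool, ident: int, payload: bytes) -> bytes:
    """Prepend a Fragment Header to payload; offset is in bytes, must be 8-aligned."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    off_flags = ((offset // 8) << 3) | (1 if more else 0)   # 13-bit offset, 2 res, M flag
    return struct.pack("!BBHI", nxt, 0, off_flags, ident) + payload


def parse_fragment(pkt: bytes) -> Tuple[int, int, bool, int, bytes]:
    """Return (next_header, byte_offset, more_flag, identification, payload)."""
    nxt, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[:FRAG_HDR_LEN])
    return nxt, (off_flags >> 3) * 8, bool(off_flags & 1), ident, pkt[FRAG_HDR_LEN:]


def fragment(data: bytes, mtu: int, ident: int, nxt: int = NH_UDP) -> List[bytes]:
    """Split an upper-layer payload into fragments whose full packet fits in mtu.

    Constructed helper standing in for Scapy's fragment6(); every non-final
    piece carries a multiple of 8 octets as RFC 2460 requires.
    """
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        frags.append(build_fragment(nxt, off, off + chunk < len(data), ident, piece))
    return frags


class Reassembler:
    """Per-identification reassembly queue with RFC 5722 overlap rejection."""

    def __init__(self) -> None:
        self._queues: Dict[int, dict] = {}

    def feed(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        """Feed one fragment; returns ("wait"|"complete"|"drop", reassembled_or_None)."""
        _nxt, offset, more, ident, payload = parse_fragment(pkt)
        q = self._queues.setdefault(ident, {"frags": {}, "total": None})
        end = offset + len(payload)
        if more and len(payload) % 8:
            # Non-final fragment not 8-aligned: malformed, discard the datagram.
            del self._queues[ident]
            return "drop", None
        for o, p in q["frags"].items():
            if offset < o + len(p) and o < end:
                # Any overlap (including an exact duplicate) discards the whole
                # datagram, RFC 5722 section 4; no cropping, no "first wins".
                del self._queues[ident]
                return "drop", None
        if q["total"] is not None and (end > q["total"] or (not more and end != q["total"])):
            # Data beyond the announced end, or a second, inconsistent final fragment.
            del self._queues[ident]
            return "drop", None
        q["frags"][offset] = payload
        if not more:
            q["total"] = end
        if q["total"] is None:
            return "wait", None
        # Complete only when the queue covers [0, total) without a gap.
        pos = 0
        for o in sorted(q["frags"]):
            if o != pos:
                return "wait", None
            pos = o + len(q["frags"][o])
        if pos != q["total"]:
            return "wait", None
        data = b"".join(q["frags"][o] for o in sorted(q["frags"]))
        del self._queues[ident]
        return "complete", data


def sample_datagram() -> bytes:
    """Constructed UDP header (src 40000, dst 8000, length, zero checksum) + 10000 x 'a'."""
    body = b"a" * 10000
    return struct.pack("!HHHH", 40000, 8000, 8 + len(body), 0) + body


def demo_normal() -> Tuple[int, str, bool]:
    """Fragment at MTU 1000, deliver in reverse order; returns (count, status, intact)."""
    data = sample_datagram()
    frags = fragment(data, 1000, IDENT)
    r = Reassembler()
    status, out = "wait", None
    for f in reversed(frags):
        status, out = r.feed(f)
    return len(frags), status, out == data


def demo_overlap() -> str:
    """Inject a fragment that overlaps the second one; returns the resulting status."""
    frags = fragment(sample_datagram(), 1000, IDENT)
    r = Reassembler()
    r.feed(frags[0])
    r.feed(frags[1])
    bogus = build_fragment(NH_UDP, 952, True, IDENT, b"b" * 952)  # same offset as frags[1]
    status, _ = r.feed(bogus)
    return status


if __name__ == "__main__":
    print("normal:", demo_normal())    # (11, 'complete', True)
    print("overlap:", demo_overlap())  # drop
```

With a 1000-byte MTU each fragment carries 952 payload bytes, so the 10008-byte UDP datagram splits into 11 pieces, the same count observed on the wire above; delivering them in reverse order still reassembles cleanly, while a single overlapping fragment discards the queue instead of being cropped.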