Re: Fragmented packets are not redirected

Spenst, Aleksej Aleksej.Spenst at harman.com
Fri Oct 17 10:14:45 UTC 2014


Hi All,

I'm thinking about how I can debug this problem.
I enabled logging for blocked packets (block log-all all). My pf.conf looks approximately like this:

scrub in on wlan0 all
rdr on wlan0 proto udp from any to (self) port 9870 -> 192.168.0.1 port 9870
block log-all all
pass on wlan0 all

The fragmented packets are not redirected to 192.168.0.1, but they are also not blocked, since I don't see them in the logs (with tcpdump -i pflog0). Where do they disappear to? Are they just silently discarded by pf?

I also tried to add "log-all" to the scrub rule:

scrub in log-all on wlan0 all

--> I don't see anything from this rule in the logs either!

My other question is about the option "set debug <level>" that one can write at the beginning of pf.conf. What is this debug level for? I thought there was only one way to debug pf rules: with the "log"/"log-all" keyword and the pflog0 interface. Is this debug level some other kind of debugging? When I write the option "set debug none" in pf.conf, I can still see all packets logged on the pflog0 interface. So, is it something different?

Thanks!
Aleksej.





-----Original Message-----
From: Spenst, Aleksej 
Sent: Tuesday, 14 October 2014 16:03
To: Kristof Provost
Cc: freebsd-pf at freebsd.org
Subject: Re: Fragmented packets are not redirected

Hi Kristof,

Thank you for your answer.
I read that "fragment reassemble" is the default behavior of scrub. So "scrub in" and "scrub in fragment reassemble" are the same. But just to be sure I also tried it already -> it didn't help.

Regards,
Aleksej.


-----Original Message-----
From: Kristof Provost [mailto:kristof at sigsegv.be]
Sent: Tuesday, 14 October 2014 15:57
To: Spenst, Aleksej
Cc: freebsd-pf at freebsd.org
Subject: Re: Fragmented packets are not redirected

On 2014-10-14 09:33:44 (+0000), Spenst, Aleksej <Aleksej.Spenst at harman.com> wrote:
> It is clear that if the IP fragments are not reassembled at the server 
> they cannot be redirected since the redirection rule is written for 
> UDP packets. That is why I have this scrub rule at the very beginning 
> of my pf.conf:
> 
> scrub in on wlan0 all
> 
> I thought that this rule should reassemble all the incoming fragments.
> The reassembled UDP packets should be then correctly passed through 
> the rdr rule and redirected to my PC. But this does not happen.
> 
I think that you want 'scrub in on wlan0 all fragment reassemble'.

Regards,
Kristof



From: Spenst, Aleksej 
Sent: Tuesday, 14 October 2014 11:34
To: freebsd-pf at freebsd.org
Subject: Fragmented packets are not redirected

Hi All,

I have one problem with redirection of the fragmented packets. My use case:

A mobile phone sends an RTP video stream to my server. The server has pf installed. All RTP packets are redirected from the server to my PC:

|Mobile|------>---RTP---->-----|Server|------->---RTP--->-----|PC|

The small RTP packets are redirected to my PC without any problems.
The problem is with the large RTP packets that are fragmented and transmitted as several IP fragments. These IP fragments are not redirected to the PC. The redirection rule at the server:

rdr on wlan0 proto udp from any to (self) port 9870 -> 192.168.0.1 port 9870

     | S e r v e r |
->--|wlan0      eth0|-->-------|PC 192.168.0.1|

It is clear that if the IP fragments are not reassembled at the server they cannot be redirected since the redirection rule is written for UDP packets. That is why I have this scrub rule at the very beginning of my pf.conf:

scrub in on wlan0 all

I thought that this rule should reassemble all the incoming fragments. The reassembled UDP packets should be then correctly passed through the rdr rule and redirected to my PC. But this does not happen. 

Do you have any ideas/tips?

Thanks a lot!
Aleksej.
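The point the original message makes, that a non-first IP fragment carries no UDP header and so can never match a rule written as "proto udp ... port 9870" unless something reassembles the datagram first, shown with constructed packets. This is an added example and not code from the thread or from pf: the addresses, the IP identification value and the 3000-byte RTP-sized payload are made up, and the reassembler is a toy that checks for holes but does not model pf's fragment cache or timeouts.

```python
"""Why a stateless 'proto udp ... port 9870' rule cannot see non-first fragments."""
import struct

# Constructed values for the example (not from the original thread).
SRC = "10.0.0.2"        # the phone
DST = "10.0.0.1"        # the server's wlan0 address, i.e. (self)
RTP_PORT = 9870
PROTO_UDP = 17
MF_FLAG = 0x2000        # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(ident, offset8, more, proto, src, dst, data):
    """One IPv4 packet without options; offset8 is the fragment offset in 8-byte units."""
    flags_frag = (MF_FLAG if more else 0) | offset8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, flags_frag,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + data


def udp_datagram(sport, dport, payload):
    # IPv4 permits a zero UDP checksum, which keeps the example short.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(ident, src, dst, proto, l4, mtu=1500):
    """Split a transport-layer datagram into IPv4 fragments the way a sender would."""
    step = (mtu - 20) // 8 * 8     # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(l4), step):
        chunk = l4[off:off + step]
        frags.append(ipv4_packet(ident, off // 8, off + step < len(l4), proto, src, dst, chunk))
    return frags


def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, ff, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {"ident": ident, "proto": proto, "more": bool(ff & MF_FLAG),
            "offset": ff & OFFSET_MASK, "data": pkt[ihl:total]}


def rule_matches(pkt, dport=RTP_PORT):
    """What a rule 'proto udp from any to DST port 9870' can decide from one packet alone.

    Returns True/False when the packet carries a UDP header, None when it is a
    non-first fragment: the port numbers live only in fragment 0.
    """
    p = parse(pkt)
    if p["proto"] != PROTO_UDP:
        return False
    if p["offset"] != 0:
        return None
    return struct.unpack("!H", p["data"][2:4])[0] == dport


def reassemble(frags):
    """Toy reassembly: order by offset, refuse holes or a missing last fragment."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    out, expected = b"", 0
    for p in parts:
        if p["offset"] * 8 != expected:
            raise ValueError("hole at byte %d" % expected)
        out += p["data"]
        expected += len(p["data"])
    if parts[-1]["more"]:
        raise ValueError("last fragment missing")
    return out


def demo(payload_len=3000):
    """Fragment one large RTP-sized datagram and report what a stateless rule sees."""
    dg = udp_datagram(5004, RTP_PORT, b"\x80" * payload_len)
    frags = fragment(0x1234, SRC, DST, PROTO_UDP, dg)
    verdicts = [rule_matches(f) for f in frags]
    whole = ipv4_packet(0x1234, 0, False, PROTO_UDP, SRC, DST, reassemble(frags))
    return len(frags), verdicts, rule_matches(whole)


if __name__ == "__main__":
    print(demo())   # (3, [True, None, None], True)
```

Only the first fragment answers the port question; the other two are opaque to any rule keyed on UDP ports, which is why the scrub (reassembly) step has to succeed before the rdr rule gets a chance. Reversing the fragment order or dropping a middle fragment exercises the reassembler's ordering and hole checks.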


