From owner-freebsd-pf@FreeBSD.ORG Mon Nov 10 08:46:32 2014
Date: Mon, 10 Nov 2014 09:46:32 +0100
Subject: Re: [Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
From: Ermal Luçi
To: bugzilla-noreply@freebsd.org
Cc: "freebsd-pf@freebsd.org"

Give this patch inline a try:

--- a/patches/releng/10.1/pf_reply-to.enahnce.diff +++ b/patches/releng/10.1/pf_reply-to.enahnce.diff @@ -1,8 +1,33 @@ +diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c +index 837b617..b6c37a9 100644 +--- a/sys/netinet6/ip6_output.c ++++ b/sys/netinet6/ip6_output.c +@@ -185,7 +185,7 @@ static int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int); + }\ + } while (/*CONSTCOND*/ 0) + +-static void ++void + in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset) + { + u_short csum; +diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h +index 70e487e..0d72b37 100644 +--- a/sys/netinet6/ip6_var.h ++++ b/sys/netinet6/ip6_var.h +@@ -445,6 +445,7 @@ int rip6_usrreq(struct socket *, + int dest6_input(struct mbuf **, int *, int); + int none_input(struct mbuf **, int *, int); + ++void in6_delayed_cksum(struct mbuf *, uint32_t, u_short); + int in6_selectsrc(struct sockaddr_in6 *, struct ip6_pktopts *, + struct inpcb *inp, struct route_in6 *, struct ucred *cred, + struct ifnet **, struct in6_addr *); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c -index 6bc7ce6..2ceaf0e 100644 +index a76d06e..257fae2 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c -@@ -343,11 +343,9 @@ do { \ +@@ -335,11 +335,9 @@ do { \ } \ if ((d) == PF_OUT && \ (((s)->rule.ptr->rt == PF_ROUTETO && \ 
@@ -17,7 +42,7 @@ index 6bc7ce6..2ceaf0e 100644 return (PF_PASS); \ } while (0) -@@ -5888,7 +5886,12 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, +@@ -5646,7 +5644,12 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, else if (r->rt == PF_ROUTETO && r->direction == dir && in_localip(ip->ip_dst)) return; @@ -31,7 +56,7 @@ index 6bc7ce6..2ceaf0e 100644 if (in_broadcast(ip->ip_dst, oifp)) /* XXX: LOCKING of address list?! */ return; -@@ -6127,7 +6130,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, +@@ -5885,7 +5888,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, } else if (r->rt == PF_ROUTETO && r->direction == dir && in6_localaddr(&ip6->ip6_dst)) return; 
@@ -45,3 +70,31 @@ index 6bc7ce6..2ceaf0e 100644 if (s && r->rt == PF_ROUTETO && pd->nat_rule != NULL && r->direction == PF_OUT && r->direction == dir && pd->pf_mtag->routed < 2) { +diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c +index dbd92f9..621a4f5 100644 +--- a/sys/netpfil/pf/pf_ioctl.c ++++ b/sys/netpfil/pf/pf_ioctl.c +@@ -72,6 +72,7 @@ __FBSDID("$FreeBSD$"); + #include + #include + #include ++#include + #include + + #ifdef INET6 +@@ -3690,12 +3691,9 @@ pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + int chk; + + /* We need a proper CSUM before we start (s. OpenBSD ip_output) */ +- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { +-#ifdef INET +- /* XXX-BZ copy&paste error from r126261? */ +- in_delayed_cksum(*m); +-#endif +- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; ++ if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { ++ in6_delayed_cksum(*m, (*m)->m_pkthdr.len - sizeof(struct ip6_hdr), sizeof(struct ip6_hdr)); ++ (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; + } + CURVNET_SET(ifp->if_vnet); + chk = pf_test6(PF_OUT, ifp, m, inp);

On Wed, Nov 5, 2014 at 3:29 PM, wrote:

> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648
>
> Kurt Jaeger changed:
>
>            What    |Removed    |Added
>
> ----------------------------------------------------------------------------
>                  CC|           |pi@FreeBSD.org
>
> --- Comment #3 from Kurt Jaeger ---
> See
>
> https://lists.freebsd.org/pipermail/freebsd-net/2014-November/040319.html
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
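Review bot: In the pf_check6_out hunk, the new in6_delayed_cksum() call hard-codes sizeof(struct ip6_hdr) as the offset and takes (*m)->m_pkthdr.len - sizeof(struct ip6_hdr) as the payload length, so it assumes the transport header sits directly behind the fixed IPv6 header. If a packet can reach this hook with extension headers already in place, the checksum would be computed over the wrong span; either derive the upper-layer offset from the packet or add a comment saying why extension headers cannot occur at this point. The call line also runs well past 80 columns and should be wrapped.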
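Review bot: The file headers at the top of the patch name patches/releng/10.1/pf_reply-to.enahnce.diff on both sides, so this is a diff of a patch file rather than of the source tree: every real change carries a second "+" prefix, and the pf.c part shows only shifted hunk offsets and index lines. It cannot be applied to sys/ as posted; please send the diff against sys/netinet6 and sys/netpfil directly, and keep the IPv6 checksum change separate from the reply-to patch it is folded into here. Since in6_delayed_cksum() loses "static" in ip6_output.c and gains a prototype in ip6_var.h, a short comment at the prototype naming pf as the outside caller would help.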
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 10 15:14:22 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
Date: Mon, 10 Nov 2014 15:14:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648

--- Comment #4 from Kurt Jaeger ---
(In reply to Kurt Jaeger from comment #3)
> See
>
> https://lists.freebsd.org/pipermail/freebsd-net/2014-November/040319.html

Patch from Ermal Luçi inline in:

https://lists.freebsd.org/pipermail/freebsd-pf/2014-November/007500.html

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 13 19:17:55 2014
Date: Thu, 13 Nov 2014 14:17:54 -0500
Subject: VIMAGE/VNETs support for PF
From: suraj sandhu
To: freebsd-pf@freebsd.org

Hi all,

I am working on a product which used ipfilter but since ipfilter is not supported by the FreeBSD community anymore and doesn't support VNETs, I need to make a choice between IPFW and PF. I know IPFW is supported and works with VIMAGE, can someone here please let me know if the PF also works with VIMAGE, specifically in FreeBSD 9?

Thanks for any help,
Suraj

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 13 20:30:52 2014
Date: Thu, 13 Nov 2014 15:30:51 -0500
Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output
From: J David
To: Ilya Bakulin
Cc: "freebsd-hackers@freebsd.org", freebsd-net@freebsd.org, freebsd-pf@freebsd.org

On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin wrote:
> Of course it was interesting what does the upstream PF do (@ OpenBSD). Seems
> they have made the decision to
> leave the task of recalculating the checksums for outgoing packets to
> ip[6]_output, because currently
> the code there overwrites the checksum anyway.
> This seems a correct way to me. pf should not longer do any checksum updates
> in inbound and outbound path.

Is there any chance this change would help with bug 179392 as well?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392

Or is that a separate issue?

Thanks!

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 13 20:40:47 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 179392] [pf] [ip6] Incorrect TCP checksums in rdr return packets
Date: Thu, 13 Nov 2014 20:40:46 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392

Kurt Jaeger changed:

           What    |Removed    |Added
----------------------------------------------------------------------------
                 CC|           |pi@FreeBSD.org

--- Comment #7 from Kurt Jaeger ---
(In reply to j.david.lists from comment #5)
> We also have encountered this issue.
>
> PF not working properly with IPv6 seems like a very serious problem.
>
> What needs to happen in order to advance this issue? How can we help?
>
> Thanks!

Can you look at a similar PR, 172648 and the suggested patch, and test it and report back?

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 08:17:50 2014
Date: Fri, 14 Nov 2014 09:17:50 +0100
Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output
From: Ermal Luçi
To: J David
Cc: "freebsd-hackers@freebsd.org", "freebsd-pf@freebsd.org", freebsd-net

Yes confirmed it will solve that issue as well.

On Thu, Nov 13, 2014 at 9:30 PM, J David wrote:

> On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin wrote:
> > Of course it was interesting what does the upstream PF do (@ OpenBSD).
> Seems
> > they have made the decision to
> > leave the task of recalculating the checksums for outgoing packets to
> > ip[6]_output, because currently
> > the code there overwrites the checksum anyway.
> > This seems a correct way to me. pf should not longer do any checksum
> updates
> > in inbound and outbound path.
>
> Is there any chance this change would help with bug 179392 as well?
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392
>
> Or is that a separate issue?
>
> Thanks!
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 10:34:51 2014
Date: Fri, 14 Nov 2014 11:34:40 +0100
From: Ilya Bakulin
To: Ermal Luçi
Subject: Re: [Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
Organization: Deglitch Networks
Message-ID: <48fa06babb4c371b69c8e3bb2a3e1cd3@mail.bakulin.de>
Cc: owner-freebsd-pf@freebsd.org, bugzilla-noreply@freebsd.org, freebsd-pf@freebsd.org

Hi Ermal,

unfortunately your inline patch seems to be broken, actually it is a patch for patch??? Please send a correct copy.

On 2014-11-10 09:46, Ermal Luçi wrote:
> Give this patch inline a try:
>
> --- a/patches/releng/10.1/pf_reply-to.enahnce.diff > +++ b/patches/releng/10.1/pf_reply-to.enahnce.diff > @@ -1,8 +1,33 @@ > +diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c > +index 837b617..b6c37a9 100644 > +--- a/sys/netinet6/ip6_output.c > ++++ b/sys/netinet6/ip6_output.c > +@@ -185,7 +185,7 @@ static int copypktopts(struct ip6_pktopts *, > struct ip6_pktopts *, int); > + }\ > + } while (/*CONSTCOND*/ 0) > + > +-static void > ++void > + in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset) > + { > + u_short csum; > +diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h > +index 70e487e..0d72b37 100644 > +--- a/sys/netinet6/ip6_var.h > ++++ b/sys/netinet6/ip6_var.h > +@@ -445,6 +445,7 @@ int rip6_usrreq(struct socket *, > + int dest6_input(struct mbuf **, int *, int); > + int none_input(struct mbuf **, int *, int); > + > ++void in6_delayed_cksum(struct mbuf *, uint32_t, u_short); > + int in6_selectsrc(struct sockaddr_in6 *, struct ip6_pktopts *, > + struct inpcb *inp, struct route_in6 *, struct ucred *cred, > + struct ifnet **, struct in6_addr *); 
> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c > -index 6bc7ce6..2ceaf0e 100644 > +index a76d06e..257fae2 100644 > --- a/sys/netpfil/pf/pf.c > +++ b/sys/netpfil/pf/pf.c > -@@ -343,11 +343,9 @@ do { \ > +@@ -335,11 +335,9 @@ do { \ > } \ > if ((d) == PF_OUT && \ > (((s)->rule.ptr->rt == PF_ROUTETO && \ > @@ -17,7 +42,7 @@ index 6bc7ce6..2ceaf0e 100644 > return (PF_PASS); \ > } while (0) > > -@@ -5888,7 +5886,12 @@ pf_route(struct mbuf **m, struct pf_rule *r, > int dir, struct ifnet *oifp, > +@@ -5646,7 +5644,12 @@ pf_route(struct mbuf **m, struct pf_rule *r, > int dir, struct ifnet *oifp, > else if (r->rt == PF_ROUTETO && r->direction == dir && > in_localip(ip->ip_dst)) > return; > > @@ -31,7 +56,7 @@ index 6bc7ce6..2ceaf0e 100644 > if (in_broadcast(ip->ip_dst, oifp)) /* XXX: LOCKING of address > list?! */ > return; > > -@@ -6127,7 +6130,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, > int dir, struct ifnet *oifp, > +@@ -5885,7 +5888,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, > int dir, struct ifnet *oifp, > } else if (r->rt == PF_ROUTETO && r->direction == dir && > in6_localaddr(&ip6->ip6_dst)) > return; 
> > @@ -45,3 +70,31 @@ index 6bc7ce6..2ceaf0e 100644 > > if (s && r->rt == PF_ROUTETO && pd->nat_rule != NULL && > r->direction == PF_OUT && r->direction == dir && > pd->pf_mtag->routed < 2) { > +diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c > +index dbd92f9..621a4f5 100644 > +--- a/sys/netpfil/pf/pf_ioctl.c > ++++ b/sys/netpfil/pf/pf_ioctl.c > +@@ -72,6 +72,7 @@ __FBSDID("$FreeBSD$"); > + #include > + #include > + #include > ++#include > + #include > + > + #ifdef INET6 > +@@ -3690,12 +3691,9 @@ pf_check6_out(void *arg, struct mbuf **m, > struct ifnet *ifp, int dir, > + int chk; > + > + /* We need a proper CSUM before we start (s. OpenBSD ip_output) */ > +- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { > +-#ifdef INET > +- /* XXX-BZ copy&paste error from r126261? */ > +- in_delayed_cksum(*m); > +-#endif > +- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; > ++ if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { > ++ in6_delayed_cksum(*m, (*m)->m_pkthdr.len - sizeof(struct ip6_hdr), > sizeof(struct ip6_hdr)); > ++ (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; > + } > + CURVNET_SET(ifp->if_vnet); > + chk = pf_test6(PF_OUT, ifp, m, inp);
>
>
> On Wed, Nov 5, 2014 at 3:29 PM, wrote:
>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648
>>
>> Kurt Jaeger changed:
>>
>>            What    |Removed    |Added
>>
>> ----------------------------------------------------------------------------
>>                  CC|           |pi@FreeBSD.org
>>
>> --- Comment #3 from Kurt Jaeger ---
>> See
>>
>> https://lists.freebsd.org/pipermail/freebsd-net/2014-November/040319.html
>>
>> --
>> You are receiving this mail because:
>> You are the assignee for the bug.
>>

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 10:34:53 2014
Date: Fri, 14 Nov 2014 11:34:51 +0100
From: Ilya Bakulin
To: Ermal Luçi
Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output
Organization: Deglitch Networks
Message-ID: <9734b7d34828a102d9a2f5061c11ae3d@mail.bakulin.de>
Cc: freebsd-hackers@freebsd.org, freebsd-net, owner-freebsd-net@freebsd.org, freebsd-pf@freebsd.org

Hi all,

actually with _my_ checksumming patch the rdr-to is broken completely :-(
So I'm waiting for Ermal to send an updated version of his patch that may really solve the problem!

On 2014-11-14 09:17, Ermal Luçi wrote:
> Yes confirmed it will solve that issue as well.
>
> On Thu, Nov 13, 2014 at 9:30 PM, J David
> wrote:
>
>> On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin wrote:
>> > Of course it was interesting what does the upstream PF do (@ OpenBSD).
>> Seems
>> > they have made the decision to
>> > leave the task of recalculating the checksums for outgoing packets to
>> > ip[6]_output, because currently
>> > the code there overwrites the checksum anyway.
>> > This seems a correct way to me. pf should not longer do any checksum
>> updates
>> > in inbound and outbound path.
>>
>> Is there any chance this change would help with bug 179392 as well?
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392
>>
>> Or is that a separate issue?
>>
>> Thanks!
>>

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 11:57:20 2014
In-Reply-To: <9734b7d34828a102d9a2f5061c11ae3d@mail.bakulin.de>
Date: Fri, 14 Nov 2014 12:57:19 +0100
Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output
From: Ermal Luçi
To: Ilya Bakulin
Cc: Freebsd hackers list, freebsd-net, owner-freebsd-net@freebsd.org, "freebsd-pf@freebsd.org"

Here is a direct patch.
Give it a try.

For the reply-to issues there is another patch complementary to this I will send.

On Fri, Nov 14, 2014 at 11:34 AM, Ilya Bakulin wrote:

> Hi all,
>
> actually with _my_ checksumming patch the rdr-to is broken completely :-(
> So I'm waiting for Ermal to send an updated version of his patch that may
> really solve the problem!
>
>
> On 2014-11-14 09:17, Ermal Luçi wrote:
>
>> Yes confirmed it will solve that issue as well.
>>
>> On Thu, Nov 13, 2014 at 9:30 PM, J David wrote:
>>
>> On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin wrote:
>>> > Of course it was interesting what does the upstream PF do (@ OpenBSD).
>>> Seems
>>> > they have made the decision to
>>> > leave the task of recalculating the checksums for outgoing packets to
>>> > ip[6]_output, because currently
>>> > the code there overwrites the checksum anyway.
>>> > This seems a correct way to me. pf should not longer do any checksum
>>> updates
>>> > in inbound and outbound path.
>>>
>>> Is there any chance this change would help with bug 179392 as well?
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392
>>>
>>> Or is that a separate issue?
>>>
>>> Thanks!
>>> _______________________________________________ >>> freebsd-net@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-net >>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >>> >>> > -- Ermal --001a113817fcc0512c0507d054a5 Content-Type: application/octet-stream; name="pf_ipv6_checksum.patch" Content-Disposition: attachment; filename="pf_ipv6_checksum.patch" Content-Transfer-Encoding: base64 X-Attachment-Id: f_i2hhqx000 --001a113817fcc0512c0507d054a5-- From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 12:34:34 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: 
from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0C6E7EAB; Fri, 14 Nov 2014 12:34:34 +0000 (UTC) Received: from olymp.kibab.com (olymp.kibab.com [5.9.14.202]) by mx1.freebsd.org (Postfix) with ESMTP id 5BE83EFD; Fri, 14 Nov 2014 12:34:32 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.8.3 olymp.kibab.com 3743A75918 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bakulin.de; s=default; t=1415968470; bh=07v+EQ6VSe0WWql2imxQcrebpY21wPv/AqBSYQZikXU=; h=In-Reply-To:References:Subject:From:Date:To:CC; b=bx9zwWEQ1iyauD09xBLVU4mPAEUkrNDUKir+HMErpjP4JLEmmA7il4pb4NMjIX+5U jwZXmNQ/tmeqQRFEm7Dz8+Kiy99l23IkDzNQgvNsO6OtbRO9wR055nu7P9me4U+WHu uc47QURrHWXXpB3mNSpe7jI38N9xNEyIZUrCuMzc= In-Reply-To: References: <9734b7d34828a102d9a2f5061c11ae3d@mail.bakulin.de> MIME-Version: 1.0 Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output 
From: Ilya Bakulin Date: Fri, 14 Nov 2014 13:34:29 +0100 To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= Message-ID: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: Freebsd hackers list , freebsd-pf@freebsd.org, freebsd-net , owner-freebsd-net@freebsd.org, ermal.luci@gmail.com X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2014 12:34:34 -0000 Hi Ermal, yes, this patch works for both #179392 and #172648. What do you need to merge this into -CURRENT and MFC to stable/9? On 2014-11-14 12:57, Ermal Luçi wrote: > Here is a direct patch. > Give it a try. > > For the reply-to issues there is another patch complementary to this i > will send. > > On Fri, Nov 14, 2014 at 11:34 AM, Ilya Bakulin > wrote: > >> Hi all, >> >> actually with _my_ checksumming patch the rdr-to is broken >> completely :-( >> So I'm waiting for Ermal to send an updated version of his patch >> that may really solve the problem! >> >> On 2014-11-14 09:17, Ermal Luçi wrote: >> Yes confirmed it will solve that issue as well. >> >> On Thu, Nov 13, 2014 at 9:30 PM, J David >> wrote: >> >> On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin >> wrote: >>> Of course it was interesting what does the upstream PF do (@ >> OpenBSD). >> Seems >>> they have made the decision to >>> leave the task of recalculating the checksums for outgoing >> packets to >>> ip[6]_output, because currently >>> the code there overwrites the checksum anyway. >>> This seems a correct way to me. pf should not longer do any >> checksum >> updates >>> in inbound and outbound path. >> >> Is there any chance this change would help with bug 179392 as well? >> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392 [1] >> >> Or is that a separate issue? 
>> >> Thanks! >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-net [2] >> To unsubscribe, send any mail to >> "freebsd-net-unsubscribe@freebsd.org" > > -- > > Ermal > > Links: > ------ > [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392 > [2] http://lists.freebsd.org/mailman/listinfo/freebsd-net -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 13:08:35 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 91B3B70E; Fri, 14 Nov 2014 13:08:35 +0000 (UTC) Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 58C85243; Fri, 14 Nov 2014 13:08:35 +0000 (UTC) Received: by mail-pa0-f47.google.com with SMTP id kx10so17530494pab.34 for ; Fri, 14 Nov 2014 05:08:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=k91e6+X4iCJo8otmRKo8iS0pLtFK6YhROZ6Rlf3HI98=; b=nM0e38ZwQkwXNODNyGE6/RbEA0SilHtfzn4RDjwrm7T4Uqe2XWxDBynCucl/WBC29o J7LPVvHuTMl4cFdYy/ds4PFbUnl8DIjmGT/Xv2hyQaTb8XbYQdie0prnXEp05Al4JssP w8YBsptGtr10JQ0QnpJKi2/IcfAuU4JyqVHgjdsOSYChlwOOwSVfaIbb3bDjSPeN+Tjx B5LuHe3bnNW7Wnmmk9Jt6QD9EOxV/YP4ka0OpnRNaE0SLeiVmA3+E9OMxBXE5pQ3SHh1 pRKwNi4EzGZ/fcahqMjgxekyCmmlB5X+RCt2oiFkZ9Qq/DpMpP2I9Sl2XMo4QeWA/xpY SSHg== MIME-Version: 1.0 X-Received: by 10.70.131.199 with SMTP id oo7mr10079581pdb.138.1415970513950; Fri, 14 Nov 2014 05:08:33 -0800 (PST) Sender: 
ermal.luci@gmail.com Received: by 10.70.73.2 with HTTP; Fri, 14 Nov 2014 05:08:33 -0800 (PST) In-Reply-To: References: <9734b7d34828a102d9a2f5061c11ae3d@mail.bakulin.de> Date: Fri, 14 Nov 2014 14:08:33 +0100 X-Google-Sender-Auth: vE7hR9KrsnB7cD3PU_p5tm3KvRU Message-ID: Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output 
From: =?UTF-8?Q?Ermal_Lu=C3=A7i?= To: Ilya Bakulin Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: Freebsd hackers list , freebsd-net , owner-freebsd-net@freebsd.org, "freebsd-pf@freebsd.org" X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2014 13:08:35 -0000 Hello Ilya, just approval from some people. I will follow-up. On Fri, Nov 14, 2014 at 1:34 PM, Ilya Bakulin wrote: > Hi Ermal, > yes, this patch works for both #179392 and #172648. > > What do you need to merge this into -CURRENT and MFC to stable/9? > > > On 2014-11-14 12:57, Ermal Luçi wrote: > > Here is a direct patch. > > Give it a try. > > > > For the reply-to issues there is another patch complementary to this i > > will send. > > > > On Fri, Nov 14, 2014 at 11:34 AM, Ilya Bakulin > > wrote: > > > >> Hi all, > >> > >> actually with _my_ checksumming patch the rdr-to is broken > >> completely :-( > >> So I'm waiting for Ermal to send an updated version of his patch > >> that may really solve the problem! > >> > >> On 2014-11-14 09:17, Ermal Luçi wrote: > >> Yes confirmed it will solve that issue as well. > >> > >> On Thu, Nov 13, 2014 at 9:30 PM, J David > >> wrote: > >> > >> On Wed, Nov 5, 2014 at 9:28 AM, Ilya Bakulin > >> wrote: > >>> Of course it was interesting what does the upstream PF do (@ > >> OpenBSD). > >> Seems > >>> they have made the decision to > >>> leave the task of recalculating the checksums for outgoing > >> packets to > >>> ip[6]_output, because currently > >>> the code there overwrites the checksum anyway. > >>> This seems a correct way to me. pf should not longer do any > >> checksum > >> updates > >>> in inbound and outbound path. 
> >> > >> Is there any chance this change would help with bug 179392 as well? > >> > >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392 [1] > >> > >> Or is that a separate issue? > >> > >> Thanks! > >> _______________________________________________ > >> freebsd-net@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-net [2] > >> To unsubscribe, send any mail to > >> "freebsd-net-unsubscribe@freebsd.org" > > > > -- > > > > Ermal > > > > Links: > > ------ > > [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392 > > [2] http://lists.freebsd.org/mailman/listinfo/freebsd-net > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. -- Ermal From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 19:31:57 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 62CB58E6 for ; Fri, 14 Nov 2014 19:31:57 +0000 (UTC) Received: from nskntmtas02p.mx.bigpond.com (nskntmtas02p.mx.bigpond.com [61.9.168.140]) by mx1.freebsd.org (Postfix) with ESMTP id F2730781 for ; Fri, 14 Nov 2014 19:31:56 +0000 (UTC) Received: from nskntcmgw08p ([61.9.169.168]) by nskntmtas02p.mx.bigpond.com with ESMTP id <20141114193148.WTQF2564.nskntmtas02p.mx.bigpond.com@nskntcmgw08p> for ; Fri, 14 Nov 2014 19:31:48 +0000 Received: from aneurin.horsfall.org ([120.146.8.15]) by nskntcmgw08p with BigPond Outbound id FXXo1p0070KTh7401XXokt; Fri, 14 Nov 2014 19:31:48 +0000 X-Authority-Analysis: v=2.0 cv=D6DF24tj c=1 sm=1 a=4q38a75ucWZEoAuqF1Taiw==:17 a=IPki1kwjZaUA:10 a=wPDyFdB5xvgA:10 a=kj9zAlcOel0A:10 a=jl1WCCbAAAAA:8 a=KBZQRfpGIerDDnnwjkcA:9 a=CjuIK1q_8ugA:10 a=oRGrlLRogwYA:10 a=EMvNslRywjgA:10 a=4q38a75ucWZEoAuqF1Taiw==:117 Received: from aneurin.horsfall.org (localhost [127.0.0.1]) by aneurin.horsfall.org (8.14.9/8.14.9) with ESMTP id sAEJVkEk010826 for 
; Sat, 15 Nov 2014 06:31:47 +1100 (EST) (envelope-from dave@horsfall.org) Received: from localhost (dave@localhost) by aneurin.horsfall.org (8.14.9/8.14.9/Submit) with ESMTP id sAEJVk1k010823 for ; Sat, 15 Nov 2014 06:31:46 +1100 (EST) (envelope-from dave@horsfall.org) X-Authentication-Warning: aneurin.horsfall.org: dave owned process doing -bs Date: Sat, 15 Nov 2014 06:31:46 +1100 (EST) 
From: Dave Horsfall To: FreeBSD PF List Subject: /etc/periodic/security/520.pfdenied Message-ID: User-Agent: Alpine 2.11 (BSF 23 2013-08-11) X-Witty-Saying: "chmod 666 the_mode_of_the_beast" MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2014 19:31:57 -0000

Not quite sure if this belongs here or elsewhere; it is PF-related, after all, so please refer me somewhere else if necessary.

What is the actual intent of this script? It seems to be showing every rule that *could* have triggered, regardless of whether it *did* trigger.

I'm happy to submit a patch if necessary, but I'll need to know what the script is supposed to be doing.

(Yes, it's a basic firewall, but it's protected by a more vicious one upstream; PF merely fine-tunes what gets through to the exposed server.)

-----
aneurin.horsfall.org pf denied packets:
+++ /tmp/security.8uFzJ1HL 2014-11-15 03:09:11.000000000 +1100
+block drop all [ Evaluations: 27332 Packets: 10696 Bytes: 471264 States: 0 ]
+block drop in log quick on fxp0 from to any [ Evaluations: 22598 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick on fxp0 from to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick on ! fxp0 inet from 10.0.0.0/8 to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick inet from 10.0.0.3 to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick from no-route to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on fxp0 inet from any to 255.255.255.255 [ Evaluations: 22583 Packets: 7 Bytes: 2296 States: 0 ]
+block drop in log quick inet from any to 0.0.0.0 [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick inet from 224.0.0.0/4 to any [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick inet from 255.255.255.255 to any [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on fxp0 inet from any to 224.0.0.1 [ Evaluations: 22576 Packets: 11246 Bytes: 489992 States: 0 ]
-----

Thanks.

--
Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 19:44:50 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6A242127 for ; Fri, 14 Nov 2014 19:44:50 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 521048EF for ; Fri, 14 Nov 2014 19:44:50 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id sAEJioNS049518 for ; Fri, 14 Nov 2014 19:44:50 GMT (envelope-from bugzilla-noreply@freebsd.org) 
From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 179392] [pf] [ip6] Incorrect TCP checksums in rdr return packets Date: Fri, 14 Nov 2014 19:44:49 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: glebius@FreeBSD.org X-Bugzilla-Status: In Discussion X-Bugzilla-Priority: Normal X-Bugzilla-Assigned-To: eri@freebsd.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc assigned_to Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2014 19:44:50 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=179392

Gleb Smirnoff changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glebius@FreeBSD.org
           Assignee|freebsd-pf@FreeBSD.org      |eri@freebsd.org

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 14 19:45:20 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 552D2307 for ; Fri, 14 Nov 2014 19:45:20 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3CD33900 for ; Fri, 14 Nov 2014 19:45:20 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id sAEJjKef050085 for ; Fri, 14 Nov 2014 19:45:20 GMT (envelope-from bugzilla-noreply@freebsd.org) 
From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 172648] [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK Date: Fri, 14 Nov 2014 19:45:19 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.1-PRERELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: glebius@FreeBSD.org X-Bugzilla-Status: In Discussion X-Bugzilla-Priority: Normal X-Bugzilla-Assigned-To: eri@freebsd.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc assigned_to Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2014 19:45:20 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172648

Gleb Smirnoff changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glebius@FreeBSD.org
           Assignee|freebsd-pf@FreeBSD.org      |eri@freebsd.org

--
You are receiving this mail because:
You are the assignee for the bug.
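
Added example, not part of any message in this archive and not the code of the periodic script: for the "pf denied packets" report quoted in Dave Horsfall's 520.pfdenied message above, a filter that keeps only the block rules whose Packets counter is non-zero and lists the busiest rule first. The function names are hypothetical, and the input is five lines taken from that report, one rule per line.

```shell
#!/bin/sh
# Added example: reduce a "pf denied packets" report to the block rules that
# actually dropped traffic. Function names are hypothetical; this is not the
# code of /etc/periodic/security/520.pfdenied.

# Five lines taken from the report quoted in the message. The leading "+"
# is the marker the report puts in front of each new line.
sample_report() {
    cat <<'EOF'
+block drop all [ Evaluations: 27332 Packets: 10696 Bytes: 471264 States: 0 ]
+block drop in log quick from no-route to any [ Evaluations: 22583 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on fxp0 inet from any to 255.255.255.255 [ Evaluations: 22583 Packets: 7 Bytes: 2296 States: 0 ]
+block drop in log quick inet from any to 0.0.0.0 [ Evaluations: 22576 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on fxp0 inet from any to 224.0.0.1 [ Evaluations: 22576 Packets: 11246 Bytes: 489992 States: 0 ]
EOF
}

# Read report lines on stdin and print "packets<TAB>bytes<TAB>rule" for every
# block rule with Packets > 0, highest packet count first.
pf_denied_hits() {
    awk '
    /^[+]?block / {
        pkts = 0; bytes = 0
        for (i = 1; i < NF; i++) {
            if ($i == "Packets:") pkts  = $(i + 1) + 0
            if ($i == "Bytes:")   bytes = $(i + 1) + 0
        }
        if (pkts == 0) next                    # evaluated, but no packet counted
        rule = $0
        sub(/^[+]/, "", rule)                  # drop the report marker
        sub(/ *\[ Evaluations:.*$/, "", rule)  # drop the counter block
        printf "%d\t%d\t%s\n", pkts, bytes, rule
    }' | sort -rn
}

# Count the block rules that were listed although their Packets counter is 0.
pf_denied_idle() {
    awk '/^[+]?block / && / Packets: 0 / { n++ } END { print n + 0 }'
}

# Stand-alone run: show the rules that dropped packets in the sample.
sample_report | pf_denied_hits
```

The counters are whatever pf had accumulated when the report was taken, so the filter shows which rules dropped packets, not when they did.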