Date: Mon, 4 Jun 2007 16:44:30 -0300
From: Hugo Koji Kobayashi <koji@registro.br>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: udp fragmentation
Message-ID: <20070604194430.GD21681@registro.br>
In-Reply-To: <200706021704.53787.max@love2party.net>
References: <20070528224225.GC40678@registro.br> <200705301002.04911.max@love2party.net> <20070531134923.GH39552@registro.br> <200706021704.53787.max@love2party.net>
Hi Max,

pf is running on the DNS client machine. The DNS server is on a completely different network (I don't control this server).

The client can send the udp request with no problem (it's a small udp datagram; less than 512 bytes), the server sends the udp response fragmented, but the client can't receive it.

Please, find attached a new test with the requested information.

Regards,
Hugo

On Sat, Jun 02, 2007 at 05:04:52PM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Thursday 31 May 2007, Hugo Koji Kobayashi wrote:
> > Please find attached the tests results after enabling extended
> > logging.
> >
> > I've done the test twice, changing dig's "+bufsize" parameter.
>
> looking at your log file, it seems that the packet traverses pf alright:
>
> > ---- Console begin
> > pf_normalize_ip: reass frag 11881 @ 0-1480
> > pf_normalize_ip: reass frag 11881 @ 1480-2960
> > pf_normalize_ip: reass frag 11881 @ 2960-4094
> > pf_reassemble: 4094 < 4094?
> > pf_reassemble: complete: 0xc4338000(4114)
> > ---- Console end
> >
> > fbsd7# date ; pfctl -si
> > Tue May 8 04:15:24 BRT 2007
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > Status: Enabled for 0 days 00:05:27 Debug: Misc
> >
> > Hostid: 0xfd3ea603
> >
> > State Table Total Rate
> >   current entries 3
> >   searches 405 1.2/s
> >   inserts 40 0.1/s
> >   removals 37 0.1/s
> > Counters
> >   match 40 0.1/s
> >   bad-offset 0 0.0/s
> >   fragment 0 0.0/s
> >   short 0 0.0/s
> >   normalize 0 0.0/s
> >   memory 0 0.0/s
> >   bad-timestamp 0 0.0/s
> >   congestion 0 0.0/s
> >   ip-option 0 0.0/s
> >   proto-cksum 0 0.0/s
> >   state-mismatch 0 0.0/s
> >   state-insert 0 0.0/s
> >   state-limit 0 0.0/s
> >   src-limit 0 0.0/s
> >   synproxy 0 0.0/s
>
> So the culprit should be somewhere up the stack. i.e. FreeBSD chokes on
> the already reassembled packet. Could you also provide netstat -ssp udp
> and netstat -ssp ip from before and after your test to get an idea where
> the packet is lost? To make sure I understand your setup correctly: pf
> is running on the DNS server i.e. the destination address of the datagram
> is a local address?
>
> --
> /"\ Best regards, | mlaier@freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier@EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News

Content-Disposition: attachment; filename="pf-edns0-tests-2.txt"

fbsd7# date ; pfctl -si
Tue May 8 07:59:57 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:01 Debug: Misc

Hostid: 0xfd3ea603

State Table Total Rate
  current entries 5
  searches 975 0.6/s
  inserts 42 0.0/s
  removals 37 0.0/s
Counters
  match 42 0.0/s
  bad-offset 0 0.0/s
  fragment 0 0.0/s
  short 0 0.0/s
  normalize 0 0.0/s
  memory 0 0.0/s
  bad-timestamp 0 0.0/s
  congestion 0 0.0/s
  ip-option 0 0.0/s
  proto-cksum 0 0.0/s
  state-mismatch 0 0.0/s
  state-insert 0 0.0/s
  state-limit 0 0.0/s
  src-limit 0 0.0/s
  synproxy 0 0.0/s

fbsd7# date ; pfctl -xm
Tue May 8 08:00:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

fbsd7# date ; pfctl -si
Tue May 8 08:00:03 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:07 Debug: Misc

Hostid: 0xfd3ea603

State Table Total Rate
  current entries 5
  searches 989 0.7/s
  inserts 42 0.0/s
  removals 37 0.0/s
Counters
  match 42 0.0/s
  bad-offset 0 0.0/s
  fragment 0 0.0/s
  short 0 0.0/s
  normalize 0 0.0/s
  memory 0 0.0/s
  bad-timestamp 0 0.0/s
  congestion 0 0.0/s
  ip-option 0 0.0/s
  proto-cksum 0 0.0/s
  state-mismatch 0 0.0/s
  state-insert 0 0.0/s
  state-limit 0 0.0/s
  src-limit 0 0.0/s
  synproxy 0 0.0/s

fbsd7# date; netstat -ssp udp
Tue May 8 08:00:06 BRT 2007
udp:
        36 datagrams received
        2 with bad checksum
        34 delivered
        40 datagrams output

fbsd7# date; netstat -ssp ip
Tue May 8 08:00:09 BRT 2007
ip:
        521 total packets received
        514 packets for this host
        489 packets sent from this host

fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

---- Console begin
pf_normalize_ip: reass frag 43470 @ 0-1480
pf_normalize_ip: reass frag 43470 @ 1480-2960
pf_normalize_ip: reass frag 43470 @ 2960-4094
pf_reassemble: 4096 < 4096?
pf_reassemble: complete: 0x433bb00(4116)
---- Console end

fbsd7# date; netstat -ssp udp
Tue May 8 08:00:19 BRT 2007
udp:
        36 datagrams received
        3 with bad checksum
        33 delivered
        41 datagrams output

fbsd7# date; netstat -ssp ip
Tue May 8 08:00:24 BRT 2007
ip:
        533 total packets received
        523 packets for this host
        501 packets sent from this host

fbsd7# date ; pfctl -si
Tue May 8 08:00:27 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:31 Debug: Misc

Hostid: 0xfd3ea603

State Table Total Rate
  current entries 5
  searches 1031 0.7/s
  inserts 43 0.0/s
  removals 38 0.0/s
Counters
  match 43 0.0/s
  bad-offset 0 0.0/s
  fragment 0 0.0/s
  short 0 0.0/s
  normalize 0 0.0/s
  memory 0 0.0/s
  bad-timestamp 0 0.0/s
  congestion 0 0.0/s
  ip-option 0 0.0/s
  proto-cksum 0 0.0/s
  state-mismatch 0 0.0/s
  state-insert 0 0.0/s
  state-limit 0 0.0/s
  src-limit 0 0.0/s
  synproxy 0 0.0/s
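The before/after comparison requested in the quoted reply, as an added example that is not part of the original message: a short Python script that diffs two netstat -s snapshots, fed with the counter values from the attachment above. The function names are hypothetical, and a counter missing from one snapshot is treated as zero because the doubled -s flag suppresses zero-valued counters.

```python
import re
# Counter values copied from the netstat output in pf-edns0-tests-2.txt above.
BEFORE = """\
udp:
        36 datagrams received
        2 with bad checksum
        34 delivered
        40 datagrams output
ip:
        521 total packets received
        514 packets for this host
        489 packets sent from this host
"""
AFTER = """\
udp:
        36 datagrams received
        3 with bad checksum
        33 delivered
        41 datagrams output
ip:
        533 total packets received
        523 packets for this host
        501 packets sent from this host
"""

_HEADER = re.compile(r"^(\w+):\s*$")            # protocol section, e.g. "udp:"
_COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # "<value> <description>"

def parse_counters(text):
    """Return {(protocol, description): value} for netstat -s style output."""
    counters, proto = {}, None
    for line in text.splitlines():
        header, counter = _HEADER.match(line), _COUNTER.match(line)
        if header:
            proto = header.group(1)
        elif counter and proto:
            counters[(proto, counter.group(2))] = int(counter.group(1))
    return counters

def counter_deltas(before, after):
    """Return only the counters that changed; a missing counter counts as 0."""
    b, a = parse_counters(before), parse_counters(after)
    diffs = {k: a.get(k, 0) - b.get(k, 0) for k in sorted(set(b) | set(a))}
    return {k: d for k, d in diffs.items() if d}

if __name__ == "__main__":
    for (proto, name), diff in counter_deltas(BEFORE, AFTER).items():
        print(f"{proto:4} {diff:+4d}  {name}")
```

On these snapshots the UDP counters that moved are "with bad checksum" (+1), "delivered" (-1) and "datagrams output" (+1).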