From owner-freebsd-bugs@FreeBSD.ORG Sun Feb 26 03:20:05 2006
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BAF516A420 for ; Sun, 26 Feb 2006 03:20:05 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC71343D48 for ; Sun, 26 Feb 2006 03:20:04 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k1Q3K446035877 for ; Sun, 26 Feb 2006 03:20:04 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k1Q3K4pt035876; Sun, 26 Feb 2006 03:20:04 GMT (envelope-from gnats)
Resent-Date: Sun, 26 Feb 2006 03:20:04 GMT
Resent-Message-Id: <200602260320.k1Q3K4pt035876@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Adam McDougall
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 34E8B16A420 for ; Sun, 26 Feb 2006 03:18:03 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id D9D7643D45 for ; Sun, 26 Feb 2006 03:18:02 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k1Q3I2di007834 for ; Sun, 26 Feb 2006 03:18:02 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id k1Q3I2LB007833; Sun, 26 Feb 2006 03:18:02 GMT (envelope-from nobody)
Message-Id: <200602260318.k1Q3I2LB007833@www.freebsd.org>
Date: Sun, 26 Feb 2006 03:18:02 GMT
From: Adam McDougall
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc:
Subject: kern/93849: pf no-df breaks IP checksum of all tcp traffic through if_bridge
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 26 Feb 2006 03:20:05 -0000

>Number:         93849
>Category:       kern
>Synopsis:       pf no-df breaks IP checksum of all tcp traffic through if_bridge
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 26 03:20:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Adam McDougall
>Release:        FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006
>Organization:
>Environment:
FreeBSD fw1 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006 user@fw1:/usr/obj/usr/src/sys/TYAN_GS12 i386
>Description:
I have set up if_bridge and pf on a server with dual em interfaces running FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006.

rc.conf relevant items (the IPs are just for temporary management from either side of the firewall as needed):

    ifconfig_em0="inet 10.0.0.80 netmask 0xffffff00"
    ifconfig_em0_alias0="inet 35.9.44.100 netmask 0xffffff00"
    ifconfig_em1="inet 10.0.1.80 netmask 0xffffff00"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em0 addm em1 up"

I have narrowed my ruleset down to a simple config for testing:

    ext_if="em0"
    int_if="em1"
    scrub in on $ext_if no-df
    pass in all
    pass out all
    pass quick on lo0

    # pfctl -Rf /etc/pf.conf
    No ALTQ support in kernel
    ALTQ related functions disabled
    # pfctl -sr
    No ALTQ support in kernel
    ALTQ related functions disabled
    scrub in on em0 all no-df fragment reassemble
    pass in all
    pass out all
    pass quick on lo0 all

Whenever I have no-df in the scrub line, the bridging firewall still passes my ssh SYN packet to the host behind the firewall, but the receiving host discards it due to a bad IP checksum (I believe). Using tcpdump on em0 and em1 on the firewall, I see the packet come in with DF set and leave with DF unset; however, the IP checksum is reported bad on the em1 side according to Ethereal. I verified that the IP checksum was unmodified between em0 and em1. I also tried ifconfig -rxcsum -txcsum on both NICs, but no improvement in behavior. Running tcpdump on the receiving host shows the SYN packet, but trying to use -w to save it to a file results in no packets captured. All systems involved are FreeBSD so far, and the symptoms persist going both directions across the bridge. ping still works.

I am trying to get no-df to work because documentation indicates it is needed to pass NFS, which will be a requirement for me. I didn't get very far with attempting to exclude just NFS traffic from being scrubbed, but it seems to me that a firewall munging packets ought to produce ones with valid checksums. Please let me know if I need to provide more information or what else I can do to debug this further.
>How-To-Repeat:
Set up an if_bridge between two interfaces on FreeBSD, add a scrub no-df rule in pf, and witness the resulting TCP packets get dropped by the receiving host kernel.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
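The report's closing point, that a firewall which rewrites an IP header must also emit a valid header checksum, is what the following added example demonstrates. It is not part of the PR and not pf or if_bridge code. It builds a constructed 20-byte IPv4 header for a TCP segment with DF set (addresses, IP ID and length are made up), clears DF the way the reporter observed it on em1 (flag cleared, checksum left untouched, so the receiver's verification fails), and beside that clears DF while folding the change into the checksum incrementally per RFC 1624, then checks the result against a full recompute. Field offsets follow RFC 791; `ip_cksum_ok` stands in for the receiver-side check that drops the packet in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20
#define IP_DF        0x4000u   /* "don't fragment" flag in the flags/offset word */
#define OFF_FLAGS    6         /* byte offset of the flags + fragment-offset word */
#define OFF_CSUM     10        /* byte offset of the header checksum */

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement checksum over the header bytes. Run over a header
 * whose checksum field already holds the right value, the result is 0. */
static uint16_t ip_cksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += get16(hdr + i);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)                       /* end-around carry */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Receiver-side check: a host verifies this before looking at TCP at all. */
int ip_cksum_ok(const uint8_t *hdr) {
    return ip_cksum(hdr, IPV4_HDR_LEN) == 0;
}

/* Full recompute: zero the field, sum the header, store the result. */
void ip_cksum_recompute(uint8_t *hdr) {
    put16(hdr + OFF_CSUM, 0);
    put16(hdr + OFF_CSUM, ip_cksum(hdr, IPV4_HDR_LEN));
}

/* RFC 1624 eq. 3 incremental update for one changed 16-bit word:
 * HC' = ~(~HC + ~m + m'). Safe for the 0x0000/0xffff corner that RFC 1141's
 * subtractive form gets wrong. */
static uint16_t cksum_adjust(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~m_old;
    sum += m_new;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The behaviour the PR describes: DF cleared, checksum left as it came in. */
void clear_df_broken(uint8_t *hdr) {
    put16(hdr + OFF_FLAGS, get16(hdr + OFF_FLAGS) & ~IP_DF);
}

/* What a header-rewriting firewall should do: clear DF and fix the checksum. */
void clear_df_fixed(uint8_t *hdr) {
    uint16_t old = get16(hdr + OFF_FLAGS);
    uint16_t new_ = old & ~IP_DF;
    put16(hdr + OFF_FLAGS, new_);
    put16(hdr + OFF_CSUM, cksum_adjust(get16(hdr + OFF_CSUM), old, new_));
}

int df_set(const uint8_t *hdr) { return (get16(hdr + OFF_FLAGS) & IP_DF) != 0; }

/* Constructed sample (not a capture from the report): IPv4, IHL 5, TCP,
 * DF set, 10.0.0.5 -> 10.0.1.9, total length 60. Checksum is filled in. */
void make_sample_hdr(uint8_t *hdr) {
    static const uint8_t tmpl[IPV4_HDR_LEN] = {
        0x45, 0x00, 0x00, 0x3c,   /* v4, IHL 5, TOS 0, total length 60 */
        0x1a, 0x2b, 0x40, 0x00,   /* id 0x1a2b, flags DF, offset 0 */
        0x40, 0x06, 0x00, 0x00,   /* TTL 64, proto 6 (TCP), csum placeholder */
        0x0a, 0x00, 0x00, 0x05,   /* src 10.0.0.5 */
        0x0a, 0x00, 0x01, 0x09,   /* dst 10.0.1.9 */
    };
    memcpy(hdr, tmpl, IPV4_HDR_LEN);
    ip_cksum_recompute(hdr);
}

int main(void) {
    uint8_t a[IPV4_HDR_LEN], b[IPV4_HDR_LEN];
    make_sample_hdr(a);
    memcpy(b, a, sizeof a);
    clear_df_broken(a);
    clear_df_fixed(b);
    printf("broken: DF=%d checksum %s\n", df_set(a), ip_cksum_ok(a) ? "ok" : "BAD");
    printf("fixed:  DF=%d checksum %s\n", df_set(b), ip_cksum_ok(b) ? "ok" : "BAD");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the first line reports a bad checksum, the second a good one, and the incrementally adjusted value is byte-for-byte what a full recompute produces. When reproducing the report on real hardware, capture with `tcpdump -v` on the inside interface, which flags a wrong IP header checksum, and disable transmit checksum offload on the capturing NIC first (as the reporter did with `ifconfig -txcsum`), otherwise outgoing packets can legitimately show a bad checksum in a local capture that the NIC fixes on the wire.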