From: Ermal Luçi <ermal.luci@gmail.com>
To: Kristof Provost
Cc: freebsd-net, freebsd-pf@freebsd.org
Date: Fri, 12 Jun 2015 13:24:35 -0400
Subject: Re: RFC: Dropping support for scrub fragment crop/drop-ovl
In-Reply-To: <20150612154350.GA3135@vega.codepro.be>

On Fri, Jun 12, 2015 at 11:43 AM, Kristof Provost wrote:
> Hi all,
>
> I've recently been looking at bug 200330. I broke things while adding
> the reassembly support for ipv6 to pf.
>
> Those issues should be fixed now, but having looked at the fragment
> crop/drop-ovl code, I'm starting to think support for those options
> should just be removed.
>
Just go ahead and do that.

> For context: in FreeBSD's pf, scrub rules can specify different ways to
> handle fragments. These are 'reassemble', 'crop' and 'drop-ovl'.
>
> 'reassemble' is the default, and does full reassembly before filtering
> the packet.
>
> 'crop' and 'drop-ovl' do not reassemble. The man page explains it better
> than I can:
>
> >     fragment crop
> >         The default fragment reassembly method is expensive, hence the option
> >         to crop is provided.  In this case, pf(4) will track the fragments
> >         and cache a small range descriptor.  Duplicate fragments are dropped
> >         and overlaps are cropped.  Thus data will only occur once on the wire
> >         with ambiguities resolving to the first occurrence.  Unlike the
> >         fragment reassemble modifier, fragments are not buffered, they are
> >         passed as soon as they are received.  The fragment crop reassembly
> >         mechanism does not yet work with NAT.
> >
> >     fragment drop-ovl
> >         This option is similar to the fragment crop modifier except that all
> >         overlapping or duplicate fragments will be dropped, and all further
> >         corresponding fragments will be dropped as well.
>
> Basically, these options don't reassemble. That also implies that you
> get the choice between having your firewall drop fragmented packets, or
> allowing potentially unwanted packets through because they're
> fragmented.
>
> That's not explicitly mentioned in the man page and I suspect many
> users don't realise this and are thus led to make choices with
> unintended consequences.
>
> All of this applies only to IPv4. I never implemented support for
> crop/drop-ovl in the IPv6 reassembly code. On IPv4 any scrub is
> 'fragment reassembly'.
> The OpenBSD people removed crop/drop-ovl back in 2009.
>
> Removing crop/drop-ovl would also remove around 450 lines of fairly
> hairy pf code.
>
> We'd just default to fragment reassemble, even if crop or drop-ovl is
> specified. That'd mean a behaviour change, but it'll likely actually
> make many firewall configurations behave better rather than break
> things.
>
> In summary, unless someone comes forward to say they're using crop or
> drop-ovl, support for them is going to go away.
>
> Regards,
> Kristof

--
Ermal
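As an added illustration of the two non-reassembling modes the quoted man page text describes (this is a toy model written for this page, not pf's code and not from the thread), the Python below runs constructed overlapping fragments through a crop-style and a drop-ovl-style tracker; the datagram ids, offsets and payloads are made up, and neither mode buffers, which is exactly why the filter never sees the datagram as a whole.

```python
class FragmentScrubber:
    """Toy model of pf's non-reassembling scrub modes as the quoted man page
    text describes them (an illustration, not pf's own code).
    crop     : duplicates dropped, overlapping bytes trimmed, first occurrence wins
    drop-ovl : first duplicate or overlap is dropped, as is every later fragment
               of that datagram"""

    def __init__(self, mode):
        assert mode in ("crop", "drop-ovl")
        self.mode = mode
        self.seen = {}         # datagram id -> {byte offset: byte on the wire}
        self.poisoned = set()  # datagram ids killed by drop-ovl

    def handle(self, dgid, off, data):
        """Return the (offset, bytes) pieces forwarded at once for one fragment."""
        if dgid in self.poisoned:
            return []
        seen = self.seen.setdefault(dgid, {})
        new = [(o, data[o - off:o - off + 1])
               for o in range(off, off + len(data)) if o not in seen]
        if len(new) < len(data):                   # duplicate or overlap
            if self.mode == "drop-ovl":
                self.poisoned.add(dgid)
                return []
            if not new:                            # exact duplicate: drop
                return []
        seen.update(new)                           # first occurrence wins
        pieces, start, buf = [], new[0][0], b""    # coalesce contiguous runs
        for o, b in new:
            if buf and o != start + len(buf):
                pieces.append((start, buf))
                start, buf = o, b""
            buf += b
        pieces.append((start, buf))
        return pieces


def wire_bytes(mode, fragments):
    """Feed constructed (dgid, offset, payload) fragments through one mode and
    return, per datagram, the bytes that reached the wire in offset order."""
    s, out = FragmentScrubber(mode), {}
    for dgid, off, data in fragments:
        for o, piece in s.handle(dgid, off, data):
            out.setdefault(dgid, {})[o] = piece
    return {d: b"".join(v for _, v in sorted(p.items())) for d, p in out.items()}


# Constructed sample: fragment 2 overlaps bytes 2-3 of fragment 1 with different
# content, the overlap ambiguity that crop resolves to the first occurrence.
SAMPLE = [(1, 0, b"AAAA"), (1, 2, b"BBBB"), (1, 6, b"CC")]
```

Running wire_bytes over SAMPLE in both modes shows crop forwarding AAAABBCC (the B bytes at offsets 2-3 are trimmed) while drop-ovl lets only the first fragment through and then drops the rest, so the receiver never completes that datagram.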