From owner-freebsd-net@FreeBSD.ORG Tue Feb 10 08:48:20 2015
Date: Tue, 10 Feb 2015 08:48:18 +0000
From: "kristof (Kristof Provost)"
To: freebsd-net@freebsd.org
Subject: [Differential] [Commented On] D1815: Evaluate packet size after the firewall had its chance
List-Id: Networking and TCP/IP with FreeBSD
kristof added a comment.

In D1815#3, @ae wrote:

> Since you are in ip6_forward(), this means ip6_input() has already checked this packet and PFIL had a chance to handle this packet.
> An IPv6 router should not reassemble fragmented packets and then fragment them again, but if you want, I think your packet filter should track these fragments on input.

The defragmentation is done on the input side. When fragmented packets arrive we queue them up inside pf (telling the network stack we dropped them) on the input side. Once we've got a complete packet we can perform the actual filtering (which has to be done on the full packet, or the firewall could be bypassed by fragmenting packets). At that point we have an oversized packet which somehow has to be sent out again. As netpfil doesn't have a way to tell the network stack "Here are a bunch of packets", the only way I can see is to call ip6_forward().

> How did you test this patch?

The actual defragmentation was tested by generating packets with scapy. The forwarding path mostly by having a VM forward packets. The patch set is also running on my (dual stack, VIMAGE enabled) gateway.

REVISION DETAIL
https://reviews.freebsd.org/D1815

To: kristof
Cc: ae, freebsd-net
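As an added illustration (not code from the D1815 patch or from pf itself), a Python model of the input-side flow the comment describes: fragments are queued and reported as dropped, the rule is evaluated only on the reassembled packet, and the oversized result is re-fragmented to the outgoing MTU as the ip6_forward() step would do. The 4-byte transport header layout, the blocked-port rule, the addresses and the reuse of the original identification on output are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of an IPv6 fragment: only the fields reassembly needs.
@dataclass(frozen=True)
class Frag:
    src: str
    dst: str
    ident: int      # Fragment header identification
    offset: int     # byte offset of this piece within the original payload
    more: bool      # "more fragments" flag
    data: bytes

BLOCKED_DST_PORT = 23  # constructed rule: block this destination port

Queue = Dict[Tuple[str, str, int], List[Frag]]

def reassemble(queue: Queue, frag: Frag) -> Optional[bytes]:
    """Input side: queue the fragment (stack is told it was dropped);
    return the full payload only once every piece is present and contiguous."""
    key = (frag.src, frag.dst, frag.ident)
    pieces = queue.setdefault(key, [])
    pieces.append(frag)
    pieces.sort(key=lambda f: f.offset)
    expected, done = 0, False
    for f in pieces:
        if f.offset != expected:
            return None          # hole in the sequence: keep waiting
        expected += len(f.data)
        done = not f.more
    if not done:
        return None              # last piece has not arrived yet
    del queue[key]
    return b"".join(f.data for f in pieces)

def passes_filter(payload: bytes) -> bool:
    """Filter the complete packet; the transport header (src port, dst port)
    occupies the first 4 bytes in this constructed layout."""
    dst_port = int.from_bytes(payload[2:4], "big")
    return dst_port != BLOCKED_DST_PORT

def forward(payload: bytes, mtu: int, src: str, dst: str, ident: int) -> List[Frag]:
    """Re-fragment the oversized packet for the outgoing link (the ip6_forward() step)."""
    return [Frag(src, dst, ident, off, off + mtu < len(payload), payload[off:off + mtu])
            for off in range(0, len(payload), mtu)]

def process(queue: Queue, frag: Frag, mtu: int):
    """Returns "queued", "blocked", or the list of fragments handed to the output path."""
    payload = reassemble(queue, frag)
    if payload is None:
        return "queued"
    if not passes_filter(payload):
        return "blocked"
    return forward(payload, mtu, frag.src, frag.dst, frag.ident)
```

Because the decision is taken on the reassembled payload, the order in which fragments arrive does not matter, and a non-first fragment is never forwarded on its own.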