Date: Tue, 10 Feb 2015 14:26:52 +0100
From: Andre Albsmeier
To: Lev Serebryakov
Subject: Re: Problems with IP fragments
Cc: Andre Albsmeier, Matthew Seaman, Freddie Cash, freebsd-net

On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote:
> On 10.02.2015 00:21, Andre Albsmeier wrote:
>
> > The ipfw man page says:
> >
> >   Usually a simple rule like:
> >
> >     # reassemble incoming fragments
> >     ipfw add reass all from any to any in
> >
> >   is all you need at the beginning of your ruleset.
> >
> > However, I could never make this work. It eats all fragments but
> > the resulting final packet never makes it. I am back to
> >
> >   ipfw -q add 1 pass udp from any to $myip frag in recv $ifc
> >
> > as I need it only for UDP. Frag reassembly in pf works well on the
> > other hand...
> reass works for me, but kills all IPv6 packets, so it should be "reass
> ip4 from any to any in [recv $iface]"

Hmm, I tried again with ipv4 but this doesn't help (I don't
use v6 anyway here). But it seems to work as soon as I switch
off layer2 filtering. Normally I use net.link.ether.ipfw=1 (and, yes,
I have the appropriate arp rules installed). As soon as I switch
this to off, reassembly works. However, I have no idea why the
reass code messes around with layer2...

	-Andre

>
>
> --
> // Lev Serebryakov AKA Black Lion

--
"FreeBSD has always been the operating system that GNU/Linux-based
operating systems should have been." - Frank Pohlmann, IBM