From: Dmitry Banschikov
Date: Tue, 28 Jun 2011 19:31:34 +0400
To: freebsd-net@freebsd.org
Subject: Re: udp checksum implementation error in FreeBSD 7.2?

On 28.06.2011 13:48, Benoit Panizzon wrote:
> Hi
>
> We are running a DHCP Server on a FreeBSD 7.2-RELEASE-p4 box.
>
> This works for most of our customers, except ones with some kind of SonicWall
> Firewalls. We have analyzed the problem with the sonicwall tech support:
>
> We found the problem being in the sonicwall setting a UDP checksum of 0x0000
> for DHCP Requests.
>
> According to the RFC this is a valid value and tells the receiving UDP stack
> not to check the checksum:
>
> http://www.faqs.org/rfcs/rfc768.html
>
> If the value is different from 0x0000 the receiving UDP stack can perform a
> checksum check and if this fails, silently drop that packet.
>
> What we observe is:
>
> DHCP Request with UDP checksum set => Packet reaches DHCP Daemon and is being
> answered.
> DHCP Request with UDP checksum 0x0000 => ICMP Port Unreachable from FreeBSD.
>
> Can someone confirm this non RFC conform behaviour and knows how to fix it?
>
> As I understand, setting net.inet.udp.checksum to zero would not fix the
> problem, as this is only for packet generation.

DHCP (isc-dhcp) uses the bpf(4) device for reading and writing DHCP packets.
Since the bpf(4) device provides raw access to Ethernet frames, UDP checksum
calculation must take place in the DHCP server code. You could use
ktrace(1) if you want to make sure that an ICMP packet is generated by
the DHCP server.

Also, you have said that the ICMP error message is port unreachable; that
means that there is no UDP socket listening on port 67. Can you check
whether dhcp-server listens on UDP port 67 and that there are no firewall
rules which forbid UDP packets to port 67?

-- 
Dmitry Banschikov
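The reply above notes that a daemon reading frames through bpf(4) has to handle the UDP checksum in its own code. The following is an added example of such a check, treating 0x0000 as "no checksum" per RFC 768; it is not part of the original message and not isc-dhcp's code. The function and type names are hypothetical, the input is assumed to start at the IPv4 header, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum udp_csum { UDP_CSUM_NONE, UDP_CSUM_OK, UDP_CSUM_BAD, UDP_CSUM_MALFORMED };

/* Add len bytes to a running one's-complement sum as big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    if (len)                        /* odd trailing byte is padded with zero */
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* ip: start of the IPv4 header (link-layer header already stripped);
 * len: bytes captured from there. The IP header checksum is not checked. */
enum udp_csum udp_csum_check(const uint8_t *ip, size_t len)
{
    if (len < 20 || (ip[0] >> 4) != 4)
        return UDP_CSUM_MALFORMED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || ip[9] != 17)  /* 17 = UDP */
        return UDP_CSUM_MALFORMED;
    const uint8_t *udp = ip + ihl;
    size_t ulen = (size_t)udp[4] << 8 | udp[5];
    if (ulen < 8 || ulen > len - ihl)              /* length must fit the capture */
        return UDP_CSUM_MALFORMED;
    if (udp[6] == 0 && udp[7] == 0)                /* RFC 768: no checksum computed */
        return UDP_CSUM_NONE;
    uint32_t acc = sum16(ip + 12, 8, 0);           /* pseudo-header: src, dst address */
    acc += 17 + (uint32_t)ulen;                    /* pseudo-header: protocol, length */
    acc = sum16(udp, ulen, acc);                   /* UDP header (with checksum), data */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc == 0xffff ? UDP_CSUM_OK : UDP_CSUM_BAD;
}

/* Constructed sample: 0.0.0.0:68 -> 255.255.255.255:67, 2 payload bytes,
 * UDP checksum 0xfe52. */
const uint8_t sample_pkt[30] = {
    0x45, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x44, 0x00, 0x43, 0x00, 0x0a, 0xfe, 0x52, 0x01, 0x01,
};

int main(void)
{
    return udp_csum_check(sample_pkt, sizeof sample_pkt) == UDP_CSUM_OK ? 0 : 1;
}
```

A caller would accept `UDP_CSUM_OK` and `UDP_CSUM_NONE` and drop the other two results; a sender whose computed checksum comes out as zero transmits 0xffff instead, which this check also accepts.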