Date:      Wed, 11 Feb 2015 04:33:15 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Andre Albsmeier <andre@fbsd.ata.myota.org>
Cc:        Freddie Cash <fjwcash@gmail.com>, Lev Serebryakov <lev@freebsd.org>, Matthew Seaman <m.seaman@infracaninophile.co.uk>, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Problems with IP fragments
Message-ID:  <20150211035919.B38620@sola.nimnet.asn.au>
In-Reply-To: <20150210132652.GA3398@schlappy>
References:  <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org> <CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A@mail.gmail.com> <20150209212131.GA32613@schlappy> <54D9E233.1010702@FreeBSD.org> <20150210132652.GA3398@schlappy>

On Tue, 10 Feb 2015 14:26:52 +0100, Andre Albsmeier wrote:
 > On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote:
 > > On 10.02.2015 00:21, Andre Albsmeier wrote:
 > > 
 > > > The ipfw man page says:
 > > > 
 > > > Usually a simple rule like:
 > > > 
 > > > # reassemble incoming fragments
 > > > ipfw add reass all from any to any in
 > > > 
 > > > is all you need at the beginning of your ruleset.
 > > > 
 > > > However, I could never make this work. It eats all fragments but 
 > > > the resulting final packet never makes it. I am back to
 > > > 
 > > > ipfw -q add 1 pass udp from any to $myip frag in recv $ifc

This has worked fine for me for spamhaus.org DNS packets - often with 2 
or 3 frags - for years before reass came along.

 > > > as I need it only for UDP. Frag reassembly in pf works well on the
 > > > other hand...

 > > reass works for me, but kills all IPv6 packets, so it should be "reass
 > > ip4 from any to any in [recv $iface]"

Some enterprising young developer could add code to catch with a warning 
attempts to send ip6 to reass (as yet, anyway) and also to divert (natd) 
sockets for sure, maybe kernel nat too?, netgraph?, tee? or any others 
that can't (as yet) deal with ip6?

Otherwise it relies on thickening ipfw(8) with don't-do-thats and/or 
relying on folklore (such as this :) passed down through the lists ..

 > Hmm, I tried again with ipv4 but this doesn't help (I don't use v6
 > anyway here). But it seems to work as soon as I switch off layer2
 > filtering. Normally I use net.link.ether.ipfw=1 (and, yes, I have
 > the appropriate arp rules installed). As soon as I switch this to
 > off, reassembly works. However, I have no idea why the reass code
 > messes around with layer2...

Perhaps you asked it to? :)  reass is clearly only useful for ip layer3, 
so did you have rules such as those examples in ipfw(8) /PACKET FLOW to 
distinguish layer2 from layer3 processing paths?

cheers, Ian
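One way to lay out a ruleset along the lines Ian is pointing at, written here as an added example rather than anything posted in the thread: the layer2 pass gets its own rules ahead of the reass rule, so reass only ever sees IPv4 packets on the layer3 pass. The interface name, the address and the fwcmd dry-run variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset that keeps the layer2
# pass (net.link.ether.ipfw=1) separate from the layer3 pass, so that "reass"
# only ever sees IPv4 packets coming from ip_input, never ethernet frames.
# Assumptions: $ifc is the external interface, $myip its address; fwcmd
# defaults to echo (dry run) and is set to "/sbin/ipfw -q" to apply for real.
fwcmd="${fwcmd:-echo}"
ifc="${ifc:-em0}"
myip="${myip:-192.0.2.10}"   # constructed documentation address

build_rules() {
    ${fwcmd} -f flush

    # Layer2 pass (ether_demux/ether_output): frame-level decisions only.
    # Every frame allowed here is presented again on the layer3 pass below,
    # so no layer2 rule needs (or should get) an IP-level action like reass.
    ${fwcmd} add 100 allow all from any to any layer2 mac-type arp
    ${fwcmd} add 110 allow all from any to any layer2

    # Layer3 pass (ip_input/ip_output). "ip4" because reass drops IPv6 packets,
    # as noted above. Reassembly happens once, here, before any other IP rule.
    ${fwcmd} add 200 reass ip4 from any to any in recv "${ifc}"

    # From here on inbound IPv4 is seen as whole packets, so ordinary rules
    # match fragmented DNS replies without a separate "frag" rule.
    ${fwcmd} add 300 allow udp from any 53 to "${myip}" in recv "${ifc}"
    ${fwcmd} add 65000 deny log ip from any to any in recv "${ifc}"
}

build_rules
```

Run it as-is to print the rules, or with `fwcmd="/sbin/ipfw -q"` to load them.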