Date:      Tue, 10 Feb 2015 19:34:20 +0100
From:      Andre Albsmeier <andre@fbsd.ata.myota.org>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        Andre Albsmeier <andre@fbsd.ata.myota.org>, Freddie Cash <fjwcash@gmail.com>, Lev Serebryakov <lev@freebsd.org>, Matthew Seaman <m.seaman@infracaninophile.co.uk>, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Problems with IP fragments
Message-ID:  <20150210183420.GA12325@schlappy>
In-Reply-To: <20150211035919.B38620@sola.nimnet.asn.au>
References:  <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org> <CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A@mail.gmail.com> <20150209212131.GA32613@schlappy> <54D9E233.1010702@FreeBSD.org> <20150210132652.GA3398@schlappy> <20150211035919.B38620@sola.nimnet.asn.au>

On Wed, 11-Feb-2015 at 04:33:15 +1100, Ian Smith wrote:
> On Tue, 10 Feb 2015 14:26:52 +0100, Andre Albsmeier wrote:
>  > On Tue, 10-Feb-2015 at 13:49:23 +0300, Lev Serebryakov wrote:
>  > > On 10.02.2015 00:21, Andre Albsmeier wrote:
>  > > 
>  > > > The ipfw man page says:
>  > > > 
>  > > > Usually a simple rule like:
>  > > > 
>  > > > # reassemble incoming fragments
>  > > > ipfw add reass all from any to any in
>  > > > 
>  > > > is all you need at the beginning of your ruleset.
>  > > > 
>  > > > However, I could never make this work. It eats all fragments but 
>  > > > the resulting final packet never makes it. I am back to
>  > > > 
>  > > > ipfw -q add 1 pass udp from any to $myip frag in recv $ifc
> 
> This has worked fine for me for spamhaus.org DNS packets - often with 2 
> or 3 frags - for years before reass came along.

Yes, it works here as well.

> 
>  > > > as I need it only for UDP. Frag reassembly in pf works well on the
>  > > > other hand...
> 
> ...
> 
>  > Hmm, I tried again with ipv4 but this doesn't help (I don't use v6
>  > anyway here). But it seems to work as soon as I switch off layer2
>  > filtering. Normally I use net.link.ether.ipfw=1 (and, yes, I have
>  > the appropriate arp rules installed). As soon as I switch this to
>  > off, reassembly works. However, I have no idea why the reass code
>  > messes around with layer2...
> 
> Perhaps you asked it to? :)  reass is clearly only useful for ip layer3, 
> so did you have rules such as those examples in ipfw(8) /PACKET FLOW to 
> distinguish layer2 from layer3 processing paths?

Well, I thought so ;-) But after reading this part again, it might be that
I explicitly have to enable passing of ip(v4) packets in layer2 (so they
can be processed in ip_input() later on).

Currently I have these rules (with 10.0.0.217 being my IP):

# loopback
00100   allow ip from any to any via lo0

# arp traffic
00200   allow ip from any to any layer2 mac-type 0x0806

# dynamic rules for return stuff
00300   check-state

# reassemble
00400   reass ip4 from any to any in

# let all out and create state
00500   allow ip4 from 10.0.0.217 to any out keep-state

# log remaining layer2 stuff
00600   deny log ip from any to any layer2

# log remaining ip stuff
00700   deny log ip from any to any

# default deny rule
65535   deny ip from any to any

These work for all of my ssh/http/... and (udp based) openvpn stuff as well
as DNS (but not things like dig +dnssec www.freebsd.org @72.52.71.1).

Now when I add a rule

00350 allow ip4 from any to any layer2

the above dig command works. But why is this needed just for the fragments
and not for the "normal" v4 packets coming back from traffic which passed
through 500 (including all state processing)?

And if the fragments are really getting stopped at ether_demux(), why don't
they get logged with rule 600?

OK, these questions may sound dumb but I am far from an experienced ipfw
user as I use pf on all other machines ;-).

	-Andre



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150210183420.GA12325>