Date:      Tue, 11 Apr 2006 09:03:48 -0400
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        Max Laier <max@love2party.net>, Andrew Thompson <thompsa@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID:  <20060411130348.GV14961@egr.msu.edu>
In-Reply-To: <20060405130645.GB5683@insomnia.benzedrine.cx>
References:  <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net> <20060405130645.GB5683@insomnia.benzedrine.cx>


On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:

  On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
  
  > The other big problem that just crossed my mind:  Reassembly in the bridge 
  > path!?  It doesn't look like the current bridge code on either OS is ready to 
  > deal with packets > MTU coming out of the filter.  The question here is 
  > probably how much IP processing we want to do in the bridge code?
  
  OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
  ip_fragment() so it could be called from there, and not too much code
  had to be duplicated.
  
          if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
                  bridge_fragment(sc, dst_if, &eh, m);
          else {
                  ...
                  bridge_ifenqueue(sc, dst_if, m);
                  ...
          }
  
    bridge_fragment()
  
          error = ip_fragment(m, ifp, ifp->if_mtu);
          if (error) {
                  m = NULL;
                  goto dropit;
          }
  
          for (; m; m = m0) {
                  m0 = m->m_nextpkt;
                  m->m_nextpkt = NULL;
                  ...
                  error = bridge_ifenqueue(sc, ifp, m);
                  ...
          }
  
  That's one more layer violation in bridge, but stateful filtering
  basically requires fragment reassembly, at least in general.
  
  Daniel


Would it be possible to get bridge reassembly and even a quick and 
dirty patch to fix up the checksum on every packet into FreeBSD soon?

I have 4 firewalls to deploy this summer, the simplest and smallest one
first, which would benefit from these fixes but could probably get away
without them.  For my largest one I would prefer to use fragment
reassembly to improve the accuracy of my ruleset, but I can't risk a
jumbo packet wedging my firewalls, and of course bad checksum packets
are useless.  Using pf in routing mode is undesirable for my situations.
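The two problems this thread circles around, the header checksum going stale once reassembly rewrites the length and offset fields, and a bridge having to re-fragment a reassembled packet that no longer fits the outgoing MTU (the ip_fragment() loop Daniel quotes), can both be shown on plain byte arrays. The program below is an added illustration written for this archive page; it is not code from OpenBSD, FreeBSD or pf, and it works on flat buffers rather than mbufs. It assumes an IPv4 header with no options, fragments that arrive in order and do not overlap, and a constructed 3000-byte UDP payload standing in for an oversized NFS READDIR reply. The reassembly routine takes a flag so the stale-checksum failure mode can be reproduced next to the fixed version.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_HLEN    20      /* header without options (assumed throughout) */
#define IP_DF      0x4000
#define IP_MF      0x2000
#define IP_OFFMASK 0x1fff

struct pkt { uint8_t *data; size_t len; };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement checksum; it folds to 0 over a header whose field is correct. */
static uint16_t ip_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += get16(p + i);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Every rewrite of length, flags or offset must be followed by this. */
static void ip_fix_cksum(uint8_t *h) { put16(h + 10, 0); put16(h + 10, ip_cksum(h, IP_HLEN)); }
int ip_cksum_ok(const uint8_t *h) { return ip_cksum(h, IP_HLEN) == 0; }

/* Split a datagram longer than mtu into fragments, as a bridge must do after the
 * filter hands it a reassembled packet. Returns the fragment count, 0 if DF is set. */
size_t ip_fragment(const uint8_t *pkt, size_t len, size_t mtu, struct pkt *out, size_t max_out)
{
    uint16_t off_field = get16(pkt + 6);
    if (off_field & IP_DF) return 0;                      /* would need an ICMP "frag needed" */
    size_t payload = len - IP_HLEN, chunk = (mtu - IP_HLEN) & ~(size_t)7, n = 0;
    for (size_t off = 0; off < payload && n < max_out; off += chunk, n++) {
        size_t plen = payload - off < chunk ? payload - off : chunk;
        uint8_t *f = malloc(IP_HLEN + plen);
        if (!f) break;
        memcpy(f, pkt, IP_HLEN);
        memcpy(f + IP_HLEN, pkt + IP_HLEN + off, plen);
        put16(f + 2, (uint16_t)(IP_HLEN + plen));
        uint16_t flags = off_field & IP_MF;               /* an original MF survives on the last piece */
        uint16_t fo = (uint16_t)((off_field & IP_OFFMASK) + off / 8); /* offset counts 8-byte units */
        if (off + plen < payload) flags |= IP_MF;
        put16(f + 6, (uint16_t)(flags | (fo & IP_OFFMASK)));
        ip_fix_cksum(f);                                  /* new length/offset => new checksum */
        out[n].data = f; out[n].len = IP_HLEN + plen;
    }
    return n;
}

/* Reassemble in-order fragments into one datagram. With fix_cksum == 0 the checksum
 * copied from the first fragment is kept although length and offset were rewritten,
 * which is the bad-checksum symptom this thread is about. */
size_t ip_reassemble(const struct pkt *fr, size_t n, int fix_cksum, uint8_t *out, size_t max_out)
{
    size_t len = IP_HLEN;
    for (size_t i = 0; i < n; i++) len += fr[i].len - IP_HLEN;
    if (n == 0 || len > max_out || len > 65535) return 0;
    memcpy(out, fr[0].data, IP_HLEN);
    for (size_t i = 0, pos = IP_HLEN; i < n; pos += fr[i].len - IP_HLEN, i++)
        memcpy(out + pos, fr[i].data + IP_HLEN, fr[i].len - IP_HLEN);
    put16(out + 2, (uint16_t)len);
    put16(out + 6, (uint16_t)(get16(out + 6) & ~(IP_MF | IP_OFFMASK)));  /* keep DF only */
    if (fix_cksum) ip_fix_cksum(out);
    return len;
}

/* Constructed sample: a 3000-byte UDP payload behind a plain IPv4 header, a stand-in
 * for an NFS READDIR reply larger than a 1500-byte MTU (not a capture). */
#define SAMPLE_PAYLOAD 3000
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, IP_HLEN + SAMPLE_PAYLOAD);
    buf[0] = 0x45; buf[8] = 64; buf[9] = 17;            /* IPv4/IHL 5, TTL 64, UDP */
    put16(buf + 2, IP_HLEN + SAMPLE_PAYLOAD);
    put16(buf + 4, 0x1234);                              /* identification */
    memcpy(buf + 12, "\xc0\xa8\x01\x0a\xc0\xa8\x01\x14", 8); /* 192.168.1.10 -> 192.168.1.20 */
    for (size_t i = 0; i < SAMPLE_PAYLOAD; i++) buf[IP_HLEN + i] = (uint8_t)i;
    ip_fix_cksum(buf);
    return IP_HLEN + SAMPLE_PAYLOAD;
}

int main(void)
{
    static uint8_t pkt[IP_HLEN + SAMPLE_PAYLOAD], back[IP_HLEN + SAMPLE_PAYLOAD];
    struct pkt fr[8];
    size_t n = ip_fragment(pkt, build_sample(pkt), 1500, fr, 8);
    printf("%zu fragments:", n);
    for (size_t i = 0; i < n; i++)
        printf(" len=%zu off=0x%04x ok=%d", fr[i].len, get16(fr[i].data + 6), ip_cksum_ok(fr[i].data));
    ip_reassemble(fr, n, 0, back, sizeof back);
    printf("\nreassembled, stale checksum kept:  ok=%d\n", ip_cksum_ok(back));
    ip_reassemble(fr, n, 1, back, sizeof back);
    printf("reassembled, checksum recomputed:  ok=%d\n", ip_cksum_ok(back));
    for (size_t i = 0; i < n; i++) free(fr[i].data);
    return 0;
}
```

With a 1500-byte MTU the sample splits into 1480 + 1480 + 40 payload bytes (offsets 0, 185 and 370 in 8-byte units, MF set on the first two), each fragment carrying its own recomputed checksum; reassembling them without the final ip_fix_cksum() call yields exactly the kind of packet the subject line describes, a correct payload behind a header that fails verification. On a real bridge the DF case also needs an ICMP "fragmentation needed" reply rather than a silent drop, and the kernel ip_fragment() additionally copies only the option bytes flagged for copy into non-first fragments.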