Date: Mon, 29 Jan 2001 10:59:26 +0200
From: Ruslan Ermilov
To: Alwyn Goodloe
Cc: net@FreeBSD.ORG, Archie Cobbs
Subject: Re: ipfw message
Message-ID: <20010129105926.B27558@sunbay.com>
In-Reply-To: ; from agoodloe@gradient.cis.upenn.edu on Sat, Jan 27, 2001 at 10:45:26PM -0500

[Redirected to -net]

On Sat, Jan 27, 2001 at 10:45:26PM -0500, Alwyn Goodloe wrote:
> This is my last fragmentation question I swear :-)
>
> When diverting udp packets which are larger than MTU(1500) ipfw seems to
> divert the first and reject the second.
> Here is tcpdump of the packets:
>
> 23:41:05.670408 192.168.1.3.1128 > 192.168.5.12.3322: udp 1474 (frag 4127:1480@0+)
> 23:41:05.670420 192.168.1.3 > 192.168.5.12: (frag 4127:2@1480)
>
> Below is the log from ipfw.
>
> Jan 26 23:40:56 richmond /kernel: ipfw: 60000 Divert 4422 UDP 192.168.1.3:1128 192.168.5.12:3322 in via xl0
> Jan 26 23:40:56 richmond /kernel: ipfw: -1 Refuse UDP 192.168.1.3 192.168.5.12 in via xl0 Fragment = 185
>
> Now I know that ipfw will drop tcp packets of length 1 or something like that.
> What's going on here?
>
> Well if anyone can let me in on the meaning of the rejection message it
> would be helpful.

Does the problem you experience have something similar with the below?

I think I have found a bug here. When the ``divert foo ... udp ...'' rule
has no destination port specification, everything works as documented,
i.e. all fragments are reassembled and get diverted to the divert(4) port
``foo''. If I add the destination port specification, only the first
(offset zero) fragment gets diverted:

1) ``open'' type firewall with ``divert'' rules without port spec:

00002 divert 2345 log udp from 194.220.45.65 to 194.220.45.115
00002 deny log ip from any to any frag
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any

Jan 29 10:51:28 perl /kernel: ipfw: 2 Divert 2345 UDP 194.220.45.65:2212 194.220.45.115:2222 in via rl0
Jan 29 10:51:28 perl /kernel: ipfw: 2 Divert 2345 UDP 194.220.45.65 194.220.45.115 in via rl0 Fragment = 185

2) the same as above except with port spec:

00002 divert 2345 log udp from 194.220.45.65 to 194.220.45.115 2222
00002 deny log ip from any to any frag
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any

Jan 29 10:53:08 perl /kernel: ipfw: 2 Divert 2345 UDP 194.220.45.65:2303 194.220.45.115:2222 in via rl0
Jan 29 10:53:08 perl /kernel: ipfw: 2 Deny UDP 194.220.45.65 194.220.45.115 in via rl0 Fragment = 185

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
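The following is an added example, not code from the thread or from ipfw itself. It models, in a deliberately simplified first-match walk, why a divert rule with a destination port spec catches the first fragment but not the continuation (a non-first fragment carries no UDP header, so there is no port to compare, and the packet falls through to the `deny ... frag` rule), and it scans ipfw log lines of the format shown above for that symptom: a Divert followed by a Deny/Refuse with `Fragment = N` for the same source/destination pair. The packets are constructed (offset 185 = 1480/8 matches the log lines), the rule sets are the two from the mail with the lo0 and 127.0.0.0/8 rules left out, and the sample log lines are the two from the second test.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example; a simplified model of ipfw's first-match rule walk, not ipfw code.


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int             # 8-byte units, as printed by ipfw; 0 = first fragment
    sport: Optional[int] = None  # only the first fragment carries the UDP header,
    dport: Optional[int] = None  # so later fragments have no port numbers at all


@dataclass
class Rule:
    number: int
    action: str                  # "divert", "deny" or "allow"
    proto: str                   # "udp" or "ip" (ip matches any protocol)
    src: str                     # address or "any"
    dst: str
    dport: Optional[int] = None  # destination port spec, if the rule has one
    frag: bool = False           # "frag" keyword: match non-first fragments only


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must agree with the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.frag and pkt.frag_offset == 0:
        return False
    if rule.dport is not None:
        # No transport header in a non-first fragment: a port spec can never match it.
        if pkt.dport is None or pkt.dport != rule.dport:
            return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first matching rule, like ipfw's rule walk."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


# The two rule sets from the mail (lo0 and 127.0.0.0/8 rules omitted).
RULES_NO_PORT = [
    Rule(2, "divert", "udp", "194.220.45.65", "194.220.45.115"),
    Rule(2, "deny", "ip", "any", "any", frag=True),
    Rule(65000, "allow", "ip", "any", "any"),
]
RULES_WITH_PORT = [
    Rule(2, "divert", "udp", "194.220.45.65", "194.220.45.115", dport=2222),
    Rule(2, "deny", "ip", "any", "any", frag=True),
    Rule(65000, "allow", "ip", "any", "any"),
]

# Constructed packets: 1480-byte first fragment and its continuation at 1480/8 = 185.
FIRST_FRAG = Packet("udp", "194.220.45.65", "194.220.45.115", 0, 2303, 2222)
SECOND_FRAG = Packet("udp", "194.220.45.65", "194.220.45.115", 185)

# Parses the ipfw log format shown in the thread; the syslog prefix is skipped.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+)(?: (?P<arg>\d+))? (?P<proto>\w+) "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? (?P<dst>[0-9.]+)(?::(?P<dport>\d+))? "
    r"(?:in|out) via (?P<iface>\w+)(?: Fragment = (?P<frag>\d+))?"
)


def find_split_fragment_flows(lines):
    """Flag src/dst pairs whose first fragment was diverted but a later one denied."""
    diverted = set()
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["proto"], m["src"], m["dst"])
        if m["action"] == "Divert":
            diverted.add(key)
        elif m["action"] in ("Deny", "Refuse") and m["frag"] and key in diverted:
            hits.append((m["src"], m["dst"], int(m["frag"])))
    return hits


# Log lines copied from the second test in the mail.
SAMPLE_LOG = [
    "Jan 29 10:53:08 perl /kernel: ipfw: 2 Divert 2345 UDP 194.220.45.65:2303 194.220.45.115:2222 in via rl0",
    "Jan 29 10:53:08 perl /kernel: ipfw: 2 Deny UDP 194.220.45.65 194.220.45.115 in via rl0 Fragment = 185",
]

if __name__ == "__main__":
    for name, rules in (("no port spec", RULES_NO_PORT), ("with port spec", RULES_WITH_PORT)):
        for pkt in (FIRST_FRAG, SECOND_FRAG):
            hit = first_match(rules, pkt)
            print(f"{name}: offset {pkt.frag_offset:3d} -> rule {hit.number} {hit.action}")
    print(find_split_fragment_flows(SAMPLE_LOG))
```

Run against a real ipfw log, `find_split_fragment_flows` gives a quick way to confirm whether the drops a site is seeing are this port-spec/fragment interaction rather than something else; the fix on the rule side is to divert (or at least allow) non-first fragments before any port-specific rule, as the first rule set in the mail does.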