From: Matthieu Michaud
To: Daniel Hartmeier
Cc: pf@freebsd.org
Date: Wed, 12 Apr 2006 00:56:20 +0200
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?

On Tue, 2006-04-04 at 16:57 +0200, Daniel Hartmeier wrote:
> It begins to look like OpenBSD does fix IP checksums on bridges outside
> of pf, while FreeBSD doesn't.
>
> The weird thing is that I haven't found where exactly this happens. It's
> kind of a layer violation for bridge code to do that, but maybe it's
> somewhere else along the code path.
>
> Instead of adding checksum fixup code again, I think it's better to take
> a step back and find out why the checksums are correct on OpenBSD. The
> previous fixes assumed the checksums would be wrong on OpenBSD as well,
> but they related to pf actions more subtle than basic fragment
> reassembly.

i noticed an nfs freeze which might be related to the same issue.

the setup is: one bridge with four interfaces (dc driver) + clients and servers on dc1 and dc2. bridge, client and server are running 6.0-RELEASE-p6 with pf. dc0 is my external interface where i apply filtering. pf does not filter on three others (set skip {dc1, dc2, dc3}).

ls -R /mnt from client to server on the same interface works well. but if it goes through different interfaces it freezes after a few entries. i changed the transport protocol from udp to tcp and it fixed it. can it be related to udp handling?

i have another question out of this topic. i read on openbsd pf's faq that filtering on only one interface is highly recommended. can you give me more information about that?

-- 
Matthieu Michaud
EPITA SRS 2007 - Adaptive Hacking