From owner-freebsd-net@FreeBSD.ORG Fri Jun 8 15:36:35 2012
Message-ID: <4FD21BFF.4080803@my.gd>
Date: Fri, 08 Jun 2012 17:36:31 +0200
From: Damien Fleuriot
To: freebsd-net@freebsd.org
In-Reply-To: <4FD213DA.8050300@aliceblue.jp>
Subject: Re: PF "scrub reassemble tcp" makes a packet with invalid TCP checksum depending on the situation
List-Id: Networking and TCP/IP with FreeBSD

On 6/8/12 5:01 PM, Kazuaki ODA wrote:
> Hi all,
>
> Recently I received an e-mail from our customer that he could not browse
> our web site. I thought that was strange at first because we and most
> people could browse without problems, but he could not...umm, why?
>
> After some investigation I've found that our web server ignores the SYN
> packet he sent because it has an invalid TCP checksum, and his original
> packet has a correct checksum but it is broken after passing our
> firewall using the PF packet filter on 7.4-RELEASE. And furthermore, I've
> noticed that such an invalid packet is made when the original packet has a TCP
> timestamp option and the option does not start at a 16-bit word boundary,
> like a packet that has TCP options .
>
> After all, disabling the "scrub reassemble tcp" rule resolved this problem.
> But I have some questions:
>
> Is this a bug in the PF code, or does the original packet violate the RFC? As far as I
> know, the last TCP option must end at a 32-bit boundary, but there is no
> restriction on each option's position, order, etc. So I think this
> is a bug. Correct?
>
> How many systems in the world create such a SYN packet? I think
> that many OSes add NOP options before the timestamp option to adjust the
> starting position, but the one our customer has does not. Unfortunately
> I cannot get information from him about his network environment...
>
> --
> Kazuaki ODA

Oh god, that font...

Anyway,

Reporting that we experience a problem that looks very much the same here on, at least, 8.1-RELEASE and 8.2-RELEASE.
Unconfirmed on 8.3-RELEASE and 8-STABLE as we have not tested.

We've also had to disable tcp reassembly in scrubbing as it incorrectly caused packets to be dropped.
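The failure the thread describes, worked through as an added example that is not part of the thread and not pf's code: a constructed SYN is built twice, once with a Linux-style option order that puts the timestamp option at an even offset and once with a constructed order (MSS, window scale, timestamps, no padding NOP) that puts it at an odd offset. The TSval is then rewritten in place, as pf.conf(5) describes reassemble tcp's timestamp modulation doing, and the checksum is patched incrementally. The corruption mechanism modelled here, an incremental fixup that treats the 4-byte field as two aligned 16-bit words whatever its real byte offset, is an assumption: the thread reports the symptom, not pf's internals. Addresses, ports, the original TSval and the offset added to it are constructed.

```python
# Added example (not code from the thread or from pf): rewrite the TCP
# timestamp option (TSval) in place and patch the checksum incrementally,
# once for a SYN whose timestamp option is 16-bit aligned and once for one
# where it is not.  Addresses, ports, option layouts and the timestamp
# offset are constructed for the demo.
import struct

SRC_IP = bytes([192, 0, 2, 10])      # constructed (TEST-NET-1)
DST_IP = bytes([198, 51, 100, 20])   # constructed (TEST-NET-2)
TSVAL = 0x11223344                   # constructed original TSval

def words(data: bytes) -> list:
    # 16-bit big-endian words; an odd trailing byte is padded with 0 (RFC 1071)
    if len(data) % 2:
        data += b"\x00"
    return [(data[i] << 8) | data[i + 1] for i in range(0, len(data), 2)]

def fold(s: int) -> int:
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    # IPv4 pseudo-header + segment with the checksum field zeroed
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~fold(sum(words(pseudo + zeroed)))) & 0xFFFF

def checksum_valid(src: bytes, dst: bytes, segment: bytes) -> bool:
    return tcp_checksum(src, dst, segment) == struct.unpack("!H", segment[16:18])[0]

def cksum_fixup(cksum: int, old: int, new: int) -> int:
    # RFC 1624 eq. 3, one 16-bit word changing old -> new: HC' = ~(~HC + ~m + m')
    return (~fold((~cksum & 0xFFFF) + (~old & 0xFFFF) + new)) & 0xFFFF

def build_syn(options: bytes) -> bytes:
    # 20-byte header, options padded with EOL to a 32-bit boundary, valid checksum
    opts = options + b"\x00" * ((-len(options)) % 4)
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]

def find_tsval_offset(segment: bytes) -> int:
    # Walk the option list; return the segment offset of TSval (kind 8, len 10)
    # or -1 if absent or the list is malformed.
    doff, i = (segment[12] >> 4) * 4, 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP has no length byte
            i += 1
            continue
        if i + 1 >= doff or segment[i + 1] < 2 or i + segment[i + 1] > doff:
            break                           # truncated or bogus length
        if kind == 8 and segment[i + 1] == 10:
            return i + 2
        i += segment[i + 1]
    return -1

def patch_tsval(segment: bytes, off: int, new_tsval: int, span_aware: bool) -> bytes:
    # Overwrite the 4-byte TSval at `off` and patch the checksum incrementally.
    # span_aware=False: delta from the field as two aligned words, whatever its
    # offset (the assumed buggy behaviour).  span_aware=True: delta over the
    # aligned words the field really overlaps (three of them when `off` is odd).
    seg = bytearray(segment)
    cksum = struct.unpack("!H", seg[16:18])[0]
    lo, hi = (off & ~1, (off + 5) & ~1) if span_aware else (off, off + 4)
    old_w = words(bytes(seg[lo:hi]))
    seg[off:off + 4] = struct.pack("!I", new_tsval)
    new_w = words(bytes(seg[lo:hi]))
    for o, n in zip(old_w, new_w):
        cksum = cksum_fixup(cksum, o, n)
    seg[16:18] = struct.pack("!H", cksum)
    return bytes(seg)

MSS, WS, SACK_OK, NOP = struct.pack("!BBH", 2, 4, 1460), bytes([3, 3, 7]), bytes([4, 2]), b"\x01"
TS = struct.pack("!BBII", 8, 10, TSVAL, 0)          # kind 8, len 10, TSval, TSecr
# Linux-style order MSS, SACK-permitted, TS, NOP, WS: TSval at segment offset 28.
OPTS_ALIGNED = MSS + SACK_OK + TS + NOP + WS
# Constructed order MSS, WS, TS with no padding NOP: TSval at segment offset 29.
OPTS_ODD = MSS + WS + TS

def demo() -> dict:
    valid = lambda seg: checksum_valid(SRC_IP, DST_IP, seg)
    out = {}
    for name, opts in (("aligned", OPTS_ALIGNED), ("odd", OPTS_ODD)):
        syn = build_syn(opts)
        off = find_tsval_offset(syn)
        new_tsval = (TSVAL + 0x01020304) & 0xFFFFFFFF   # constructed per-state offset
        out[name] = {
            "tsval_offset": off,
            "original_valid": valid(syn),
            "naive_fixup_valid": valid(patch_tsval(syn, off, new_tsval, False)),
            "span_aware_fixup_valid": valid(patch_tsval(syn, off, new_tsval, True)),
        }
    return out

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

For the aligned layout both fixups leave a valid checksum; for the odd layout the word-aligned fixup leaves an invalid one, because the bytes of the field sit in the low half of one word and the high half of the next, so the delta it adds is the byte-swapped version of the real one. In this model the two deltas coincide only for particular byte patterns of the old and new timestamp, which would make the corruption intermittent rather than constant. The span-aware variant shows one correct approach: compute the delta over the 16-bit words the field actually overlaps, or simply recompute the checksum over the whole segment after rewriting.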