From owner-freebsd-net@FreeBSD.ORG Sun Nov 9 20:16:01 2014
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 16DE7CE1; Sun, 9 Nov 2014 20:16:01 +0000 (UTC)
Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.codepro.be", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id CB9DB69BD6; Sun, 9 Nov 2014 20:16:00 +0000 (UTC)
Received: from vega.codepro.be (unknown [172.16.1.3]) by venus.codepro.be (Postfix) with ESMTP id 8C3BEE3E6; Sun, 9 Nov 2014 21:15:57 +0100 (CET)
Received: by vega.codepro.be (Postfix, from userid 1001) id 87E082071C; Sun, 9 Nov 2014 21:15:57 +0100 (CET)
Date: Sun, 9 Nov 2014 21:15:57 +0100
From: Kristof Provost
To: Ilya Bakulin , Jim Thompson
Subject: Re: Checksumming outgoing packets in PF vs in ip[6]_output
Message-ID: <20141109201557.GH2044@vega.codepro.be>
References: <1415210423.3394438.187470637.21CD8D3D@webmail.messagingengine.com> <9355b23f1a07008eca61f16ebd828d0b@mail.bakulin.de> <20141107133101.GF2044@vega.codepro.be> <545F6C8F.6010700@bakulin.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <545F6C8F.6010700@bakulin.de>
X-PGP-Fingerprint: E114 D9EA 909E D469 8F57 17A5 7D15 91C6 9EFA F286
X-Checked-By-NSA: Probably
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: freebsd-net@freebsd.org, Mark Felder
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sun, 09 Nov 2014 20:16:01 -0000

On 2014-11-09 14:30:55 (+0100), Ilya Bakulin wrote:
> On 07.11.14, 14:31, Kristof Provost wrote:
> > I've been playing with it too. I have a patch which seems to be working,
> > but it currently drops the distinction between PFRULE_FRAGCROP and
> > PFRULE_FRAGDROP. OpenBSD dropped that a while ago, but I figured FreeBSD
> > wouldn't want user-visible changes.
> >
> > I've been meaning to look at that some more but ... ENOTIME.
> > It's tentatively planned as a project for Chaos Congress (end of
> > December), but no promises.
> >
> > If you like I can probably dig up the (non-clean) patches for you.
> >
> Yes, please do it, would be interesting to look at your code!
>
You can find the patch series here:
http://www.sigsegv.be/files/pf_inet6_frag.tar
and everything in one big patch here:
http://www.sigsegv.be/files/pf_inet6_frag.patch

It's not cleaned up yet, or even extensively tested. Basically the only
testing that's been done is setting up a pf config to drop all traffic
except icmp echo requests, and then sending out fragmented icmp echo
requests. Without the patch those get dropped, with the patch they make it
through the firewall.

I've done some quick flood ping testing, so I'm reasonably confident it
doesn't leak mbufs.

I started from the OpenBSD work, and imported and adjusted their inet6
defragmentation patches.

Regards,
Kristof
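The test Kristof describes (a default-deny pf ruleset that passes only ICMPv6 echo requests, probed with fragmented echo requests) comes down to where the ICMPv6 header is visible: only the first fragment carries it, so a rule keyed on the ICMPv6 type cannot match the later fragments unless the firewall reassembles first. The following C program is an added example to illustrate that mechanism; it is not code from the patch, from OpenBSD or from pf. It builds a constructed fragmented ICMPv6 echo request, classifies each fragment the way a stateless `icmp6-type echoreq` rule would, and then reassembles the fragments and classifies the result. Addresses, the fragment id, the payload and all helper names are constructed for the example, and the ICMPv6 checksum is left at zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not part of the pf patch or of pf itself. */
#define IPV6_HLEN          40
#define IPV6_NH_FRAG       44   /* Fragment extension header */
#define IPV6_NH_ICMP6      58
#define ICMP6_ECHO_REQUEST 128

enum verdict { MATCH_ECHOREQ = 0, NO_L4_HEADER = 1, NO_MATCH = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Build one IPv6 fragment: base header, fragment header, `dlen` bytes of data.
 * off8 is the fragment offset in 8-byte units, `more` the M flag. Returns length. */
static size_t build_frag(uint8_t *out, uint8_t inner_nh, uint16_t off8, int more,
                         uint32_t id, const uint8_t *data, size_t dlen)
{
    memset(out, 0, IPV6_HLEN);
    out[0] = 0x60;                           /* version 6 */
    wr16(out + 4, (uint16_t)(8 + dlen));     /* payload length counts the fragment header */
    out[6] = IPV6_NH_FRAG;
    out[7] = 64;                             /* hop limit */
    out[8 + 15] = 1; out[24 + 15] = 2;       /* constructed addresses ::1 -> ::2 */
    uint8_t *fh = out + IPV6_HLEN;
    fh[0] = inner_nh; fh[1] = 0;
    wr16(fh + 2, (uint16_t)((off8 << 3) | (more ? 1 : 0)));
    fh[4] = (uint8_t)(id >> 24); fh[5] = (uint8_t)(id >> 16);
    fh[6] = (uint8_t)(id >> 8);  fh[7] = (uint8_t)id;
    memcpy(fh + 8, data, dlen);
    return IPV6_HLEN + 8 + dlen;
}

/* What a stateless "pass inet6 proto icmp6 icmp6-type echoreq" rule can see in one packet. */
enum verdict classify(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HLEN || (pkt[0] >> 4) != 6) return NO_MATCH;
    uint8_t nh = pkt[6];
    size_t off = IPV6_HLEN;
    if (nh == IPV6_NH_FRAG) {
        if (len < off + 8) return NO_MATCH;
        uint16_t frag_off = rd16(pkt + off + 2) >> 3;
        nh = pkt[off];
        off += 8;
        if (frag_off != 0) return NO_L4_HEADER;  /* non-first fragment: no ICMPv6 header to inspect */
    }
    if (nh != IPV6_NH_ICMP6 || len < off + 8) return NO_MATCH;
    return pkt[off] == ICMP6_ECHO_REQUEST ? MATCH_ECHOREQ : NO_MATCH;
}

/* Reassemble in-order fragments of one id into `out`, dropping the fragment header.
 * Refuses gaps, overlaps and bad sizes. Returns the reassembled length or 0. */
size_t reassemble(const uint8_t *const *frags, const size_t *lens, size_t n,
                  uint8_t *out, size_t outcap)
{
    uint32_t id = 0; uint8_t inner_nh = 0; int seen_last = 0; size_t expect = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = frags[i]; size_t len = lens[i];
        if (len < IPV6_HLEN + 8 || p[6] != IPV6_NH_FRAG) return 0;
        const uint8_t *fh = p + IPV6_HLEN;
        uint32_t fid = ((uint32_t)fh[4] << 24) | ((uint32_t)fh[5] << 16) |
                       ((uint32_t)fh[6] << 8) | fh[7];
        size_t foff = (size_t)(rd16(fh + 2) >> 3) * 8;
        int more = rd16(fh + 2) & 1;
        size_t dlen = len - IPV6_HLEN - 8;
        if (i == 0) { id = fid; inner_nh = fh[0]; memcpy(out, p, IPV6_HLEN); }
        else if (fid != id) return 0;
        if (foff != expect) return 0;            /* gap or overlap: refuse */
        if (more && (dlen % 8) != 0) return 0;   /* all but the last piece must be 8-byte multiples */
        if (IPV6_HLEN + foff + dlen > outcap) return 0;
        memcpy(out + IPV6_HLEN + foff, fh + 8, dlen);
        expect = foff + dlen;
        if (!more) seen_last = 1;
    }
    if (!seen_last) return 0;
    out[6] = inner_nh;
    wr16(out + 4, (uint16_t)expect);
    return IPV6_HLEN + expect;
}

/* Constructed scenario: a 32-byte ICMPv6 echo request split 16 + 16 into two fragments.
 * Fills v[0..2] with the verdicts for fragment 1, fragment 2 and the reassembled packet;
 * returns the reassembled length, -1 on reassembly failure, -2 on payload mismatch. */
int run_demo(enum verdict v[3])
{
    uint8_t echo[32] = { ICMP6_ECHO_REQUEST, 0, 0, 0, 0x12, 0x34, 0, 1 }; /* type, code, cksum(0), id, seq */
    for (int i = 8; i < 32; i++) echo[i] = (uint8_t)i;
    uint8_t f1[128], f2[128], full[128];
    size_t l1 = build_frag(f1, IPV6_NH_ICMP6, 0, 1, 0xdeadbeef, echo, 16);
    size_t l2 = build_frag(f2, IPV6_NH_ICMP6, 2, 0, 0xdeadbeef, echo + 16, 16);
    const uint8_t *frags[2] = { f1, f2 }; size_t lens[2] = { l1, l2 };
    size_t lf = reassemble(frags, lens, 2, full, sizeof full);
    if (lf == 0) return -1;
    if (memcmp(full + IPV6_HLEN, echo, sizeof echo) != 0) return -2;
    v[0] = classify(f1, l1); v[1] = classify(f2, l2); v[2] = classify(full, lf);
    return (int)lf;
}

int demo_len(void) { enum verdict v[3]; return run_demo(v); }
int demo_verdict(int which) { enum verdict v[3]; if (run_demo(v) < 0 || which < 0 || which > 2) return -1; return (int)v[which]; }

int main(void)
{
    static const char *names[] = { "MATCH_ECHOREQ", "NO_L4_HEADER", "NO_MATCH" };
    enum verdict v[3];
    int n = run_demo(v);
    printf("reassembled %d bytes\n", n);
    printf("fragment 1: %s\nfragment 2: %s\nreassembled: %s\n", names[v[0]], names[v[1]], names[v[2]]);
    return n > 0 ? 0 : 1;
}
```

The second fragment comes back as NO_L4_HEADER: under a default-deny ruleset that is the drop Kristof observed without the patch, and it is why pf has to reassemble (or at least track the first fragment's state) before a type-based rule can be applied to the later pieces. The reassembly here is deliberately strict about ordering and overlap; a real implementation also needs per-id timers and a memory bound so an attacker cannot pin mbufs with incomplete fragment sets.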