From: Pyun YongHyeon
To: Adam McDougall
Cc: Andrew Thompson, freebsd-pf@freebsd.org
Date: Tue, 9 May 2006 08:33:57 +0900
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID: <20060508233357.GA6572@cdnetworks.co.kr>
In-Reply-To: <20060508154929.GS30200@egr.msu.edu>
Reply-To: pyunyh@gmail.com
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:
> On Sun, Apr 16, 2006 at 05:30:23PM +1200, Andrew Thompson wrote:
>
> On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
> > On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> >
> > > The other big problem that just crossed my mind: Reassembly in the bridge
> > > path!? It doesn't look like the current bridge code on either OS is ready to
> > > deal with packets > MTU coming out of the filter. The question here is
> > > probably how much IP processing we want to do in the bridge code?
> >
> > OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> > ip_fragment() so it could be called from there, and not too much code
> > had to be duplicated.
> >
>
> Here is a patch that adds fragmenting, largely based on what's in
> OpenBSD. I didn't bring over bridge_send_icmp_err() as we can only get a
> large packet to fragment by reassembling a previous fragment, checking
> for DF and sending an icmp doesn't apply to us.
>

As you can get jumbo frames (which is a common feature for modern GigE)
you should be prepared to fragment the frame. Because you may get
the first ethernet member's MTU for bridge(4) there is still a chance
to get other sized MTU which could be larger than the first ethernet
member's MTU.
Personally I believe OpenBSD's bridge_send_icmp_err() or equivalent
is needed for FreeBSD too.

> Can I get a review, esp. the traversal of the mbufs.
>
>
> cheers,
> Andrew
>
>
> I should have a chance to test this support this week, thanks for working
> on it. Could someone possibly produce a patch to force if_bridge to
> recalculate the checksum on every packet so I can test that as well?
> To me, the extra load on the firewall is less important than breaking
> packets I am trying to pass.

--
Regards,
Pyun YongHyeon
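
As an added illustration of the reply above (not code from this thread, FreeBSD or OpenBSD): a user-space C routine that splits an oversized IPv4 datagram for a smaller egress MTU, recomputes each fragment's header checksum, and reports the DF case where an ICMP error would be needed instead. The names frag_for_mtu and ip_cksum are hypothetical, and a 20-byte header without IP options is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP_DF 0x4000 /* don't fragment */
#define IP_MF 0x2000 /* more fragments */
#define HLEN  20     /* assumption: IPv4 header without options */
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, unsigned v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 checksum; returns 0 when run over a header whose checksum is valid. */
uint16_t ip_cksum(const uint8_t *h) {
    uint32_t sum = 0;
    for (int i = 0; i < HLEN; i += 2) sum += get16(h + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns the fragment count; -1 when DF forbids fragmenting (the ICMP error
 * case from the thread); -2 on unsupported or malformed input. */
int frag_for_mtu(const uint8_t *pkt, size_t len, size_t mtu,
                 uint8_t *out, size_t cap, size_t *flen, int maxf) {
    if (len < HLEN || pkt[0] != 0x45 || (size_t)get16(pkt + 2) != len || mtu < HLEN + 8)
        return -2;
    unsigned ff = get16(pkt + 6);                   /* flags + fragment offset */
    if ((ff & 0x1fff) * 8u + (len - HLEN) > 65535) return -2;
    if (len > mtu && (ff & IP_DF)) return -1;
    size_t payload = len - HLEN, done = 0, used = 0;
    size_t chunk = len <= mtu ? payload : ((mtu - HLEN) & ~(size_t)7);
    int n = 0;
    do {
        size_t part = payload - done < chunk ? payload - done : chunk;
        if (n >= maxf || used + HLEN + part > cap) return -2;
        uint8_t *f = out + used;
        memcpy(f, pkt, HLEN);                       /* each fragment gets the header */
        memcpy(f + HLEN, pkt + HLEN + done, part);
        put16(f + 2, (unsigned)(HLEN + part));      /* new total length */
        unsigned more = (done + part < payload || (ff & IP_MF)) ? IP_MF : 0;
        put16(f + 6, (ff & (IP_DF | 0x1fff)) + (unsigned)(done / 8) + more);
        put16(f + 10, 0); put16(f + 10, ip_cksum(f)); /* zero, then recompute */
        flen[n++] = HLEN + part; used += HLEN + part; done += part;
    } while (done < payload);
    return n;
}

int main(void) { /* constructed sample: reassembled 3020-byte datagram, MTU 1500 */
    static uint8_t pkt[3020] = { 0x45, 0, 3020 >> 8, 3020 & 0xff }, out[4096];
    size_t flen[8];
    printf("%d fragments\n", frag_for_mtu(pkt, sizeof pkt, 1500, out, sizeof out, flen, 8));
    return 0;
}
```

A fragment whose header was rewritten but whose checksum was not recomputed fails the ip_cksum(...) == 0 check, which is the symptom named in the subject line.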