From: Hugo Koji Kobayashi
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Mon, 4 Jun 2007 16:44:30 -0300
Subject: Re: udp fragmentation
Message-ID: <20070604194430.GD21681@registro.br>
In-Reply-To: <200706021704.53787.max@love2party.net>
References: <20070528224225.GC40678@registro.br> <200705301002.04911.max@love2party.net> <20070531134923.GH39552@registro.br> <200706021704.53787.max@love2party.net>

Hi Max,

pf is running on the DNS client machine. The DNS server is on a completely
different network (I don't control this server).

The client can send the udp request with no problem (it's a small udp
datagram; less than 512 bytes), the server sends the udp response
fragmented, but the client can't receive it.

Please find attached a new test with the requested information.

Regards,
Hugo

On Sat, Jun 02, 2007 at 05:04:52PM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Thursday 31 May 2007, Hugo Koji Kobayashi wrote:
> > Please find attached the tests results after enabling extended
> > logging.
> >
> > I've done the test twice, changing dig's "+bufsize" parameter.
>
> looking at your log file, it seems that the packet traverses pf alright:
>
> > ---- Console begin
> > pf_normalize_ip: reass frag 11881 @ 0-1480
> > pf_normalize_ip: reass frag 11881 @ 1480-2960
> > pf_normalize_ip: reass frag 11881 @ 2960-4094
> > pf_reassemble: 4094 < 4094?
> > pf_reassemble: complete: 0xc4338000(4114)
> > ---- Console end
> >
> > fbsd7# date ; pfctl -si
> > Tue May  8 04:15:24 BRT 2007
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > Status: Enabled for 0 days 00:05:27             Debug: Misc
> >
> > Hostid: 0xfd3ea603
> >
> > State Table                          Total             Rate
> >   current entries                        3
> >   searches                             405            1.2/s
> >   inserts                               40            0.1/s
> >   removals                              37            0.1/s
> > Counters
> >   match                                 40            0.1/s
> >   bad-offset                             0            0.0/s
> >   fragment                               0            0.0/s
> >   short                                  0            0.0/s
> >   normalize                              0            0.0/s
> >   memory                                 0            0.0/s
> >   bad-timestamp                          0            0.0/s
> >   congestion                             0            0.0/s
> >   ip-option                              0            0.0/s
> >   proto-cksum                            0            0.0/s
> >   state-mismatch                         0            0.0/s
> >   state-insert                           0            0.0/s
> >   state-limit                            0            0.0/s
> >   src-limit                              0            0.0/s
> >   synproxy                               0            0.0/s
>
> So the culprit should be somewhere up the stack. i.e. FreeBSD chokes on
> the already reassembled packet. Could you also provide netstat -ssp udp
> and netstat -ssp ip from before and after your test to get an idea where
> the packet is lost? To make sure I understand your setup correctly: pf
> is running on the DNS server i.e. the destination address of the datagram
> is a local address?
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: pf-edns0-tests-2.txt (text/plain)]

fbsd7# date ; pfctl -si
Tue May  8 07:59:57 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:01             Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                             975            0.6/s
  inserts                               42            0.0/s
  removals                              37            0.0/s
Counters
  match                                 42            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# date ; pfctl -xm
Tue May  8 08:00:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

fbsd7# date ; pfctl -si
Tue May  8 08:00:03 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:07             Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                             989            0.7/s
  inserts                               42            0.0/s
  removals                              37            0.0/s
Counters
  match                                 42            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# date; netstat -ssp udp
Tue May  8 08:00:06 BRT 2007
udp:
        36 datagrams received
        2 with bad checksum
        34 delivered
        40 datagrams output

fbsd7# date; netstat -ssp ip
Tue May  8 08:00:09 BRT 2007
ip:
        521 total packets received
        514 packets for this host
        489 packets sent from this host

fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

---- Console begin
pf_normalize_ip: reass frag 43470 @ 0-1480
pf_normalize_ip: reass frag 43470 @ 1480-2960
pf_normalize_ip: reass frag 43470 @ 2960-4094
pf_reassemble: 4096 < 4096?
pf_reassemble: complete: 0x433bb00(4116)
---- Console end

fbsd7# date; netstat -ssp udp
Tue May  8 08:00:19 BRT 2007
udp:
        36 datagrams received
        3 with bad checksum
        33 delivered
        41 datagrams output

fbsd7# date; netstat -ssp ip
Tue May  8 08:00:24 BRT 2007
ip:
        533 total packets received
        523 packets for this host
        501 packets sent from this host

fbsd7# date ; pfctl -si
Tue May  8 08:00:27 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:25:31             Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                            1031            0.7/s
  inserts                               43            0.0/s
  removals                              38            0.0/s
Counters
  match                                 43            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
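The diagnostic procedure in this thread has two parts: read the pf debug lines to confirm that the fragments were contiguous and that the reassembled size matches, then diff the netstat -ssp counters from before and after the test to see which counter moved. The script below is an added example, not code from the thread or from FreeBSD: it parses pf's "reass frag" and "complete" lines, checks fragment contiguity and the reported total (pf's figure includes the 20-byte IPv4 header, which is an assumption made by the script), and diffs two netstat -ssp udp snapshots. The embedded sample input is copied from the quoted console output and attachment above; the gap case in the usage section is constructed.

```python
import re

# Sample input copied from the thread (first test run, ip id 11881) and the
# netstat -ssp udp snapshots from the attached pf-edns0-tests-2.txt.
PF_CONSOLE = """\
pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: 4094 < 4094?
pf_reassemble: complete: 0xc4338000(4114)
"""

NETSTAT_UDP_BEFORE = """\
udp:
        36 datagrams received
        2 with bad checksum
        34 delivered
        40 datagrams output
"""

NETSTAT_UDP_AFTER = """\
udp:
        36 datagrams received
        3 with bad checksum
        33 delivered
        41 datagrams output
"""

# Assumption: pf's "complete: 0x...(N)" figure counts the IPv4 header too,
# so the payload reassembled from the fragments should be N - 20.
IPV4_HDR_LEN = 20

FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
COMPLETE_RE = re.compile(r"pf_reassemble: complete: 0x[0-9a-fA-F]+\((\d+)\)")
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def check_reassembly(console_text):
    """Parse pf debug output for one reassembled datagram.

    Returns a dict with the ip id, the payload length implied by the last
    fragment, whether the fragments cover 0..end without gaps or overlaps,
    and whether pf's reported complete size agrees with that payload length.
    """
    frags = []
    ip_id = None
    complete_len = None
    for line in console_text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            ip_id, start, end = (int(x) for x in m.groups())
            frags.append((start, end))
            continue
        m = COMPLETE_RE.search(line)
        if m:
            complete_len = int(m.group(1))

    frags.sort()
    contiguous = bool(frags) and frags[0][0] == 0
    for (_, prev_end), (start, _) in zip(frags, frags[1:]):
        if start != prev_end:          # a gap or an overlap between fragments
            contiguous = False
    payload_len = frags[-1][1] if frags else 0
    complete_ok = complete_len is not None and \
        complete_len - IPV4_HDR_LEN == payload_len
    return {"ip_id": ip_id, "payload_len": payload_len,
            "contiguous": contiguous, "complete_ok": complete_ok}


def parse_netstat(text):
    """Turn 'N description' lines of netstat -s output into {description: N}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def diff_counters(before, after):
    """Return only the counters whose value changed, as after - before."""
    return {name: value - before.get(name, 0)
            for name, value in after.items()
            if value != before.get(name, 0)}


if __name__ == "__main__":
    print(check_reassembly(PF_CONSOLE))
    # Constructed gap case: the middle fragment never arrived.
    print(check_reassembly(PF_CONSOLE.replace(
        "pf_normalize_ip: reass frag 11881 @ 1480-2960\n", "")))
    print(diff_counters(parse_netstat(NETSTAT_UDP_BEFORE),
                        parse_netstat(NETSTAT_UDP_AFTER)))
```

Run against the attachment's numbers, the counter diff shows "with bad checksum" going up by one and "delivered" going down by one across the single test, which is the kind of movement Max asked for to locate where the reassembled datagram is being dropped above pf.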