Date: Tue, 13 Nov 2007 04:00:50 +0100
From: Max Laier <max@love2party.net>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: Dag-Erling Smørgrav <des@des.no>, freebsd-net@freebsd.org
Subject: Re: pf misfeature
Message-ID: <200711130401.02049.max@love2party.net>
In-Reply-To: <20071112153318.GE28276@insomnia.benzedrine.cx>
References: <86zlxoblmj.fsf@ds4.des.no> <200711090059.54990.max@love2party.net> <20071112153318.GE28276@insomnia.benzedrine.cx>
On Monday 12 November 2007, Daniel Hartmeier wrote:
> On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:
> > Daniel, do you spot anything strange with these skip steps (or
> > otherwise)?
>
> The problem is the lack of IP reassembly in this configuration.
>
> In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is
> skipped.

Ah, I missed that one. Wouldn't it make sense to conditionalize these
tests on the protocol? The attached can probably be optimized, but you
get the general idea.

It seems wrong that an explicit udp-rule behaves differently than an
implied one.

> Generally, stateful filtering _requires_ IP reassembly. As long as no
> fragmentation occurs, it works even without reassembly. I suspect your
> UDP NFS traffic is fragmented.
>
> Try adding
>
> scrub in on $if all fragment reassemble
>
> at the top.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: pf.cond-frag-check.diff

Index: pf.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.50
diff -u -r1.50 pf.c
--- pf.c	28 Oct 2007 17:12:46 -0000	1.50
+++ pf.c	13 Nov 2007 02:58:31 -0000
@@ -4560,9 +4560,17 @@ r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->tos && !(r->tos == pd->tos)) r = TAILQ_NEXT(r, entries); - else if (r->src.port_op || r->dst.port_op || - r->flagset || r->type || r->code || - r->os_fingerprint != PF_OSFP_ANY) + else if (r->os_fingerprint != PF_OSFP_ANY) + r = TAILQ_NEXT(r, entries); + else if (pd->proto == IPPROTO_UDP && + (r->src.port_op || r->dst.port_op)) + r = TAILQ_NEXT(r, entries); + else if (pd->proto == IPPROTO_TCP && + (r->src.port_op || r->dst.port_op || r->flagset)) + r = TAILQ_NEXT(r, entries); + else if ((pd->proto == IPPROTO_ICMP || + pd->proto == IPPROTO_ICMPV6) && + (r->type || r->code)) r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries);
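Review bot: the skip test changes from "skip any rule that needs a transport-header field, whatever the protocol" to a per-protocol test, and the new chain has no fallback branch: a packet whose pd->proto is none of UDP, TCP, ICMP or ICMPv6 now falls straight through to the `r->prob` check even if the rule carries port_op, flagset, type or code, where the removed `-` lines would have skipped it. That is only safe if pfctl never installs those fields on a rule for another protocol; a short comment above the chain stating that assumption would make the intent (a UDP or ICMP fragment should no longer be rejected by a rule whose only unmatchable field is the implicit "flags S/SA") clear to the next reader. Style: the four new branches share the identical body `r = TAILQ_NEXT(r, entries);`; computing one boolean (protocol-appropriate "needs an L4 header the fragment does not have") and keeping a single `else if` would be shorter and would make it harder to miss a protocol when another field is added later.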
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711130401.02049.max>