From owner-freebsd-net@FreeBSD.ORG Tue Nov 13 03:01:30 2007
From: Max Laier
Organization: FreeBSD
To: Daniel Hartmeier
Cc: Dag-Erling Smørgrav, freebsd-net@freebsd.org
Date: Tue, 13 Nov 2007 04:00:50 +0100
Subject: Re: pf misfeature
Message-Id: <200711130401.02049.max@love2party.net>
In-Reply-To: <20071112153318.GE28276@insomnia.benzedrine.cx>
References: <86zlxoblmj.fsf@ds4.des.no> <200711090059.54990.max@love2party.net> <20071112153318.GE28276@insomnia.benzedrine.cx>

On Monday 12 November 2007, Daniel Hartmeier wrote:
> On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:
> > Daniel, do you spot anything strange with these skip steps (or
> > otherwise)?
>
> The problem is the lack of IP reassembly in this configuration.
>
> In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is
> skipped.

Ah, I missed that one.
Wouldn't it make sense to conditionalize these
tests on the protocol? The attached can probably be optimized, but you
get the general idea.

It seems wrong that an explicit udp-rule behaves differently than an
implied one.

> Generally, stateful filtering _requires_ IP reassembly. As long as no
> fragmentation occurs, it works even without reassembly. I suspect your
> UDP NFS traffic is fragmented.
>
> Try adding
>
>   scrub in on $if all fragment reassemble
>
> at the top.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: pf.cond-frag-check.diff

Index: pf.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.50
diff -u -r1.50 pf.c
--- pf.c	28 Oct 2007 17:12:46 -0000	1.50
+++ pf.c	13 Nov 2007 02:58:31 -0000
@@ -4560,9 +4560,17 @@ r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->tos && !(r->tos == pd->tos)) r = TAILQ_NEXT(r, entries); - else if (r->src.port_op || r->dst.port_op || - r->flagset || r->type || r->code || - r->os_fingerprint != PF_OSFP_ANY) + else if (r->os_fingerprint != PF_OSFP_ANY) + r = TAILQ_NEXT(r, entries); + else if (pd->proto == IPPROTO_UDP && + (r->src.port_op || r->dst.port_op)) + r = TAILQ_NEXT(r, entries); + else if (pd->proto == IPPROTO_TCP && + (r->src.port_op || r->dst.port_op || r->flagset)) + r = TAILQ_NEXT(r, entries); + else if ((pd->proto == IPPROTO_ICMP || + pd->proto == IPPROTO_ICMPV6) && + (r->type || r->code)) r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries);
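Review bot: the protocol-conditional skip chain widens what a fragment can match, and that widening is not limited to the UDP case the mail is after. The removed three-line condition skipped any rule carrying port operators, flags, ICMP type/code or an OS fingerprint for every fragment; after the change, a fragment whose pd->proto is none of IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP or IPPROTO_ICMPV6 falls through all four new branches, so a rule with `r->src.port_op || r->dst.port_op`, `r->flagset` or `r->type || r->code` now matches it on address and tos alone. Likewise a rule with `flags` matches a UDP or ICMP fragment, and a rule with `type`/`code` matches a TCP or UDP fragment. If that is the intended reading (the rule could never have evaluated those fields for that protocol, so it should behave like a rule without them, matching the "explicit udp-rule vs. implied one" argument in the mail), a one-line comment above the chain stating it would save the next reader from treating it as an accidental loosening of fragment filtering. On style, the four branches each end in the same `r = TAILQ_NEXT(r, entries);` and could be folded into one condition, as the mail itself concedes.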