Date: Sat, 31 Aug 2019 22:42:59 +0200
From: László Károlyi <laszlo@karolyi.hu>
To: freebsd-bugs@freebsd.org
Subject: PF and IPv6 UDP fragmented packets
Message-ID: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu>
Hey,

I've installed unbound into a jail to use it as a nameserver. After setting up PF to allow UDP fragments to the jail's IPv6 address, I still saw PF dropping the UDP fragment packages arriving to and from my jail.

According to the pf.conf readme, the IP header of the fragmented packets still contains the protocol type (TCP/UDP), but not the port number. I hope it's not a documentation bug.

Here are the pflog dump lines, showing what packages were dropped:

22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494:  [|udp]
22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (1232|224)
22:23:30.401494 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 14204:  [|udp]
22:23:30.401496 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (1232|425)

After a couple hours, I figured out that the culprit in the PF ruleset is the 'proto udp' definition.

Here are the working rules:

pass on $int_if inet6 proto tcp from any to $unbound_jail_ip6 port 53 keep state
pass on $ext_if inet6 from any to $unbound_jail_ip6 keep state fragment
pass on $int_if inet6 proto udp from any to $unbound_jail_ip6 port 53 keep state
pass on $int_if inet6 from any to $unbound_jail_ip6 keep state fragment

Referred part of the pf.conf readme:
https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+12.0-RELEASE+and+Ports&arch=default&format=html#end

Cheers,
-- 
László Károlyi
https://linkedin.com/in/karolyi
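Added example (not part of László's message, and not pf's own code): a small Python model of why rules that name `proto udp` and `port 53` never match the fragments in the pflog lines above. It builds constructed IPv6 packets with the Fragment extension header, parses them the way a stateless filter sees them before reassembly, renders each in the `frag (offset|len)` style of the message, and evaluates the two rule shapes from the working ruleset against an unfragmented query, a first fragment and a non-first fragment. The addresses are the ones in the message; the client port 40000, the fragment identification 0x1234 and the rule-matching model itself are assumptions that follow the behaviour the message reports, not pf's implementation.

```python
"""IPv6 fragments versus port-based pf rules: a constructed walkthrough."""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44  # IPv6 Fragment extension header, RFC 8200 section 4.5


def ipv6_packet(src, dst, next_header, payload):
    """Constructed IPv6 packet: 40-byte fixed header followed by the payload."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return fixed + addrs + payload


def udp_datagram(sport, dport, data):
    """UDP header (checksum left zero, constructed data) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, offset, more, ident, piece, inner_proto=IPPROTO_UDP):
    """One fragment: Fragment header (Next Header, Reserved, Offset|M, Ident) + piece."""
    assert offset % 8 == 0, "fragment offsets are expressed in 8-octet units"
    off_flags = ((offset // 8) << 3) | (1 if more else 0)
    frag_hdr = struct.pack("!BBHI", inner_proto, 0, off_flags, ident)
    return ipv6_packet(src, dst, IPPROTO_FRAGMENT, frag_hdr + piece)


def parse(pkt):
    """What a stateless filter can learn from one packet without reassembly."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nxt = struct.unpack("!HB", pkt[4:7])
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "fragment": False, "proto": nxt, "offset": 0, "more": False,
            "len": plen, "sport": None, "dport": None}
    body = pkt[40:40 + plen]
    if nxt == IPPROTO_FRAGMENT:
        inner, _reserved, off_flags, _ident = struct.unpack("!BBHI", body[:8])
        body = body[8:]
        info.update(fragment=True, proto=inner, offset=(off_flags >> 3) * 8,
                    more=bool(off_flags & 1), len=len(body))
    # The UDP header, and so the ports, travels only in the first fragment
    # (offset 0). Every later fragment carries data bytes and nothing else.
    if info["proto"] == IPPROTO_UDP and info["offset"] == 0 and len(body) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    return info


def rule_matches(rule, info):
    """Toy evaluation of the two rule shapes in the message.

    rule has optional keys proto, dport, fragment. Assumed model, following
    what the message reports: a fragment is never matched by a rule that
    names a protocol or a port (even the first fragment, which does carry
    the UDP header), and a 'fragment' rule matches only packets that carry
    a Fragment header. This is the observed outcome, not pf's code.
    """
    if info["fragment"]:
        if rule.get("proto") is not None or rule.get("dport") is not None:
            return False
        return bool(rule.get("fragment"))
    if rule.get("fragment"):
        return False
    if rule.get("proto") is not None and rule["proto"] != info["proto"]:
        return False
    if rule.get("dport") is not None and rule["dport"] != info["dport"]:
        return False
    return True


def pflog_line(info):
    """Render a parsed packet in the 'frag (offset|len) sport > dport' style of the message."""
    if not info["fragment"]:
        return f"{info['src']}.{info['sport']} > {info['dst']}.{info['dport']}: UDP"
    line = f"{info['src']} > {info['dst']}: frag ({info['offset']}|{info['len']})"
    if info["sport"] is not None:
        line += f" {info['sport']} > {info['dport']}"
    return line


# Constructed traffic towards the jail's resolver address from the message.
# A 1456-byte UDP datagram is split at 1232 bytes, the sizes seen in the
# pflog lines; client port 40000 and identification 0x1234 are made up.
CLIENT, JAIL = "2001:5a0:10::1", "2a91:4f84:13a5:509f::32"
SMALL_QUERY = ipv6_packet(CLIENT, JAIL, IPPROTO_UDP, udp_datagram(40000, 53, b"\x00" * 40))
BIG_DATAGRAM = udp_datagram(40000, 53, b"\x00" * (1456 - 8))
PACKETS = [
    SMALL_QUERY,
    fragment(CLIENT, JAIL, 0, True, 0x1234, BIG_DATAGRAM[:1232]),
    fragment(CLIENT, JAIL, 1232, False, 0x1234, BIG_DATAGRAM[1232:]),
]

# The two rule shapes from the message, reduced to what the model evaluates.
RULE_PROTO_UDP_PORT53 = {"proto": IPPROTO_UDP, "dport": 53}  # pass ... proto udp ... port 53
RULE_FRAGMENT = {"fragment": True}                           # pass ... fragment


def evaluate():
    """(pflog-style line, matched by proto/port rule, matched by fragment rule) per packet."""
    return [(pflog_line(i), rule_matches(RULE_PROTO_UDP_PORT53, i), rule_matches(RULE_FRAGMENT, i))
            for i in map(parse, PACKETS)]


if __name__ == "__main__":
    for line, by_port_rule, by_frag_rule in evaluate():
        print(f"{line}\n    proto udp port 53: {by_port_rule}   fragment: {by_frag_rule}")
```

Running it shows the unfragmented query matched only by the `proto udp ... port 53` rule and both fragments matched only by the `fragment` rule, which is why the ruleset in the message needs the second, port-less rule per interface. Note that the non-first fragment exposes nothing beyond addresses, inner protocol and offset, so a `fragment` rule is necessarily broader than a port rule; pf.conf(5) on FreeBSD also documents `scrub ... fragment reassemble`, which hands the reassembled datagram to the proto/port rules and existing state instead.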