From: László Károlyi <laszlo@karolyi.hu>
To: freebsd-bugs@freebsd.org
Subject: PF and IPv6 UDP fragmented packets
Date: Sat, 31 Aug 2019 22:42:59 +0200
Message-ID: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu>
List-Id: Bug reports (freebsd-bugs@freebsd.org)

Hey,

I've installed unbound into a jail to use it as a nameserver. After setting up PF to allow UDP fragments to the jail's IPv6 address, I still saw PF dropping the UDP fragment packages arriving to and from my jail. According to the pf.conf readme, the IP header of the fragmented packets still contains the protocol type (TCP/UDP), but not the port number. I hope it's not a documentation bug.
Here are the pflog dump lines, showing what packages were dropped:

22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494:  [|udp]
22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (1232|224)
22:23:30.401494 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 14204:  [|udp]
22:23:30.401496 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (1232|425)

After a couple hours, I figured out that the culprit in the PF ruleset is the 'proto udp' definition. Here are the working rules:

pass on $int_if inet6 proto tcp from any to $unbound_jail_ip6 port 53 keep state
pass on $ext_if inet6 from any to $unbound_jail_ip6 keep state fragment
pass on $int_if inet6 proto udp from any to $unbound_jail_ip6 port 53 keep state
pass on $int_if inet6 from any to $unbound_jail_ip6 keep state fragment

Referred part of the pf.conf readme:
https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+12.0-RELEASE+and+Ports&arch=default&format=html#end

Cheers,
--
László Károlyi
https://linkedin.com/in/karolyi
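To make the observation in the message concrete, here is a small parser for the pflog lines quoted above. It is an added example, not code from the original message or from pf itself; the sample input is the four lines from the message, constructed inline, and the function names (parse_pflog_line, port_rule_can_match, summarize_drops) are this example's own. It classifies each blocked fragment by its offset and shows that only the offset-0 fragment carries the UDP ports that a 'proto udp ... port 53' rule can look at, which is why the later fragments of the same datagram only get through with the separate 'fragment' rule.

```python
import re
from collections import defaultdict

# Constructed sample: the four pflog lines quoted in the message above, with the
# non-breaking space tcpdump printed after the ports of the first fragments kept.
SAMPLE_PFLOG = (
    "22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 > "
    "2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494:\u00a0 [|udp]\n"
    "22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 > "
    "2a91:4f84:13a5:509f::32: frag (1232|224)\n"
    "22:23:30.401494 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > "
    "2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 14204:\u00a0 [|udp]\n"
    "22:23:30.401496 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > "
    "2a91:4f84:13a5:509f::32: frag (1232|425)\n"
)

# tcpdump's pflog line: timestamp, matched rule, action, direction, interface,
# src > dst, "frag (offset|length)" and, for the first fragment only, the UDP
# ports that fragment carries.  Field names are this example's own.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): frag \((?P<off>\d+)\|(?P<len>\d+)\)"
    r"(?: (?P<sport>\d+) > (?P<dport>\d+):)?"
)


def parse_pflog_line(line):
    """Parse one pflog line for an IPv6 fragment; returns None for other lines."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["off"] = int(rec["off"])
    rec["len"] = int(rec["len"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] is not None else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] is not None else None
    return rec


def is_first_fragment(rec):
    """Only the fragment at offset 0 carries the UDP header, and so the ports."""
    return rec["off"] == 0


def port_rule_can_match(rec, port):
    """True if a rule of the form 'proto udp ... port <port>' can see the
    information it needs for this fragment.  Later fragments show no ports in
    the log at all, so they can only be passed by a rule with 'fragment'."""
    if not is_first_fragment(rec):
        return False
    return port in (rec["sport"], rec["dport"])


def summarize_drops(text):
    """Group blocked fragments per (interface, src, dst) and count how many of
    them no port-based rule could have matched.  'bytes' is the datagram size
    implied by the largest offset+length seen for that flow."""
    flows = defaultdict(lambda: {"fragments": 0, "bytes": 0,
                                 "unmatchable_by_port": 0, "sport": None})
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        flow = flows[(rec["ifname"], rec["src"], rec["dst"])]
        flow["fragments"] += 1
        flow["bytes"] = max(flow["bytes"], rec["off"] + rec["len"])
        if is_first_fragment(rec):
            flow["sport"] = rec["sport"]
        if not port_rule_can_match(rec, 53):
            flow["unmatchable_by_port"] += 1
    return dict(flows)


if __name__ == "__main__":
    for (ifname, src, dst), flow in summarize_drops(SAMPLE_PFLOG).items():
        print(f"{ifname}: {src} -> {dst}: {flow['fragments']} fragments, "
              f"{flow['bytes']} bytes, source port {flow['sport']}, "
              f"{flow['unmatchable_by_port']} fragment(s) that a 'port 53' "
              f"rule cannot match (needs a 'fragment' rule)")
```

Run against the quoted lines it reports one DNS answer of 1456 bytes on em0 and one of 1657 bytes on lo0, each split into a first fragment with ports and a second one without; the second fragment in each pair is the one that the author's earlier 'proto udp ... port 53' rule could not pass.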