From: Andrew Thompson
To: Pyun YongHyeon
Cc: freebsd-pf@freebsd.org
Date: Tue, 9 May 2006 11:53:24 +1200
Message-ID: <20060508235324.GD16485@heff.fud.org.nz>
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?

On Tue, May 09, 2006 at 08:33:57AM +0900, Pyun YongHyeon wrote:
> On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:
> > On Sun, Apr 16, 2006 at 05:30:23PM +1200, Andrew Thompson wrote:
> >
> >   On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:
> >   > On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> >   >
> >   > > The other big problem that just crossed my mind: Reassembly in the bridge
> >   > > path!? It doesn't look like the current bridge code on either OS is ready to
> >   > > deal with packets > MTU coming out of the filter. The question here is
> >   > > probably how much IP processing we want to do in the bridge code?
> >   >
> >   > OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
> >   > ip_fragment() so it could be called from there, and not too much code
> >   > had to be duplicated.
> >   >
> >
> >   Here is a patch that adds fragmenting, largely based on what's in
> >   OpenBSD. I didn't bring over bridge_send_icmp_err() as we can only get a
> >   large packet to fragment by reassembling a previous fragment, checking
> >   for DF and sending an icmp doesn't apply to us.
> >
> >
>
> As you can get jumbo frames (which is a common feature for modern GigE)
> you should be prepared to fragment the frame. Because you may
> get the first ethernet member's MTU for bridge(4) there is still
> chance to get other sized MTU which could be larger than the first
> ethernet member's MTU. Personally I believe OpenBSD's
> bridge_send_icmp_err() or equivalent is needed for FreeBSD too.

The bridge will take the MTU of the first interface but it also enforces
subsequent interfaces to have the same value.
I'm not keen to allow bridging of different MTU sizes like OpenBSD allows
and it only works for IP traffic anyway. A bridge is layer2, not layer3.

	/* Allow the first Ethernet member to define the MTU */
	if (ifs->if_type != IFT_GIF) {
		if (LIST_EMPTY(&sc->sc_iflist))
			sc->sc_ifp->if_mtu = ifs->if_mtu;
		else if (sc->sc_ifp->if_mtu != ifs->if_mtu) {
			if_printf(sc->sc_ifp, "invalid MTU for %s\n",
			    ifs->if_xname);
			return (EINVAL);
		}
	}

cheers,
Andrew
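
The fragmenting step this thread discusses, where a packet reassembled by the filter is larger than the outgoing bridge member's MTU, as an added example that is not part of the original message and is not the FreeBSD or OpenBSD code: it computes the offset field and more-fragments flag for each IPv4 fragment. The names plan_fragments and frag_plan are hypothetical, and it assumes an unfragmented input datagram whose header is repeated at the same length in every fragment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MF 0x2000	/* "more fragments" bit of ip_off, as in <netinet/ip.h> */

struct frag_plan {		/* hypothetical type for this example */
	uint16_t ip_off;	/* payload offset in 8-byte units, plus IP_MF */
	uint16_t len;		/* IP payload bytes carried by this fragment */
};

/*
 * Plan fragments for a reassembled datagram (total length ip_len, header
 * hlen) leaving via an MTU-limited port: count, 0 if it fits, -1 on error.
 */
int
plan_fragments(uint16_t ip_len, uint16_t hlen, uint16_t mtu,
    struct frag_plan *out, size_t max)
{
	uint16_t per, left, off = 0;
	size_t n = 0;

	if (hlen < 20 || ip_len < hlen)
		return (-1);
	if (ip_len <= mtu)
		return (0);
	if (mtu < hlen + 8)
		return (-1);		/* no room for one 8-byte unit */
	per = (uint16_t)((mtu - hlen) & ~7);	/* non-final fragments: multiple of 8 */
	for (left = (uint16_t)(ip_len - hlen); left > 0; n++) {
		if (n == max)
			return (-1);	/* caller's array is too small */
		out[n].len = left > per ? per : left;
		left -= out[n].len;
		out[n].ip_off = (uint16_t)((off >> 3) | (left ? IP_MF : 0));
		off += out[n].len;
	}
	return ((int)n);
}

int
main(void)
{
	struct frag_plan p[16];
	int i, n = plan_fragments(8220, 20, 1500, p, 16);	/* constructed sizes */

	for (i = 0; i < n; i++)
		printf("off=%u len=%u\n", (p[i].ip_off & 0x1fffu) * 8, (unsigned)p[i].len);
	return (0);
}
```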