Site Navigation

Date:      Thu, 11 Nov 2010 03:47:01 -0800 (PST)
From:      Kirill Yelizarov <ykirill@yahoo.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: icmp packets on em larger than 1472 [SEC=UNCLASSIFIED]
Message-ID:  <687600.57858.qm@web120511.mail.ne1.yahoo.com>
In-Reply-To: <816869.17580.qm@web120510.mail.ne1.yahoo.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

=0A=0A--- On Thu, 11/11/10, Kirill Yelizarov <ykirill@yahoo.com> wrote:=0A=
=0A> From: Kirill Yelizarov <ykirill@yahoo.com>=0A> Subject: Re: icmp packe=
ts on em larger than 1472 [SEC=3DUNCLASSIFIED]=0A> To: freebsd-stable@freeb=
sd.org=0A> Date: Thursday, November 11, 2010, 10:49 AM=0A> =0A> =0A> --- On=
 Thu, 11/11/10, Kevin Oberman <oberman@es.net>=0A> wrote:=0A> =0A> > From: =
Kevin Oberman <oberman@es.net>=0A> > Subject: Re: icmp packets on em larger=
 than 1472=0A> [SEC=3DUNCLASSIFIED]=0A> > To: "Wilkinson, Alex" <alex.wilki=
nson@dsto.defence.gov.au>=0A> > Cc: freebsd-stable@freebsd.org=0A> > Date: =
Thursday, November 11, 2010, 8:26 AM=0A> > > Date: Thu, 11 Nov 2010 13:01:2=
6=0A> > +0800=0A> > > From: "Wilkinson, Alex" <alex.wilkinson@dsto.defence.=
gov.au>=0A> > > Sender: owner-freebsd-stable@freebsd.org=0A> > > =0A> > > =
=0A> > >=A0 =A0=A0=A00n Wed, Nov 10, 2010 at=0A> > 04:21:12AM -0800, Kirill=
 Yelizarov wrote: =0A> > > =0A> > >=A0 =A0=A0=A0>All my em cards running=0A=
> > 8.1 stable don't reply to icmp echo requests packets=0A> larger=0A> > t=
han 1472 bytes.=0A> > >=A0 =A0=A0=A0>=0A> > >=A0 =A0=A0=A0>On stable 7.2 th=
e same=0A> > hardware works as expected:=0A> > >=A0 =A0=A0=A0># ping -s 150=
0=0A> > 192.168.64.99=0A> > >=A0 =A0=A0=A0>PING 192.168.64.99=0A> > (192.16=
8.64.99): 1500 data bytes=0A> > >=A0 =A0=A0=A0>1508 bytes from=0A> > 192.16=
8.64.99: icmp_seq=3D0 ttl=3D63 time=3D1.249 ms=0A> > >=A0 =A0=A0=A0>1508 by=
tes from=0A> > 192.168.64.99: icmp_seq=3D1 ttl=3D63 time=3D1.158 ms=0A> > >=
=A0 =A0=A0=A0>=0A> > >=A0 =A0=A0=A0>Here is the dump on em=0A> > interface=
=0A> > >=A0 =A0=A0=A0>15:06:31.452043 IP=0A> > 192.168.66.65 > *****: ICMP =
echo request, id 28729,=0A> seq=0A> > 5, length 1480=0A> > >=A0 =A0=A0=A0>1=
5:06:31.452047 IP=0A> > 192.168.66.65 > ****: icmp=0A> > >=A0 =A0=A0=A0>15:=
06:31.452069 IP ****=0A> > > 192.168.66.65: ICMP echo reply, id 28729, seq =
5,=0A> length=0A> > 1480=0A> > >=A0 =A0=A0=A0>15:06:31.452071 IP ***=0A> > =
> 192.168.66.65: icmp=0A> > >=A0 =A0=A0=A0> =0A> > >=A0 =A0=A0=A0>Same ping=
 from same source=0A> > (it's a 8.1 stable with fxp interface) to em card=
=0A> running=0A> > 8.1 stable=0A> > >=A0 =A0=A0=A0>#pciconf -lv=0A> > >=A0=
=0A> > =A0=A0=A0>em0@pci0:3:4:0:=A0=A0=A0=0A> > class=3D0x020000 card=3D0x1=
0798086 chip=3D0x10798086=0A> rev=3D0x03=0A> > hdr=3D0x00=0A> > >=A0 =A0=A0=
=A0>=A0 =A0 vendor=A0=0A> > =A0=A0=A0=3D 'Intel Corporation'=0A> > >=A0 =A0=
=A0=A0>=A0 =A0 device=A0=0A> > =A0=A0=A0=3D 'Dual Port Gigabit Ethernet Con=
troller=0A> > (82546EB)'=0A> > >=A0 =A0=A0=A0>=A0 =A0 class=A0=0A> > =A0 =
=A0 =3D network=0A> > >=A0 =A0=A0=A0>=A0 =A0=0A> > subclass=A0=A0=A0=3D eth=
ernet=0A> > >=A0 =A0=A0=A0>=0A> > >=A0 =A0=A0=A0># ping -s 1472=0A> > 192.1=
68.64.200=0A> > >=A0 =A0=A0=A0>PING 192.168.64.200=0A> > (192.168.64.200): =
1472 data bytes=0A> > >=A0 =A0=A0=A0>1480 bytes from=0A> > 192.168.64.200: =
icmp_seq=3D0 ttl=3D63 time=3D0.848 ms=0A> > >=A0 =A0=A0=A0>^C=0A> > >=A0 =
=A0=A0=A0>=0A> > >=A0 =A0=A0=A0># ping -s 1473=0A> > 192.168.64.200=0A> > >=
=A0 =A0=A0=A0>PING 192.168.64.200=0A> > (192.168.64.200): 1473 data bytes=
=0A> > >=A0 =A0=A0=A0>^C=0A> > >=A0 =A0=A0=A0>--- 192.168.64.200 ping=0A> >=
 statistics ---=0A> > >=A0 =A0=A0=A0>4 packets transmitted, 0=0A> > packets=
 received, 100.0% packet loss=0A> > > =0A> > > works fine for me:=0A> > > =
=0A> > > FreeBSD 8.1-STABLE #0 r213395=0A> > > =0A> > > em0@pci0:0:25:0:cla=
ss=3D0x020000 card=3D0x3035103c=0A> > chip=3D0x10de8086 rev=3D0x02 hdr=3D0x=
00=0A> > >=A0 =A0=A0=A0vendor=A0=0A> > =A0=A0=A0=3D 'Intel Corporation'=0A>=
 > >=A0 =A0=A0=A0device=A0=0A> > =A0=A0=A0=3D 'Intel Gigabit network connec=
tion=0A> > (82567LM-3 )'=0A> > >=A0 =A0=A0=A0class=A0 =A0 =A0 =3D=0A> > net=
work=0A> > >=A0 =A0=A0=A0subclass=A0=A0=A0=3D=0A> > ethernet=0A> > > =0A> >=
 > #ping -s 1473 host=0A> > > PING host(192.168.1.1): 1473 data bytes=0A> >=
 > 1481 bytes from 192.168.1.1: icmp_seq=3D0 ttl=3D253=0A> > time=3D31.506 =
ms=0A> > > 1481 bytes from 192.168.1.1: icmp_seq=3D1 ttl=3D253=0A> > time=
=3D31.493 ms=0A> > > 1481 bytes from 192.168.1.1: icmp_seq=3D2 ttl=3D253=0A=
> > time=3D31.550 ms=0A> > > ^C=0A> > =0A> > The reason the '-s 1500' worke=
d was that the packets=0A> were=0A> > fragmented. If=0A> > I add the '-D' o=
ption, '-s 1473' fails on v7 and v8.=0A> Are=0A> > the V8 systems=0A> > whe=
re you see if failing without the '-D' on the same=0A> > network segment?=
=0A> > If not, it is likely that an intervening device is=0A> refusing=0A> =
> to fragment=0A> > the packet. (Some routers deliberately don't fragment=
=0A> ICMP=0A> > Echos Request=0A> > packets.) =0A> =0A> If i set -D -s 1473=
 sender side refuses to ping and that is=0A> correct. All mentioned above m=
achines are behind the same=0A> router and switch. Same hardware running v7=
 is working while=0A> v8 is not. And i never saw such problems before.=A0 A=
lso=0A> correct me if i'm wrong but the dump shows that the packet=0A> arri=
ved. I'll try driver from head and will post here=0A> results. =0A> =0A Sha=
me on me! It was pf. I disabled scrubbing. Any of the two methods work=0A=
=0A1.=0Ascrub in all=0Aicmp_types =3D "{0, 3, 4, 8, 11 }"=0Apass out quick =
on $inside_if proto icmp from $inside_ip to any icmp-type $icmp_types no st=
ate=0Apass in quick on $inside_if proto icmp from any to $inside_ip icmp-ty=
pe $icmp_types no state=0A=0A2.=0Apass out quick on $inside_if proto icmp f=
rom $inside_ip to any no state=0Apass in quick on $inside_if proto icmp fro=
m any to $inside_ip no state=0AThis works without scrubbing=0A=0AKeep state=
 also working=0A=0AI disabled scrubbing because it seems to slow down nfs (=
i'm not shure if this is right) and i specified icmp types i want to use. W=
hat am i doing wrong with firewall icmp rules? Tcpdump shows echo requests =
and replies only.=0A=0AI also compiled new driver from HEAD. It is working =
like the old one. And firewall with igb has scrubbing.=0A=0AKirill=0A=0A> K=
irill=0A> > -- =0A> > R. Kevin Oberman, Network Engineer=0A> > Energy Scien=
ces Network (ESnet)=0A> > Ernest O. Lawrence Berkeley National Laboratory=
=0A> (Berkeley=0A> > Lab)=0A> > E-mail: oberman@es.net=A0=A0=A0=0A> > =A0=
=A0=A0 =A0=A0=A0 Phone: +1 510=0A> > 486-8634=0A> > Key fingerprint:059B 2D=
DF 031C 9BA3 14A4=A0 EADA 927D=0A> > EBB3 987B 3751=0A> > _________________=
______________________________=0A> > freebsd-stable@freebsd.org=0A> > maili=
ng list=0A> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable=0A>; =
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"=
=0A> > =0A> =0A> =0A> =0A> _______________________________________________=
=0A> freebsd-stable@freebsd.org=0A> mailing list=0A> http://lists.freebsd.o=
rg/mailman/listinfo/freebsd-stable=0A> To unsubscribe, send any mail to "fr=
eebsd-stable-unsubscribe@freebsd.org"=0A> =0A=0A=0A      

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?687600.57858.qm>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact