From: Kirill Yelizarov
To: freebsd-stable@freebsd.org
Date: Thu, 11 Nov 2010 03:47:01 -0800 (PST)
Subject: Re: icmp packets on em larger than 1472 [SEC=UNCLASSIFIED]

--- On Thu, 11/11/10, Kirill Yelizarov wrote:

> From: Kirill Yelizarov
> Subject: Re: icmp packets on em larger than 1472 [SEC=UNCLASSIFIED]
> To: freebsd-stable@freebsd.org
> Date: Thursday, November 11, 2010, 10:49 AM
>
> --- On Thu, 11/11/10, Kevin Oberman wrote:
>
> > From: Kevin Oberman
> > Subject: Re: icmp packets on em larger than 1472 [SEC=UNCLASSIFIED]
> > To: "Wilkinson, Alex"
> > Cc: freebsd-stable@freebsd.org
> > Date: Thursday, November 11, 2010, 8:26 AM
> >
> > > Date: Thu, 11 Nov 2010 13:01:26 +0800
> > > From: "Wilkinson, Alex"
> > > Sender: owner-freebsd-stable@freebsd.org
> > >
> > >     On Wed, Nov 10, 2010 at 04:21:12AM -0800, Kirill Yelizarov wrote:
> > >
> > >     >All my em cards running 8.1 stable don't reply to icmp echo requests packets larger than 1472 bytes.
> > >     >
> > >     >On stable 7.2 the same hardware works as expected:
> > >     ># ping -s 1500 192.168.64.99
> > >     >PING 192.168.64.99 (192.168.64.99): 1500 data bytes
> > >     >1508 bytes from 192.168.64.99: icmp_seq=0 ttl=63 time=1.249 ms
> > >     >1508 bytes from 192.168.64.99: icmp_seq=1 ttl=63 time=1.158 ms
> > >     >
> > >     >Here is the dump on em interface
> > >     >15:06:31.452043 IP 192.168.66.65 > *****: ICMP echo request, id 28729, seq 5, length 1480
> > >     >15:06:31.452047 IP 192.168.66.65 > ****: icmp
> > >     >15:06:31.452069 IP **** > 192.168.66.65: ICMP echo reply, id 28729, seq 5, length 1480
> > >     >15:06:31.452071 IP *** > 192.168.66.65: icmp
> > >     >
> > >     >Same ping from same source (it's a 8.1 stable with fxp interface) to em card running 8.1 stable
> > >     >#pciconf -lv
> > >     >em0@pci0:3:4:0:    class=0x020000 card=0x10798086 chip=0x10798086 rev=0x03 hdr=0x00
> > >     >    vendor     = 'Intel Corporation'
> > >     >    device     = 'Dual Port Gigabit Ethernet Controller (82546EB)'
> > >     >    class      = network
> > >     >    subclass   = ethernet
> > >     >
> > >     ># ping -s 1472 192.168.64.200
> > >     >PING 192.168.64.200 (192.168.64.200): 1472 data bytes
> > >     >1480 bytes from 192.168.64.200: icmp_seq=0 ttl=63 time=0.848 ms
> > >     >^C
> > >     >
> > >     ># ping -s 1473 192.168.64.200
> > >     >PING 192.168.64.200 (192.168.64.200): 1473 data bytes
> > >     >^C
> > >     >--- 192.168.64.200 ping statistics ---
> > >     >4 packets transmitted, 0 packets received, 100.0% packet loss
> > >
> > > works fine for me:
> > >
> > > FreeBSD 8.1-STABLE #0 r213395
> > >
> > > em0@pci0:0:25:0:class=0x020000 card=0x3035103c chip=0x10de8086 rev=0x02 hdr=0x00
> > >     vendor     = 'Intel Corporation'
> > >     device     = 'Intel Gigabit network connection (82567LM-3 )'
> > >     class      = network
> > >     subclass   = ethernet
> > >
> > > #ping -s 1473 host
> > > PING host(192.168.1.1): 1473 data bytes
> > > 1481 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=31.506 ms
> > > 1481 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=31.493 ms
> > > 1481 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=31.550 ms
> > > ^C
> >
> > The reason the '-s 1500' worked was that the packets were fragmented. If I add the '-D' option, '-s 1473' fails on v7 and v8. Are the V8 systems where you see it failing without the '-D' on the same network segment? If not, it is likely that an intervening device is refusing to fragment the packet. (Some routers deliberately don't fragment ICMP Echo Request packets.)
>
> If I set -D -s 1473 sender side refuses to ping and that is correct. All mentioned above machines are behind the same router and switch. Same hardware running v7 is working while v8 is not. And I never saw such problems before. Also correct me if I'm wrong but the dump shows that the packet arrived. I'll try driver from head and will post here results.
>

Shame on me! It was pf. I disabled scrubbing. Any of the two methods work

1.
scrub in all
icmp_types = "{0, 3, 4, 8, 11 }"
pass out quick on $inside_if proto icmp from $inside_ip to any icmp-type $icmp_types no state
pass in quick on $inside_if proto icmp from any to $inside_ip icmp-type $icmp_types no state

2.
pass out quick on $inside_if proto icmp from $inside_ip to any no state
pass in quick on $inside_if proto icmp from any to $inside_ip no state
This works without scrubbing

Keep state also working

I disabled scrubbing because it seems to slow down nfs (I'm not sure if this is right) and I specified icmp types I want to use. What am I doing wrong with firewall icmp rules? Tcpdump shows echo requests and replies only.

I also compiled new driver from HEAD. It is working like the old one. And firewall with igb has scrubbing.

Kirill

> Kirill
> > --
> > R. Kevin Oberman, Network Engineer
> > Energy Sciences Network (ESnet)
> > Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> > E-mail: oberman@es.net    Phone: +1 510 486-8634
> > Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
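Added example, not part of the original message and not pf's own code: a small Python model of why 1472 is the boundary on a 1500-byte MTU and why the two rule sets in the message behave differently with and without scrubbing. It assumes a filter that can match icmp-type only on a packet that contains the ICMP header (the first fragment), which is consistent with the results reported above; all function names are hypothetical.

```python
# Added illustration, not pf source code. Models IPv4 fragmentation of an ICMP
# echo and a simplified header-based filter decision (assumption, see lead-in).
IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header

def max_unfragmented_data(mtu=1500):
    """Largest `ping -s` value that still fits in one packet."""
    return mtu - IP_HDR - ICMP_HDR

def fragment(data_len, mtu=1500):
    """Return [(offset, length, carries_icmp_header), ...] for one echo."""
    total = ICMP_HDR + data_len            # bytes of IP payload
    step = (mtu - IP_HDR) // 8 * 8         # fragment offsets are in 8-byte units
    return [(off, min(step, total - off), off == 0)
            for off in range(0, total, step)]

def echo_passes(data_len, scrub, icmp_type_rule, df=False, mtu=1500):
    """Does the whole echo get through the modelled filter?

    scrub          -- filter reassembles fragments before evaluating rules
    icmp_type_rule -- the only pass rule requires a matching icmp-type
    df             -- sender sets Don't Fragment (ping -D)
    """
    frags = fragment(data_len, mtu)
    if df and len(frags) > 1:
        return False          # sender refuses: too big and may not fragment
    if scrub or not icmp_type_rule:
        return True           # whole datagram seen, or rule needs no ICMP header
    # Assumption: a rule with icmp-type can only match a packet that actually
    # contains the ICMP header, i.e. the first fragment.
    return all(has_hdr for _, _, has_hdr in frags)

def thread_cases():
    """Outcomes for the sizes and rule sets discussed in the thread."""
    return {
        "1472, no scrub, icmp-type": echo_passes(1472, False, True),
        "1473, no scrub, icmp-type": echo_passes(1473, False, True),
        "1473, scrub, icmp-type (method 1)": echo_passes(1473, True, True),
        "1473, no scrub, no icmp-type (method 2)": echo_passes(1473, False, False),
        "1473, -D": echo_passes(1473, True, True, df=True),
    }

if __name__ == "__main__":
    print(max_unfragmented_data(), fragment(1500))
    for case, ok in thread_cases().items():
        print(f"{case}: {'reply' if ok else 'no reply'}")
```

The 1480-byte first fragment returned for `fragment(1500)` corresponds to the "length 1480" line in the tcpdump output quoted in the message, and the second entry to the bare "icmp" line that follows it.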