Date: Thu, 02 Jun 2005 14:01:09 +1000 From: Mark Andrews <Mark_Andrews@isc.org> To: freebsd-stable@freebsd.org Subject: ipf and fragments Message-ID: <200506020401.j524199E090035@drugs.dv.isc.org>
next in thread | raw e-mail | index | archive | help
It looks like ipf in not handling fragmented UDP respones correctly. Is there anything in particular that I need to say to ipf to make it process the fragments? Unfragemented responses make it through the firewall. It appears to be independent of fragment order. FreeBSD bsdi.dv.isc.org 4.11-STABLE FreeBSD 4.11-STABLE #22: Mon Jan 3 22:18:47 EST 2005 marka@bsdi.dv.isc.org:/usr/obj/usr/src/sys/BSDI i386 Mark # ipfstat IPv6 packets: in 113941974 out 85668683 input packets: blocked 17889 passed 148735618 nomatch 39228854 counted 0 short 0 output packets: blocked 880 passed 118396248 nomatch 13144559 counted 0 short 0 input packets logged: blocked 0 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 17468 output 0 log failures: input 0 output 0 fragment state(in): kept 0 lost 0 not fragmented 0 fragment state(out): kept 0 lost 0 not fragmented 0 packet state(in): kept 162370 lost 260 packet state(out): kept 97632 lost 880 ICMP replies: 17464 TCP RSTs sent: 0 Invalid source(in): 0 Result cache hits(in): 75931163 (out): 73331918 IN Pullups succeeded: 0 failed: 0 OUT Pullups succeeded: 272 failed: 0 Fastroute successes: 17464 failures: 0 TCP cksum fails(in): 0 (out): 0 Packet log flags set: (0) none 13:44:50.908545 220.237.98.197.3484 > 65.201.175.17.53: 20803 [1au] Type65323? NLnetLabs.nl.dlv.verisignlabs.com. (62) 4500 005a a14b 0000 3f11 a9ba dced 62c5 41c9 af11 0d9c 0035 0046 024a 5143 0010 0001 0000 0000 0001 094e 4c6e 6574 4c61 6273 026e 6c03 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 00ff 2b00 0100 0029 0800 0000 8000 0000 13:44:51.146830 65.201.175.17.53 > 220.237.98.197.3484: 20803*-% 2/2/7 Type65323, RRSIG (1472) (frag 1441:1480@0+) 4500 05dc 05a1 2000 2d11 31e3 41c9 af11 dced 62c5 0035 0d9c 0636 4b6f 5143 8410 0001 0002 0002 0007 094e 4c6e 6574 4c61 6273 026e 6c03 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 00ff 2b00 01c0 0cff 2b00 0100 000e 1000 18ab 0f05 0181 ee88 356d f3c3 0775 4944 5ed2 fb1c 92ad c806 41c0 0c00 2e00 0100 000e 1000 a8ff 2b05 0500 000e 1042 c506 1242 9d79 1216 2203 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 001e 5875 50a4 bdde 8799 365d e8e9 b3a7 cd7d 713d 1789 1715 4ff2 587e 1f1a 0b94 f3bf 2fa5 622d 82de 25ce d86f 486b 202a 22d6 35e2 29fc 715c dbe5 0245 c4d4 40e8 9a1e f9d5 9044 bb35 7b17 9ee9 6361 bc78 b9eb b338 f1b4 53ca 67fb dec1 f435 1969 116a eb12 0376 a710 a3cc 8c1c 59a2 93fe 23fa 698f 84af 6139 4eb6 4cb9 6f68 c2f1 89c0 7500 0200 0100 0151 8000 0603 6e73 31c0 75c0 7500 2e00 0100 0151 8000 a800 0205 0300 0151 8042 c506 1242 9d79 1216 2203 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 007c 98b9 dc0b cae5 cb91 c504 7a03 033b f927 342b f8fd 1f1b 3778 cf05 d686 2c47 8134 692c ae12 89e7 0d80 73ab 3eb9 ed8f 62eb edd8 d78a f8f6 c267 92b4 bd1e b08f 28f4 4643 93d8 a888 645e 02a2 634b 70b9 a558 81f0 c7e0 762a e74c cda8 ef5b 2622 3da3 9cde 6e35 69a4 5313 a52b 4fe5 84c1 c4b1 5bc3 0485 c348 7638 146e 1d4f 163d cec1 1700 0100 0100 0151 8000 0441 c9af 11c1 1700 2e00 0100 0151 8000 a800 0105 0400 0151 8042 c506 1242 9d79 1216 2203 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 009b 4ab5 f9f3 16af 71ab 4fe2 dd5c bdf4 7883 87b9 109d ebd9 b7e6 2875 c0b4 5514 59cf 636a bbc4 7704 f2c1 52d7 5ece a2e4 8a3a 4065 d6b0 af99 91b2 9a16 6642 67e8 a599 1cd7 3f1b 281d 999b 0472 516a 81d3 5855 84d5 ad0c 381e 383a db85 7526 0d7b 86d3 4f3f 675c cddf b919 f682 51ed 758d 78da c7e9 9169 f7d8 bac1 6c93 97ec 32e4 f3c1 ff00 3000 0100 000e 1000 8601 0003 0501 03bd 92d7 1198 4fea 5d6a 5ad9 c517 f35c 8ff7 a0cd 30b4 190e 0bba 0e78 6654 2702 226f 862c e73e 69e8 25c5 67f2 8484 e57f c376 8fbc 78d4 e976 f9db f3d6 2d50 af75 3dbc 7b13 20e2 0570 e584 e78b 22f4 e409 1a8f 5c59 ffdb d257 442b 81e2 3870 4c60 84a5 0bc0 51a5 7c7e 46cc 930e e942 641b e7ce 0501 d4ec 051f 8f7f 8c57 40a7 3772 f9c1 ff00 3000 0100 000e 1001 0801 0103 0503 0100 01bc 361d 912b 03a3 e94d 255d 11b7 6f63 5235 972d e04c 5021 24f0 2c0b ba1a b48a ff3f 7843 ab3e ec52 30f2 e2b5 4740 f363 2af4 0cbf 6bf4 02a4 f2af 292b cb4d a5f5 61a6 6ca6 63b1 7c8a db5f 4088 01ef 482e 384e c8ac 9083 7c20 fdbc 2a43 3509 683e d74f 056c f246 55b6 7738 7d65 7916 a99c 20a2 d99e 6ad1 d85e 7201 5059 a83f 16ea 47a2 a37b b278 9e62 c51d 6f2f fd64 ef5d 2c37 5078 bf71 267d 4256 d88c 7317 c1e7 f8ee 289f d5f5 b17b 588b 1d2c a968 a2da a789 2e36 723b 3218 6c31 b1f6 711d 0de6 1ff1 8e75 fd4a 9c6b 3c10 d067 a714 b2b4 9938 ab48 183f 9024 3403 d31b 48f5 29d9 9ad9 ff6f 8bac 1900 8615 91c4 0f2a eb01 4d86 d472 516b 2179 ca1a d3c7 1f70 a7cb 5bc1 ff00 2e00 0100 000e 1001 2800 3005 0300 000e 1042 c506 1242 9d79 1213 fd03 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 0030 3507 d02a 02cf 82f8 955a 2ee0 d5e4 7e26 8d96 a350 a5cc 3342 f268 6cb5 ac7b bfa2 e24c 151b b56b 9c01 737f 9714 1f29 8cb4 39a2 8b41 ee3c 349a 20ce 2c0f d786 6cdd 7d9b 862e 6b2b b77e 47c6 e712 ec3c 590f 54be 9895 4da2 c16a 8c62 f4bc 446c d6f9 db38 29c3 907f d065 59a4 c864 62a2 44e9 6631 8a19 f9e1 65e4 eaef eb8e 0921 cfce dbcf e03b 9414 5878 1cc0 81ef d677 a1e3 2b9f 091b 7663 07b1 c71d f4ec ac01 a4a6 5337 0e8e d32b 804d cbcf e1f2 8158 03dc 26ad 91dd 8a1a 48ef 6bef b6d4 755b 8a80 4150 433f 0091 7975 af5b ec9b 6546 2471 6055 80cb 9917 303c 8569 bdbb a682 b13f 0fe7 0022 dec8 1b06 c8f5 7f6b 73c7 05a4 880b d3e6 6b84 3e87 51f7 13b9 02c2 9cc4 5900 2e00 0100 000e 1000 a800 3005 0300 000e 1042 c506 1242 9d79 1216 2203 646c 760c 7665 7269 7369 676e 6c61 6273 0363 6f6d 0090 a57c 2a85 5087 f829 4031 aa59 1211 2538 082e 6e21 d56e c0b9 d113 17d7 13:44:51.146887 65.201.175.17 > 220.237.98.197: udp (frag 1441:110@1480) 4500 0082 05a1 00b9 2d11 5684 41c9 af11 dced 62c5 d679 a96d 8e81 56e6 bddb d3a0 f32a 1ed9 6036 ed61 ee91 2577 060f 0239 ed0b 322a f7cc 4bca 088d 68b5 8aca 4910 7ed0 f810 d650 9d82 720f 938b 7a5d 3460 4a18 eb54 4860 92c3 72d3 e220 0b02 272d 8aa9 4e99 3cf4 c115 d9f6 e307 3443 d2f0 2001 768b 3f11 1900 0029 1000 0000 8000 0000 13:44:51.147093 220.237.98.197 > 65.201.175.17: icmp: net 192.168.191.236 unreachable 4500 0038 05a1 0000 4001 4497 dced 62c5 41c9 af11 0300 97b0 0000 0000 4500 0082 05a1 00b9 2d11 15a2 41c9 af11 c0a8 bfec d679 a96d 8e81 56e6 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200506020401.j524199E090035>