From: Hugo Koji Kobayashi <koji@registro.br>
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 31 May 2007 10:49:23 -0300
Subject: Re: udp fragmentation
Message-ID: <20070531134923.GH39552@registro.br>
In-Reply-To: <200705301002.04911.max@love2party.net>
References: <20070528224225.GC40678@registro.br> <200705301002.04911.max@love2party.net>

Hi Max,

Please find attached the test results after enabling extended logging.
I've done the test twice, changing dig's "+bufsize" parameter.
Thanks,
Hugo

On Wed, May 30, 2007 at 10:02:03AM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> > While making some tests with fragmented udp DNS responses (with
> > EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> > 7.0 (200705 snapshot).
> >
> > Our test is a DNS query to a DNSSEC-enabled server which replies with
> > a ~4KB udp response. We do this with the following dig command:
> >
> > dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
> >
> > pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> > time out. With the firewall disabled, complete replies are received with no
> > problem. The same test was run on an OpenBSD 4.1 box with no problem.
> >
> > Complete test results were sent to the freebsd-stable and freebsd-net
> > mailing lists and can be found here:
> >
> > http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
> >
> > (The email message above includes tests with ipf)
> >
> >
> > The pf rules look like this in all tests:
> >
> > scrub in all fragment reassemble
> > block drop in log all
> > pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> > pass out on bge0 proto tcp all flags S/SA keep state
> > pass out on bge0 proto udp all keep state
> > pass out on bge0 proto icmp all keep state
> >
> >
> > Am I doing something wrong? Is there anything else I should try on
> > FreeBSD?
>
> Can you enable extended logging (pfctl -xm) and check your console for
> messages? Also please check "pfctl -si" for counter increases.
>
> Thanks,
>
> --
> Max

Attachment: pf-edns0-tests.txt

fbsd7# date; pfctl -si
Tue May 8 04:12:25 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:02:28           Debug: Urgent

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        3
  searches                             335            2.3/s
  inserts                               39            0.3/s
  removals                              36            0.2/s
Counters
  match                                 39            0.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# date ; pfctl -xm
Tue May 8 04:13:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

fbsd7# date ; pfctl -si
Tue May 8 04:13:10 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:03:13           Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        3
  searches                             370            1.9/s
  inserts                               39            0.2/s
  removals                              36            0.2/s
Counters
  match                                 39            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

---- Console begin
pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: 4094 < 4094?
pf_reassemble: complete: 0xc4338000(4114)
---- Console end

fbsd7# date ; pfctl -si
Tue May 8 04:15:24 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:05:27           Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        3
  searches                             405            1.2/s
  inserts                               40            0.1/s
  removals                              37            0.1/s
Counters
  match                                 40            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

# dig @192.36.144.107 se dnskey +dnssec +bufsize=4000 +retry=0

; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4000 +retry=0
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
%
---- Console begin
pf_normalize_ip: reass frag 12137 @ 0-1480
pf_normalize_ip: reass frag 12137 @ 1480-2960
pf_normalize_ip: reass frag 12137 @ 2960-3932
pf_reassemble: 3932 < 3932?
pf_reassemble: complete: 0xc443b600(3952)
---- Console end

fbsd7# date ; pfctl -si
Tue May 8 04:17:02 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:07:05           Debug: Misc

Hostid: 0xfd3ea603

State Table                          Total             Rate
  current entries                        5
  searches                             661            1.6/s
  inserts                               42            0.1/s
  removals                              37            0.1/s
Counters
  match                                 42            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
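To read "pfctl -xm" console output like the attached one, here is an added example (not part of the thread) that parses the pf_normalize_ip/pf_reassemble lines, checks that the fragment offsets form the contiguous series a 1500-byte MTU sender would emit, and checks that the ip_len in the "complete:" line equals the covered payload plus a 20-byte IPv4 header. The MTU, the header length and the sample console text are assumptions/constructed input, not pf's own code.

```python
import re
from collections import defaultdict

IP_HDR_LEN = 20  # IPv4 header without options (assumed for these datagrams)
MTU = 1500       # Ethernet MTU assumed on the test path
FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
DONE_RE = re.compile(r"pf_reassemble: complete: 0x[0-9a-f]+\((\d+)\)")

# Constructed input: the "pfctl -xm" console lines from the first attached test.
SAMPLE_CONSOLE = """pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: 4094 < 4094?
pf_reassemble: complete: 0xc4338000(4114)
"""
def parse_console(text):
    """Group 'reass frag' ranges by IP id; collect ip_len from 'complete:' lines."""
    frags, done = defaultdict(list), []
    for line in text.splitlines():
        if m := FRAG_RE.search(line):
            ipid, start, end = map(int, m.groups())
            frags[ipid].append((start, end))
        elif m := DONE_RE.search(line):
            done.append(int(m.group(1)))
    return frags, done

def expected_fragments(payload_len, mtu=MTU):
    """Ranges a sender emits: each fragment but the last carries the largest multiple of 8 that fits."""
    step = (mtu - IP_HDR_LEN) // 8 * 8  # 1480 bytes at MTU 1500
    return [(off, min(off + step, payload_len)) for off in range(0, payload_len, step)]

def coverage(ranges):
    """(contiguous, last_byte): fragments must abut from offset 0, the coverage pf tests before 'complete'."""
    off = 0
    for start, end in sorted(ranges):
        if start != off:
            return False, off
        off = end
    return True, off

def verify(text, mtu=MTU):
    """Per IP id: fragmented as expected, contiguous, and reported complete by pf?"""
    frags, done = parse_console(text)
    out = {}
    for ipid, ranges in frags.items():
        ok, payload = coverage(ranges)
        out[ipid] = {"contiguous": ok, "payload": payload,
                     "as_expected": sorted(ranges) == expected_fragments(payload, mtu),
                     "complete_reported": payload + IP_HDR_LEN in done}
    return out
```

For the attached runs both datagrams come out contiguous with a matching ip_len, so the console shows reassembly finishing rather than a missing fragment.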