Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 5 Apr 2006 09:39:31 -0400
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        Andrew Thompson <thompsa@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID:  <20060405133930.GV14961@egr.msu.edu>
In-Reply-To: <20060405130645.GB5683@insomnia.benzedrine.cx>
References:  <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net> <20060405130645.GB5683@insomnia.benzedrine.cx>
index | next in thread | previous in thread | raw e-mail 

On Wed, Apr 05, 2006 at 03:06:45PM +0200, Daniel Hartmeier wrote:

  On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
  
  > The other big problem that just crossed my mind:  Reassembly in the bridge 
  > path!?  It doesn't look like the current bridge code on either OS is ready to 
  > deal with packets > MTU coming out of the filter.  The question here is 
  > probably how much IP processing we want to do in the bridge code?

This is also something I came across while evaluating pf+if_bridge on
FreeBSD.  NFS fragment reassembly was the first repeatable offender,
and then I found I could wedge the outgoing interface in OACTIVE with
a simple ping -s 8000.  I've also seen my internal interface wedge in
OACTIVE mode after several (10+?) ruleset reloads, with unapparent
cause.  

  
  OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
  ip_fragment() so it could be called from there, and not too much code
  had to be duplicated.
  
          if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
                  bridge_fragment(sc, dst_if, &eh, m);
          else {
  		...
                  bridge_ifenqueue(sc, dst_if, m);
  		...
          }
  
    bridge_fragment()
  
          error = ip_fragment(m, ifp, ifp->if_mtu);
          if (error) {
                  m = NULL;
                  goto dropit;
          }
          
          for (; m; m = m0) {
                  m0 = m->m_nextpkt;
                  m->m_nextpkt = NULL;
  		...
  		error = bridge_ifenqueue(sc, ifp, m);
  		...
  	}
  
  That's one more layer violation in bridge, but stateful filtering
  basically requires fragment reassembly, at least in general.
  
  Daniel
  _______________________________________________
  freebsd-pf@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-pf
  To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060405133930.GV14961>