From: Ilya Bakulin
To: Kristof Provost
Cc: freebsd-net@freebsd.org, clusteradm@freebsd.org, Mark Felder, freebsd-pf@freebsd.org
Subject: PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)
Date: Thu, 18 Dec 2014 11:29:01 +0100
Organization: Deglitch Networks
In-Reply-To: <20141109201557.GH2044@vega.codepro.be>
References: <1415210423.3394438.187470637.21CD8D3D@webmail.messagingengine.com> <9355b23f1a07008eca61f16ebd828d0b@mail.bakulin.de> <20141107133101.GF2044@vega.codepro.be> <545F6C8F.6010700@bakulin.de> <20141109201557.GH2044@vega.codepro.be>
Message-ID: <694672ef2ebe8adb6badcd4b059942c1@mail.bakulin.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2014-11-09 21:15, Kristof Provost wrote:
> On 2014-11-09 14:30:55 (+0100), Ilya Bakulin wrote:
>> On 07.11.14, 14:31, Kristof Provost wrote:
> You can find the patch series here:
> http://www.sigsegv.be/files/pf_inet6_frag.tar
> and everything in one big patch here:
> http://www.sigsegv.be/files/pf_inet6_frag.patch
>
> It's not cleaned up yet, or even extensively tested.
> Basically the only testing that's been done is setting up a pf config to
> drop all traffic except icmp echo requests, and then sending out
> fragmented icmp echo requests. Without the patch those get dropped, with
> the patch they make it through the firewall.
> I've done some quick flood ping testing, so I'm reasonably confident it
> doesn't leak mbufs.
>
> I started from the OpenBSD work, and imported and adjusted their inet6
> defragmentation patches.
>
> Regards,
> Kristof

Hi Kristof,

I have tested your patchset and it works!

Apart from testing with fragmented ICMPv6 requests, I've performed a UDP test using Scapy:

    >>> pkt = IPv6(dst="fdf9:37e3:7c53::100:2")/IPv6ExtHdrFragment()/UDP(dport=8000)/("a" * 10000)
    >>> pktlist = fragment6(pkt, 1000)
    >>> send(pktlist)

fdf9:37e3:7c53::100:2 in this case is the address of my FreeBSD 11-CURRENT VM running with your patch.

Sending pktlist on the wire results in 11 packets being sent; they all get reassembled by PF and I can receive the data if I start nc on UDP port 8000.

What I want to do is to do the test with overlapping fragments (that should be dropped because overlapping IPv6 fragments are forbidden) and maybe some other non-typical packets.

At this point I would like to ask clusteradm@ (CC'ed) to at least look at this patchset. The distinction between CROP and DROP that was dropped upstream is IMHO not important :-) I highly doubt that it makes any difference to anyone, and particularly at the FreeBSD cluster.

On the other hand, clusteradm@ people have complained about missing IPv6 fragment support -- so here is the solution.

--
Ilya
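The overlapping-fragment case discussed in this thread is what a reassembler on the firewall side has to reject: RFC 8200 section 4.5 defines the 8-octet Fragment extension header, and RFC 5722 requires that a datagram with any overlapping fragments be discarded as a whole rather than patched together. The following is an added, self-contained Python illustration of that check, written for this page and not part of Kristof's patch or of pf; it parses and builds raw Fragment headers without Scapy so it runs offline, and the payload, identification value 0x1234 and the three-way split are constructed sample inputs.

```python
import struct

FRAG_HDR_LEN = 8  # IPv6 Fragment extension header is always 8 octets (RFC 8200 sec. 4.5)


def parse_fragment(buf):
    """Parse a Fragment header plus the fragment data that follows it.

    Returns (next_header, identification, byte_offset, more_flag, data).
    The 13-bit Fragment Offset field counts 8-octet units; it is converted to bytes.
    """
    if len(buf) < FRAG_HDR_LEN:
        raise ValueError("truncated fragment header")
    nxt, _reserved, off_flags, ident = struct.unpack("!BBHI", buf[:FRAG_HDR_LEN])
    byte_offset = (off_flags >> 3) * 8
    more = bool(off_flags & 0x1)
    return nxt, ident, byte_offset, more, buf[FRAG_HDR_LEN:]


def build_fragment(nxt, ident, byte_offset, more, data):
    """Build a Fragment header + data (used only to construct sample input here)."""
    if byte_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    if more and len(data) % 8:
        raise ValueError("all fragments except the last must carry a multiple of 8 octets")
    off_flags = ((byte_offset // 8) << 3) | (1 if more else 0)
    return struct.pack("!BBHI", nxt, 0, off_flags, ident) + data


def reassemble(fragment_bufs):
    """Reassemble the fragments of one datagram.

    Returns ("ok", payload), ("overlap", None) or ("incomplete", None).
    Per RFC 5722 any overlap discards the whole datagram; a firewall that
    reassembles before filtering must therefore drop the entire set.
    """
    pieces = []
    total_len = None
    ident = None
    for buf in fragment_bufs:
        _nxt, frag_id, offset, more, data = parse_fragment(buf)
        if ident is None:
            ident = frag_id
        elif frag_id != ident:
            raise ValueError("fragments belong to different datagrams")
        if not more:
            end = offset + len(data)
            if total_len is not None and total_len != end:
                return ("overlap", None)  # two "last" fragments disagree on the total length
            total_len = end
        pieces.append((offset, data))
    pieces.sort()
    # Walk the fragments in offset order: each must start exactly where the
    # previous one ended. Starting earlier is an overlap, later is a gap.
    expected = 0
    out = bytearray()
    for offset, data in pieces:
        if offset < expected:
            return ("overlap", None)
        if offset > expected:
            return ("incomplete", None)
        if total_len is not None and offset + len(data) > total_len:
            return ("overlap", None)  # data extends past the final fragment's end
        out += data
        expected = offset + len(data)
    if total_len is None or expected != total_len:
        return ("incomplete", None)
    return ("ok", bytes(out))


def demo():
    """Constructed sample: a clean 3-fragment datagram and an overlapping variant."""
    payload = bytes(range(40))  # constructed 40-byte payload (hypothetical UDP data)
    udp = 17
    good = [
        build_fragment(udp, 0x1234, 0, True, payload[0:16]),
        build_fragment(udp, 0x1234, 16, True, payload[16:32]),
        build_fragment(udp, 0x1234, 32, False, payload[32:40]),
    ]
    # The second fragment restarts at offset 8, re-covering bytes already carried by the first.
    overlapping = [
        build_fragment(udp, 0x1234, 0, True, payload[0:16]),
        build_fragment(udp, 0x1234, 8, True, payload[8:24]),
        build_fragment(udp, 0x1234, 24, False, payload[24:40]),
    ]
    return reassemble(good), reassemble(overlapping)


if __name__ == "__main__":
    print(demo())
```

The status values make the two failure modes distinguishable: a reassembly queue that keeps "incomplete" sets around until a timeout is normal behaviour, while an "overlap" result is the case a firewall should log and drop outright, and it is the observable difference a test such as the one described above would look for.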