Date: Wed, 5 Apr 2006 15:06:45 +0200 From: Daniel Hartmeier <daniel@benzedrine.cx> To: Max Laier <max@love2party.net> Cc: Andrew Thompson <thompsa@freebsd.org>, freebsd-pf@freebsd.org Subject: Re: broken ip checksum after frag reassemble of nfs READDIR? Message-ID: <20060405130645.GB5683@insomnia.benzedrine.cx> In-Reply-To: <200604051441.16865.max@love2party.net> References: <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote: > The other big problem that just crossed my mind: Reassembly in the bridge > path!? It doesn't look like the current bridge code on either OS is ready to > deal with packets > MTU coming out of the filter. The question here is > probably how much IP processing we want to do in the bridge code? OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted ip_fragment() so it could be called from there, and not too much code had to be duplicated. if ((len - ETHER_HDR_LEN) > dst_if->if_mtu) bridge_fragment(sc, dst_if, &eh, m); else { ... bridge_ifenqueue(sc, dst_if, m); ... } bridge_fragment() error = ip_fragment(m, ifp, ifp->if_mtu); if (error) { m = NULL; goto dropit; } for (; m; m = m0) { m0 = m->m_nextpkt; m->m_nextpkt = NULL; ... error = bridge_ifenqueue(sc, ifp, m); ... } That's one more layer violation in bridge, but stateful filtering basically requires fragment reassembly, at least in general. Daniel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060405130645.GB5683>