Date: Wed, 5 Apr 2006 15:06:45 +0200 From: Daniel Hartmeier <daniel@benzedrine.cx> To: Max Laier <max@love2party.net> Cc: Andrew Thompson <thompsa@freebsd.org>, freebsd-pf@freebsd.org Subject: Re: broken ip checksum after frag reassemble of nfs READDIR? Message-ID: <20060405130645.GB5683@insomnia.benzedrine.cx> In-Reply-To: <200604051441.16865.max@love2party.net> References: <20060402054532.GF17711@egr.msu.edu> <20060404145704.GW2684@insomnia.benzedrine.cx> <20060404153443.GX2684@insomnia.benzedrine.cx> <200604051441.16865.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> The other big problem that just crossed my mind: Reassembly in the bridge
> path!? It doesn't look like the current bridge code on either OS is ready to
> deal with packets > MTU coming out of the filter. The question here is
> probably how much IP processing we want to do in the bridge code?
OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
ip_fragment() so it could be called from there, and not too much code
had to be duplicated.
if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
bridge_fragment(sc, dst_if, &eh, m);
else {
...
bridge_ifenqueue(sc, dst_if, m);
...
}
bridge_fragment()
error = ip_fragment(m, ifp, ifp->if_mtu);
if (error) {
m = NULL;
goto dropit;
}
for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = NULL;
...
error = bridge_ifenqueue(sc, ifp, m);
...
}
That's one more layer violation in bridge, but stateful filtering
basically requires fragment reassembly, at least in general.
Daniel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060405130645.GB5683>