Re: possible regression handling packet fragmentation in 14.0 with tftp/pxe

In reply to: Dag-Erling_Smørgrav : "Re: possible regression handling packet fragmentation in 14.0 with tftp/pxe"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Gerrit Kühn <gerrit.kuehn_at_aei.mpg.de>
Date: Fri, 21 Jun 2024 09:14:28 UTC

Am Wed, 24 Apr 2024 22:20:07 +0200
schrieb Dag-Erling Smørgrav <des@FreeBSD.org>:

Hello,

I'd like to share my experiences after updating my first router to FreeBSD
14.1:
After updating, the tftp transfers still didn't work. I tried all possible
settings of

set reassemble yes
set reassemble yes no-df
scrub in all
scrub in all fragment reassemble
scrub in all fragment reassemble no-df

Nothing worked. The only thing that did help was disabling larger packet
sizes than 512 bytes by disabling tftp option extensions on the server side
(adding the "-o" option to tftpd), but this is rather a work-around than a
proper fix, of course.

Only after re-reading the release notes of 14.0 I found that I had
completely missed another important change:

---
Layer 3 filtering on if_bridge(4) will do surprising things which aren’t
fail-safe, so net.link.bridge.pfil_member and net.link.bridge.pfil_bridge
now default to zero.
---

As my tinc setup involves bridging one of the routers physical interfaces
with the virtual tap device of the vpn, this change obviously caused pf to
keep its fingers off all filtering (I wonder a bit what kind of surprises
are meant here - I have been using this kind of setup since at least
FreeBSD 7 and cannot remember any).

Anyway, after setting both values back to the old default (1), I can
confirm that both

"scrub in all"

and

"set reassemble yes"

make the tftp transfer work again now as expected. Hooray!

As moving on to the never pf.conf settings is probably a good thing, I
wonder if the two lines are mutually exchangable, i.e., does "scrub in
all" do anything beyond what "set reassemble yes" does?

In any case, special thanks again to DES and Matthew for pointing me into
the right direction.

cu
  Gerrit

> Gerrit Kühn <gerrit.kuehn@aei.mpg.de> writes:
> > Is there an easy way to find out where this commit ends up, i.e.,
> > whether it is merged into 14.0, 14.1 or so?  
> 
> I will make sure it gets into 14.1.
> 
> DES