Dummynet Broke fragmets in 5.x and 6.x

[Atanas Yankov]

This problem exist in 5.x and 6.x implementations i wrote the email to 
luiggi for this problem
but no answer yet , there is a problem with fragmented traffic that 
going throut pipes,
dummynet  whithout a problem change the ids of the framents and with 
this prevent
reassembling of the fragments , this is true not only for icmp udp icmp 
its true for all ip traffic.

br,
CCNP Atanas Yankov
Network Administrator
AngelSoft Ltd.

Alvaro Saurin wrote:

>
> On 5 Dec 2005, at 14:41, Spadge wrote:
>
>> Alvaro Saurin wrote:
>>
>>> The problem comes here: if I 'ping'  between these two machines,   
>>> everything is fine, but if I 'ping' with a packet size of, ie,  
>>> 2000,  no packets arrive at the receiver. Does it have to do with  
>>> fragmented  packets? Do I have to include any other rule for  
>>> dealing with fragments?
>>
>>
>> 65100      0        0 deny log logamount 5000 ip from any to any frag
>>
>> Does this not effectively kill all frags? Are your unreceived  
>> packets showing up in the log? And if not, are you sure that it's  
>> BSD4 that's losing them, and not ubuntu3?
>>
>> Here's how my firewall handles frags:
>>
>> # Allow IP fragments to pass through
>> /sbin/ipfw add pass all from any to any frag
>>
>> You may also want to set up something similar to handle ICMP.
>>
>> I've not used dummynet pipes in ages, I wonder if setting a larger  
>> queue would help with my disconnect problems, or whether I really  do 
>> just need to give up and reinstall the entire OS.
>
>
> Thank you, you're right, but adding something like 'pass all from any  
> to any frag' does not put the IICMP packets through the dummynet  
> pipe. I am not specially interested in 'ping's, but it happens the  
> same for UDP traffic...
>
> The problem is that, if I put ICMP/UDP/etc traffic through a pipe, it  
> doesn't work when packets are fragmented. And letting fragments out  
> of the pipe does not improve things...
>
> Any idea? Thanks.
>
> Alvaro
>