pf + scrub fragment reassemble + if_bridge = bad?
David Duchscher
daved at tamu.edu
Sat Apr 7 21:20:42 UTC 2007
On Apr 7, 2007, at 3:51 PM, Andrew Thompson wrote:
> On Sat, Apr 07, 2007 at 03:01:09PM -0500, David Duchscher wrote:
>> Ran into a problem the other day and wanted to drop a note and see
>> if I should follow up with a PR. Running a box as a bridging firewall
>> and ran into a problem with giant packets being reported by the router
>> on one end and OSPF routing dropping. Seems that once a packet is
>> reassembled by pf, it gets forwarded on through the bridge and out
>> onto the wire. In this case, it was an OSPF packet that ended up
>> being 1540 bytes long. Of course, turning off the scrub rules fixes
>> the problem but I was wondering if this is expected behavior, a
>> bug, or has already been fixed.
>>
>> The box is running 6.1-RELEASE i386. Network interfaces are em
>> gigabit interfaces with MTU at 1500.
>
> You are quite right and this has been fixed from 6.2. You will either
> need to upgrade to that or manually apply r1.11.2.31
Sweet and thanks. I swear I looked to see if a fix had already been
committed but obviously I missed it.
--
DaveD