udp fragmentation
Hugo Koji Kobayashi
koji at registro.br
Thu May 31 13:49:25 UTC 2007
Hi Max,
Please find attached the test results after enabling extended
logging.
I've done the test twice, changing dig's "+bufsize" parameter.
Thanks,
Hugo
On Wed, May 30, 2007 at 10:02:03AM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> > While making some tests with fragmented udp DNS responses (with
> > EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> > 7.0 (200705 snapshot).
> >
> > Our test is a DNS query to a DNSSEC-enabled server which replies with
> > a ~4KB udp response. We do this with the following dig command:
> >
> > dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
> >
> > pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> > time out. Disabling the firewall, complete replies are received with no
> > problem. The same test was run on an OpenBSD 4.1 box with no problem.
> >
> > Complete test results were sent to the freebsd-stable and freebsd-net
> > mailing lists and can be found here:
> >
> > http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
> >
> > (The email message above includes tests with ipf)
> >
> >
> > pf rules look like this in all tests:
> >
> > scrub in all fragment reassemble
> > block drop in log all
> > pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> > pass out on bge0 proto tcp all flags S/SA keep state
> > pass out on bge0 proto udp all keep state
> > pass out on bge0 proto icmp all keep state
> >
> >
> > Am I doing something wrong? Is there anything else I should try on
> > FreeBSD?
>
> Can you enable extended logging (pfctl -xm) and check your console for
> messages? Also please check "pfctl -si" for counter increases.
>
> Thanks,
>
> --
> Max
-------------- next part --------------
fbsd7# date; pfctl -si
Tue May 8 04:12:25 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:02:28 Debug: Urgent
Hostid: 0xfd3ea603
State Table Total Rate
current entries 3
searches 335 2.3/s
inserts 39 0.3/s
removals 36 0.2/s
Counters
match 39 0.3/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
fbsd7# date ; pfctl -xm
Tue May 8 04:13:00 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'
fbsd7# date ; pfctl -si
Tue May 8 04:13:10 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:03:13 Debug: Misc
Hostid: 0xfd3ea603
State Table Total Rate
current entries 3
searches 370 1.9/s
inserts 39 0.2/s
removals 36 0.2/s
Counters
match 39 0.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
fbsd7# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
---- Console begin
pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: 4094 < 4094?
pf_reassemble: complete: 0xc4338000(4114)
---- Console end
fbsd7# date ; pfctl -si
Tue May 8 04:15:24 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:05:27 Debug: Misc
Hostid: 0xfd3ea603
State Table Total Rate
current entries 3
searches 405 1.2/s
inserts 40 0.1/s
removals 37 0.1/s
Counters
match 40 0.1/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
# dig @192.36.144.107 se dnskey +dnssec +bufsize=4000 +retry=0
; <<>> DiG 9.3.4 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4000 +retry=0
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
%
---- Console begin
pf_normalize_ip: reass frag 12137 @ 0-1480
pf_normalize_ip: reass frag 12137 @ 1480-2960
pf_normalize_ip: reass frag 12137 @ 2960-3932
pf_reassemble: 3932 < 3932?
pf_reassemble: complete: 0xc443b600(3952)
---- Console end
fbsd7# date ; pfctl -si
Tue May 8 04:17:02 BRT 2007
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:07:05 Debug: Misc
Hostid: 0xfd3ea603
State Table Total Rate
current entries 5
searches 661 1.6/s
inserts 42 0.1/s
removals 37 0.1/s
Counters
match 42 0.1/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
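As an added illustration (not part of the thread or of pf itself), the console lines above can be checked mechanically: the three fragments must cover 0..N contiguously, and pf's "complete" length equals N plus the 20-byte IPv4 header (4114 = 4094 + 20, 3952 = 3932 + 20). The helper below parses those debug lines and also computes the fragment boundaries a sender emits for a given payload length, assuming a 1500-byte MTU and a 20-byte IPv4 header; the sample log is copied from the bufsize=4500 run.

```python
import re
from typing import Dict, List, Tuple

IPV4_HDR = 20  # bytes; pf's "complete" length includes the IP header (assumed, matches the log)

# Constructed sample: pf debug-console lines from the bufsize=4500 run above.
SAMPLE_LOG = """\
pf_normalize_ip: reass frag 11881 @ 0-1480
pf_normalize_ip: reass frag 11881 @ 1480-2960
pf_normalize_ip: reass frag 11881 @ 2960-4094
pf_reassemble: 4094 < 4094?
pf_reassemble: complete: 0xc4338000(4114)
"""

FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
DONE_RE = re.compile(r"pf_reassemble: complete: 0x[0-9a-fA-F]+\((\d+)\)")


def expected_fragments(payload_len: int, mtu: int = 1500) -> List[Tuple[int, int]]:
    """Offset ranges an IPv4 sender emits for payload_len bytes at the given MTU.
    Every non-final fragment carries (mtu - 20) bytes rounded down to 8-byte units."""
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    ranges, off = [], 0
    while off < payload_len:
        end = min(off + per_frag, payload_len)
        ranges.append((off, end))
        off = end
    return ranges


def check_reassembly(log: str) -> Dict[int, dict]:
    """Group 'reass frag' lines by IP id, verify the offsets are contiguous from 0,
    and confirm a matching 'complete' line (payload + IP header) was printed."""
    frags: Dict[int, List[Tuple[int, int]]] = {}
    completed: List[int] = []
    for line in log.splitlines():
        m = FRAG_RE.search(line)
        if m:
            frags.setdefault(int(m.group(1)), []).append((int(m.group(2)), int(m.group(3))))
            continue
        m = DONE_RE.search(line)
        if m:
            completed.append(int(m.group(1)))
    report = {}
    for ident, ranges in frags.items():
        ranges.sort()
        contiguous = ranges[0][0] == 0 and all(a[1] == b[0] for a, b in zip(ranges, ranges[1:]))
        payload_len = ranges[-1][1]
        report[ident] = {"fragments": ranges, "contiguous": contiguous,
                         "payload_len": payload_len,
                         "reassembled": (payload_len + IPV4_HDR) in completed}
    return report
```

If `reassembled` is true but dig still times out, the loss is after scrub's reassembly, which is what these logs show.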