Page MenuHomeFreeBSD

pf tests: Test scrub fragment reassemble on interfaces with different MTU
ClosedPublic

Authored by kp on Apr 27 2021, 6:49 PM.
Tags
None
Referenced Files
F108595242: D30013.id88408.diff
Sun, Jan 26, 6:24 PM
Unknown Object (File)
Sun, Jan 19, 10:45 PM
Unknown Object (File)
Wed, Jan 1, 5:17 PM
Unknown Object (File)
Mon, Dec 30, 5:43 PM
Unknown Object (File)
Sun, Dec 29, 5:17 PM
Unknown Object (File)
Sat, Dec 28, 5:03 PM
Unknown Object (File)
Dec 27 2024, 10:34 AM
Unknown Object (File)
Dec 11 2024, 9:55 PM

Details

Summary

There's a problem with pf's reassembly code where it produces incorrect
checksums when reassembling across interfaces with different MTUs.
Test this.

PR: 255432
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp requested review of this revision.Apr 27 2021, 6:49 PM

How do you ensure, that the packet is indeed reassembled by pf and not by the receiving stack?

There's no explicit verification for that here. I suppose that if pf did nothing at all this test would still pass.
Happily I know it does actually do something, because it fails right now.

I suppose we could verify the counters on the scrub rule, but that would still only confirm that pf counted the packets and not that it actually reassembled the packet.
The primary intent of this test is to ensure that this configuration actually works, so it doesn't matter much if pf sends out an 8k packet or reassembles and refragments (as it'd do for IPv6).

Can you add a rule to drop fragments in jail "second"?

Can you add a rule to drop fragments in jail "second"?

Interesting idea, but no, pf doesn't look at the fragmentation flag. Not for filtering anyway.

This revision is now accepted and ready to land.Apr 29 2021, 12:45 PM