
Re: PF/NAT UDP fragment problem



On Fri, 07 Mar 2003, Daniel Hartmeier wrote:
> Your ruleset looks fine, that's exactly how it should work (rdr on
> external, nat on internal, scrub on both).
That's good to know.  Would "scrub in all" work just as well as "scrub
in on {$ExtIf, $IntIf} all fragment reassemble"?
> It must be somehow related to the fragmentation. For some reason, the pf
> box is not reassembling the fragments. To determine the reason, can you
> 
>   a) enable debug logging with pfctl -x m, and check /var/log/messages
>      for entries related to pf fragment reassembly? Ideally, quote all
>      lines related to one packet's fragments being reassembled.
A few of these lines were repeated in /var/log/messages.  Here they are
without the repeats.
pf_normalize_ip: IP_DF
pf_normalize_ip: dropping bad fragment
Mar  7 15:20:02 reflect /bsd: pf_normalize_ip: IP_DF
Mar  7 15:20:02 reflect /bsd: pf_normalize_ip: dropping bad fragment
> 
>   b) get a tcpdump -nvvvXSpi $IntIF output from the pf box for all
>      fragments of a single packet.
> 
> One possible explanation would be if the fragments have the DF (don't
> fragment) flag set. 
Indeed, it does.  I took a look at the tcpdump and the fragments do have
the DF flag set.  
> pf, prior to -current as of a few weeks ago, drops
> them unconditionally. If that's the problem, you could try a snapshot
> (which is stable, now that we approach 3.3-release). If not, hopefully
> the additional output from above shows something.
Excellent.  Thank you for the help.  I'll try -current and see how that
turns out.  If it's still a problem, I'll include the dumped packets,
but I think you found the issue.
Thanks again,
pete
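The condition diagnosed in the thread (fragments arriving with the DF bit set, which that era's pf_normalize_ip logged as "IP_DF" / "dropping bad fragment" and discarded) as an added illustration, not code from the thread or from pf: it decodes IPv4 headers from constructed bytes and reports which datagrams have fragments carrying DF and so would never reassemble on the old code. All function names and sample packets are mine.

```python
import struct

IP_DF = 0x4000      # don't-fragment bit in the flags/fragment-offset field
IP_MF = 0x2000      # more-fragments bit
IP_OFFMASK = 0x1FFF # fragment offset in 8-byte units

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options are ignored)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _tos, total_len, ident, frag_field, _ttl, proto, _csum, _src, _dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "id": ident,
        "df": bool(frag_field & IP_DF),
        "mf": bool(frag_field & IP_MF),
        "offset": (frag_field & IP_OFFMASK) * 8,
        "proto": proto,
        "total_len": total_len,
    }

def classify(hdr: dict) -> str:
    """'whole' = not a fragment; 'fragment' = reassemblable fragment;
    'fragment_df' = fragment with DF set, the case the old pf dropped."""
    is_fragment = hdr["mf"] or hdr["offset"] > 0
    if not is_fragment:
        return "whole"
    return "fragment_df" if hdr["df"] else "fragment"

def make_header(ident: int, flags_offset: int, payload_len: int, proto: int = 17) -> bytes:
    """Constructed IPv4 header for the demo (checksum left zero, never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_offset, 64, proto, 0,
                       bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))

# Constructed samples: a UDP datagram split in two with DF set on both pieces
# (as in the thread's tcpdump), and the same split without DF.
SAMPLES = {
    "df_first": make_header(0x1234, IP_DF | IP_MF, 1480),
    "df_last":  make_header(0x1234, IP_DF | (1480 // 8), 200),
    "ok_first": make_header(0x1235, IP_MF, 1480),
    "ok_last":  make_header(0x1235, 1480 // 8, 200),
}

def audit(packets) -> set:
    """IP IDs of datagrams that have at least one fragment carrying DF."""
    return {h["id"] for h in map(parse_ipv4_header, packets)
            if classify(h) == "fragment_df"}
```

Running audit over a capture of the IntIf traffic would list exactly the datagrams the old reassembly path rejects; on a fixed pf those same IDs reassemble normally.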