Re: PF IPv6 fragments handling

2015-03-16 Thread Kristof Provost
On 2015-03-16 09:51:55 (-0400), Eric van Gyzen wrote:
> Here is a brainstorm that might give the best of both: Return the
> reassembled packet from PFIL_IN, but with the original fragment chain
> stashed in metadata. Most of the stack operates on the single,
> reassembled packet. ip6_output() s

Re: PF IPv6 fragments handling

2015-03-16 Thread Eric van Gyzen
On 03/13/2015 22:05, Kristof Provost wrote:
> At that point we run into the packet size check, which in ip6_forward()
> is done before the pfil(PFIL_OUT) hook. That means that we'll send an
> ICMP6_PACKET_TOO_BIG error rather than forwarding the packet.
>
> The proposed fix in D1815 is to simply m

Re: PF IPv6 fragments handling

2015-03-13 Thread Kristof Provost
On 2015-02-10 00:24:16 (+0100), Kristof Provost wrote:
> On 2015-02-03 21:25:20 (+0100), Kristof Provost wrote:
> > Two of my systems are currently running them, seemingly without
> > problems.
> >
> The initial patch set had problems refragmenting in forwarding
> scenarios. That should be fixed

Re: IPv6 fragments handling

2014-12-28 Thread Ilya Bakulin
On 22.12.14, 17:59, 神明達哉 wrote:
> At Sat, 20 Dec 2014 23:40:37 +0100,
> Ilya Bakulin wrote:
>
>> But what we do is just silently discarding the overlapping segment, see [2].
>> When using PF with fragment reassembly, the behavior changes to what RFC
>> says
>> and the packet is completely dropped.

Re: IPv6 fragments handling

2014-12-22 Thread 神明達哉
At Sat, 20 Dec 2014 23:40:37 +0100, Ilya Bakulin wrote:
> But what we do is just silently discarding the overlapping segment, see [2].
> When using PF with fragment reassembly, the behavior changes to what RFC
> says
> and the packet is completely dropped.
>
> There is no security issue with curr

IPv6 fragments handling

2014-12-20 Thread Ilya Bakulin
Hi list, I've been running OpenBSD IPv6 fragmentation tests (regress/sys/netinet6/frag6) and noticed that FreeBSD doesn't drop the IPv6 packet if it receives a fragment that partially overlaps with already received data. The test that fails is frag6_overhead0.py, but also frag6_overhead.py. Ther

Re: PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)

2014-12-18 Thread Kristof Provost
On 2014-12-18 11:29:01 (+0100), Ilya Bakulin wrote:
> On 2014-11-09 21:15, Kristof Provost wrote:
> > On 2014-11-09 14:30:55 (+0100), Ilya Bakulin wrote:
> >> On 07.11.14, 14:31, Kristof Provost wrote:
> > You can find the patch series here:
> > http://www.sigsegv.be/files/pf_inet6_frag.tar
> > a

PF IPv6 fragments handling (was: Re: Checksumming outgoing packets in PF vs in ip[6]_output)

2014-12-18 Thread Ilya Bakulin
On 2014-11-09 21:15, Kristof Provost wrote: On 2014-11-09 14:30:55 (+0100), Ilya Bakulin wrote: On 07.11.14, 14:31, Kristof Provost wrote: You can find the patch series here: http://www.sigsegv.be/files/pf_inet6_frag.tar and everything in one big patch here: http://www.sigsegv.be/files/pf_inet