 
 From:  "Frank Edwards" <fedwards at internode dot on dot net>
 To:  "'Manuel Kasper'" <mk at neon1 dot net>
 Cc:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] 1.3b2 - IP fragments not passed
 Date:  Sun, 29 Jul 2007 16:47:01 +1000
Hi Manuel,

You're right. I've updated the patch (below) to handle this. The "Allow
fragmented packets" option must be enabled on the m0n0wall firewall rules on
each interface to ensure fragments are passed.

I'm not sure if this is the most elegant place in the code to apply this,
but it seems to be effective. I didn't want to modify fr_addstate as it is
called from different parts of the code. I suspect it may be something
specific to FreeBSD 6.

Let me know how this goes.

--- fil.c.orig	Sat Jul 21 10:38:29 2007
+++ fil.c	Sun Jul 29 15:48:49 2007
@@ -2488,7 +2489,8 @@
 	 * Here rather than fr_firewall because fr_checkauth may decide
 	 * to return a packet for "keep state"
 	 */
-	if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
+	if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE) &&
+		!((fin->fin_flx & FI_FRAGBODY) && (pass & FR_KEEPFRAG))) {
 		if (fr_addstate(fin, NULL, 0) != NULL) {
 			ATOMIC_INCL(frstats[out].fr_ads);
 		} else {
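Review bot: the added clause `!((fin->fin_flx & FI_FRAGBODY) && (pass & FR_KEEPFRAG))` only bypasses fr_addstate() when the rule also carries FR_KEEPFRAG, so fragment bodies on rules without "Allow fragmented packets" still take the NULL return and are dropped, which is the behaviour Manuel asked for; since the existing comment above the condition only explains the fr_checkauth placement, add a one-line comment stating that fragment bodies on keep-frags rules are deliberately left to fragment handling rather than state creation, so the next reader does not have to re-derive it. Separately, the hunk header `@@ -2488,7 +2489,8 @@` starts the new file one line later than the old file even though this is the only hunk shown, so either a line added above this point was left out of the diff or the header is stale; regenerate the diff against fil.c.orig so it applies cleanly.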

Cheers

Frank
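To make the difference between the two patches concrete, here is a small constructed model of the state-creation decision in fr_check() as the thread describes it. This is added example code, not ipfilter's fil.c: the FI_*/FR_* values, the struct layout and the stand-in for fr_addstate() are all assumptions chosen for illustration, and the model covers only the condition discussed in the thread, not the rest of the packet path.

```c
/* Constructed model of the fr_check() state-creation condition discussed in
 * this thread, in its original form and under the two proposed patches.
 * Not ipfilter code: flag values and struct layout are assumed for
 * illustration only; the real bits in fil.c differ. */
#include <stdbool.h>
#include <stdio.h>

#define FI_STATE     0x01  /* assumed: packet already matched a state entry */
#define FI_FRAGBODY  0x02  /* assumed: non-first IP fragment (offset != 0) */
#define FR_KEEPSTATE 0x10  /* assumed: matching rule has "keep state" */
#define FR_KEEPFRAG  0x20  /* assumed: rule has "keep frags" ("Allow fragmented packets") */

struct pkt {
    unsigned fin_flx;  /* per-packet flags, as in fin->fin_flx */
    unsigned pass;     /* rule verdict flags, as in the local 'pass' */
};

enum variant { ORIGINAL, PATCH_V1, PATCH_V2 };

/* Stand-in for fr_addstate() as described in the thread: it never creates
 * state for a fragment body, so it returns NULL (false here) for those. */
static bool addstate_ok(const struct pkt *p)
{
    return !(p->fin_flx & FI_FRAGBODY);
}

/* Returns true when the packet would be passed under the given variant. */
bool passes(enum variant v, const struct pkt *p)
{
    /* Original condition: keep state requested and no state matched yet. */
    bool need_state = (p->pass & FR_KEEPSTATE) && !(p->fin_flx & FI_STATE);

    switch (v) {
    case PATCH_V1:
        /* First patch: skip state creation for every fragment body. */
        if (p->fin_flx & FI_FRAGBODY)
            need_state = false;
        break;
    case PATCH_V2:
        /* Second patch: skip it only when the rule also keeps frags. */
        if ((p->fin_flx & FI_FRAGBODY) && (p->pass & FR_KEEPFRAG))
            need_state = false;
        break;
    default:
        break;
    }

    if (!need_state)
        return true;            /* rule said pass, nothing more to check here */
    return addstate_ok(p);      /* NULL from fr_addstate blocks the packet */
}

/* Convenience wrapper so callers can pass raw flag words. */
bool passes_flags(enum variant v, unsigned fin_flx, unsigned pass)
{
    struct pkt p = { fin_flx, pass };
    return passes(v, &p);
}

int main(void)
{
    static const char *names[] = { "original", "patch v1", "patch v2" };
    /* Constructed sample packets: first fragment or whole packet, fragment
     * body on a plain keep-state rule, fragment body on a keep-frags rule. */
    struct pkt samples[] = {
        { 0,           FR_KEEPSTATE },
        { FI_FRAGBODY, FR_KEEPSTATE },
        { FI_FRAGBODY, FR_KEEPSTATE | FR_KEEPFRAG },
    };
    for (int i = 0; i < 3; i++) {
        printf("fin_flx=0x%02x pass=0x%02x:", samples[i].fin_flx, samples[i].pass);
        for (int v = ORIGINAL; v <= PATCH_V2; v++)
            printf("  %s=%s", names[v], passes((enum variant)v, &samples[i]) ? "pass" : "drop");
        printf("\n");
    }
    return 0;
}
```

Running it shows the table Manuel's test implies: the original drops every fragment body on a keep-state rule, the first patch passes them whether or not the rule keeps frags, and the second passes them only when FR_KEEPFRAG is set.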

-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net] 
Sent: Sunday, 29 July 2007 4:51 AM
To: Frank Edwards
Cc: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: Re: [m0n0wall-dev] 1.3b2 - IP fragments not passed

Hi Frank,

I've now actually tested your fix, and it really makes fragmented packets
work again. However, now they are passed even when the corresponding
firewall rule doesn't have the "Allow fragmented packets" option (= keep
frags in ipfilter) set. Did you observe the same behavior?

Thanks,

Manuel

On 21.07.2007, at 03:24, Frank Edwards wrote:

> G'day
>
> I've taken a look at the fragment bug with 1.3b2 and tracked this down to
> the following fix.
>
> What I observe is that IP packets marked as fragments, with offsets not
> equal to zero (i.e. marked by ipfilter with flag FI_FRAGBODY) arrive on the
> WAN interface OK but are dropped by ipfilter in function fr_check()
> (fil.c). Net result: connections hang when inbound fragmentation is occurring.
>
> This occurs when the call to fr_addstate() is made, even though the
> packet's forwarding rule has been set to pass by the NAT & firewall
> processing. fr_addstate() will always return NULL for any packet passed with
> FI_FRAGBODY. fr_check then blocks these packets based on the NULL return
> from fr_addstate.
>
> So the proposed fix is as follows (this is patched against the
> monowall-patched fil.c).
>
> I've tested this fix using 1.3b2 based on RELENG_6_2.
>
> --- fil.c.orig Sat Jul 21 10:38:29 2007
> +++ fil.c Sat Jul 21 10:38:55 2007
> @@ -2488,7 +2488,7 @@
>    * Here rather than fr_firewall because fr_checkauth may decide
>    * to return a packet for "keep state"
>    */
> - if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
> + if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE) && !(fin- 
> >fin_flx
> & FI_FRAGBODY)) {
>    if (fr_addstate(fin, NULL, 0) != NULL) {
>     ATOMIC_INCL(frstats[out].fr_ads);
>    } else {
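Review bot: the added clause `!(fin->fin_flx & FI_FRAGBODY)` skips fr_addstate() for every fragment body whether or not the rule carries FR_KEEPFRAG, so fragments are passed on rules that do not have "Allow fragmented packets" set; gate the bypass on `pass & FR_KEEPFRAG` as well so that only keep-frags rules let fragment bodies through. Also, the mail client has wrapped the `+` line across three lines (`!(fin-` / `>fin_flx` / `& FI_FRAGBODY)) {`), so the hunk will not apply as pasted; send the diff as an attachment or with line wrapping turned off.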
>
>
> Regards
>
> Frank
>

