I was able to reproduce this issue with a clean installation of 4.2 as
well: so long as the AP uses pgt, pf's scrub is broken.  Thoughts?

On 10/31/07, Daniel Melameth <[EMAIL PROTECTED]> wrote:
> I recently changed my 4.1-stable AP from ral to pgt only to find pf not
> scrubbing packets anymore.  To make this confusion more simple, I made a
> temporary simple pf.conf:
>
> $ sudo cat /etc/pf.conf
> external_if = "pppoe0"
>
> set debug loud
>
> scrub in on $external_if all
> scrub out on $external_if all max-mss 1452
>
> nat on $external_if from ! $external_if -> ( $external_if )
>
> block in log on $external_if
>
> pass out quick on $external_if inet proto tcp to any
> pass out quick on $external_if inet proto { udp, gre, icmp } to any
>
> block out log on $external_if
>
>
> With this ruleset I now have the following:
>
> $ sudo pfctl -vvs rules
> @0 scrub in on pppoe0 all fragment reassemble
>  [ Evaluations: 2051      Packets: 292       Bytes: 45542       States: 0 ]
>  [ Inserted: uid 0 pid 10012 ]
> @1 scrub out on pppoe0 all max-mss 1452 fragment reassemble
>  [ Evaluations: 236       Packets: 236       Bytes: 9859        States: 0 ]
>  [ Inserted: uid 0 pid 10012 ]
> @0 block drop in log on pppoe0 all
>  [ Evaluations: 831       Packets: 4         Bytes: 1092        States: 0 ]
>  [ Inserted: uid 0 pid 10012 ]
> @1 pass out quick on pppoe0 inet proto tcp all flags S/SA keep state
>  [ Evaluations: 32        Packets: 242       Bytes: 55041       States: 7 ]
>  [ Inserted: uid 0 pid 10012 ]
> @2 pass out quick on pppoe0 inet proto udp all keep state
>  [ Evaluations: 19        Packets: 23        Bytes: 3049        States: 3 ]
>  [ Inserted: uid 0 pid 10012 ]
> @3 pass out quick on pppoe0 inet proto gre all keep state
>  [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0 ]
>  [ Inserted: uid 0 pid 10012 ]
> @4 pass out quick on pppoe0 inet proto icmp all keep state
>  [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0 ]
>  [ Inserted: uid 0 pid 10012 ]
> @5 block drop out log on pppoe0 all
>  [ Evaluations: 7         Packets: 7         Bytes: 280         States: 0 ]
>  [ Inserted: uid 0 pid 10012 ]
>
>
> However, a simple visit to a web site when using pgt shows scrub is not
> scrubbing as my mss is 1460:
>
> $ sudo tcpdump -ni pppoe0 port 80
> tcpdump: listening on pppoe0, link-type PPP_ETHER
> 12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S
> 2341795589:2341795589(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
> (DF)
> 12:05:46.969268 64.37.182.61.80 > x.y.101.219.58561: S
> 3585146952:3585146952(0) ack 2341795590 win 8190 <mss 1460>
> 12:05:46.970368 x.y.101.219.58561 > 64.37.182.61.80: . ack 1 win 17520 (DF)
> 12:05:46.970902 x.y.101.219.58561 > 64.37.182.61.80: P 1:642(641) ack 1 win
> 17520 (DF)
> 12:05:47.056958 64.37.182.61.80 > x.y.101.219.58561: P 1:636(635) ack 642
> win 19200 (DF)
> 12:05:47.060172 x.y.101.219.58561 > 64.37.182.61.80: P 642:1347(705) ack 636
> win 16885 (DF)
> 12:05:47.151883 64.37.182.61.80 > x.y.101.219.58561: P 3556:3780(224) ack
> 1347 win 8190
> 12:05:47.152153 64.37.182.61.80 > x.y.101.219.58561: P 2096:2100(4) ack 1347
> win 8190 (frag 55634:[EMAIL PROTECTED])
> 12:05:47.153298 x.y.101.219.58561 > 64.37.182.61.80: . ack 636 win 16885
> (DF)
> 12:05:47.156386 x.y.101.219.58561 > 64.37.182.61.80: . ack 636 win 16885
> (DF)
>
>
> But if I simply put the ral card back and reboot, scrub works again, and this
> is reproducible.
>
> $ sudo tcpdump -ni pppoe0 port 80
> tcpdump: listening on pppoe0, link-type PPP_ETHER
> 11:14:32.100411 x.y.115.226.53842 > 64.37.182.61.80: S
> 3135555284:3135555284(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK>
> (DF)
> 11:14:32.176738 64.37.182.61.80 > x.y.115.226.53842: S
> 2437399687:2437399687(0) ack 3135555285 win 8190 <mss 1452>
> 11:14:32.177300 x.y.115.226.53842 > 64.37.182.61.80: . ack 1 win 17424 (DF)
> 11:14:32.177661 x.y.115.226.53842 > 64.37.182.61.80: P 1:642(641) ack 1 win
> 17424 (DF)
> 11:14:32.263894 64.37.182.61.80 > x.y.115.226.53842: P 1:636(635) ack 642
> win 32767 (DF)
> 11:14:32.266375 x.y.115.226.53842 > 64.37.182.61.80: P 642:1347(705) ack 636
> win 16789 (DF)
> 11:14:32.360790 64.37.182.61.80 > x.y.115.226.53842: P 636:2088(1452) ack
> 1347 win 8190 (DF)
> 11:14:32.361099 64.37.182.61.80 > x.y.115.226.53842: P 3540:3773(233) ack
> 1347 win 8190
>
>
> I don't get it.  I haven't had much sleep, but what's missing here?  The
> hostname.if for the ral and pgt cards are identical.
>
>
> For what it's worth, here's the output from pf debug load during the session
> when using the pgt card:
>
> Oct 31 12:05:46 meth /bsd: pf_map_addr: selected address x.y.101.219
> Oct 31 12:05:47 meth /bsd: pf_normalize_ip: reass frag 21209 @ 0-24
> Oct 31 12:05:47 meth /bsd: pf_normalize_ip: reass frag 21209 @ 24-1480
> Oct 31 12:05:47 meth /bsd: pf_reassemble: 1480 < 1480?
> Oct 31 12:05:47 meth /bsd: pf_reassemble: complete: 0xd6aeb100(1500)
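One way to automate the check the post does by eye, as an added example that is not from this thread: parse tcpdump output, pull the MSS out of every SYN, and flag any whose MSS exceeds the max-mss that scrub should enforce. The sample lines are constructed from the traces quoted above, and the local address prefix used to keep only outbound SYNs is an assumption.

```python
import re
from typing import NamedTuple, List, Optional

# Constructed sample, modelled on the tcpdump lines in the post: two SYNs from
# the pgt session (MSS 1460, not clamped) and one from the ral session (MSS 1452).
SAMPLE = """\
12:05:46.892243 x.y.101.219.58561 > 64.37.182.61.80: S 2341795589:2341795589(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF)
12:05:46.969268 64.37.182.61.80 > x.y.101.219.58561: S 3585146952:3585146952(0) ack 2341795590 win 8190 <mss 1460>
12:05:46.970368 x.y.101.219.58561 > 64.37.182.61.80: . ack 1 win 17520 (DF)
11:14:32.100411 x.y.115.226.53842 > 64.37.182.61.80: S 3135555284:3135555284(0) win 8192 <mss 1452,nop,wscale 2,nop,nop,sackOK> (DF)
"""

# A tcpdump line carrying a SYN (flag "S"); captures the TCP option list in <...>.
SYN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): S .*?<(?P<opts>[^>]*)>")
MSS_RE = re.compile(r"\bmss (\d+)")


class SynMss(NamedTuple):
    ts: str
    src: str       # host.port as printed by tcpdump -n
    dst: str
    mss: int
    clamped: bool  # True when mss <= the max-mss scrub should enforce


def parse_syn_mss(text: str, max_mss: int, local_prefix: Optional[str] = None) -> List[SynMss]:
    """Extract the MSS announced in every SYN/SYN-ACK in tcpdump text.

    local_prefix (assumed: the AP's own address as tcpdump prints it) keeps only
    SYNs sent from that host, since the post's ruleset clamps on 'scrub out' only.
    """
    records = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue  # not a SYN; plain ACK/PSH segments carry no MSS option
        if local_prefix and not m.group("src").startswith(local_prefix + "."):
            continue  # inbound SYN-ACK; not covered by 'scrub out ... max-mss'
        mm = MSS_RE.search(m.group("opts"))
        if not mm:
            continue  # SYN without an MSS option (legal, nothing to check)
        mss = int(mm.group(1))
        records.append(SynMss(m.group("ts"), m.group("src"), m.group("dst"), mss, mss <= max_mss))
    return records


def unclamped(text: str, max_mss: int, local_prefix: Optional[str] = None) -> List[SynMss]:
    """SYNs whose MSS scrub failed to clamp; an empty list means max-mss is working."""
    return [r for r in parse_syn_mss(text, max_mss, local_prefix) if not r.clamped]
```

Feed it `tcpdump -ni pppoe0 port 80` output with the max-mss from the ruleset (1452 here); any record returned by `unclamped` is a SYN that left the box with scrub not applied.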
