Hi,
I saw an issue with fragment reassembling in 1.2-RELEASE when using
"Clear DF bit instead of dropping".
Test (both machines running Linux):
a) Machine A pings Machine B with 1328 bytes (MTU on A is 1356):
   -> OK
b) Machine A pings Machine B with 1473 bytes (MTU on A is 1356):
   -> OK
c) Machine A pings Machine B within 1329 to 1472 bytes (MTU on A is 1356):
   -> Not OK
In a) the traffic hasn't been fragmented, because the size is in the
allowed MTU range.
In b) the traffic has been fragmented on side A and was put out on side
B's interface fragmented.
In c) the traffic has been fragmented on side A and was put out on side
B's interface not fragmented (reassembled, because MTU on side B is
1500) with bad cksum:
17:46:04.894889 IP (tos 0x0, ttl 62, id 43821, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum 453 (->3c3)!)
    vpnadmin03.salzburgresearch.at > ubuntu.salzburgresearch.at: ICMP echo request, id 12371, seq 2, length 1480
17:46:05.895166 IP (tos 0x0, ttl 62, id 59197, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum c842 (->c7b2)!)
    vpnadmin03.salzburgresearch.at > ubuntu.salzburgresearch.at: ICMP echo request, id 12371, seq 3, length 1480
17:46:06.895501 IP (tos 0x0, ttl 62, id 41040, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum f30 (->ea0)!)
    vpnadmin03.salzburgresearch.at > ubuntu.salzburgresearch.at: ICMP echo request, id 12371, seq 4, length 1480
17:46:07.896383 IP (tos 0x0, ttl 62, id 40535, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum 1129 (->1099)!)
    vpnadmin03.salzburgresearch.at > ubuntu.salzburgresearch.at: ICMP echo request, id 12371, seq 5, length 1480
17:46:08.896641 IP (tos 0x0, ttl 62, id 9593, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum 8a07 (->8977)!)
    vpnadmin03.salzburgresearch.at > ubuntu.salzburgresearch.at: ICMP echo request, id 12371, seq 6, length 1480
All checksums differ with a value of 144 (0x80 hex).
Is this behaviour known? Does it occur in 1.2.1, too?
BTW: If "Clear DF bit instead of dropping" isn't set, no packets are
coming through.
Regards,
P. Allgeyer
---------------------------------------------------------------------------
copyleft(c) by | "...Unix, MS-DOS, and Windows NT (also known
Peter Allgeyer | _-_ as the Good, the Bad, and the Ugly)." (By
| 0(o_o)0 Matt Welsh)
---------------oOO--(_)--OOo-----------------------------------------------
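
Added example (not part of the original message): a Python check that parses the `bad cksum` records quoted above and computes the one's-complement difference between the checksum on the wire and the one tcpdump expected. It also tests one hypothesis, assumed here and not stated in the post, that only the total-length field was stale when the checksum was computed; `first_fragment_len` and `implied_lengths` are names chosen for this example.

```python
import re

# tcpdump -v records copied from the message above, re-joined to one line each
# (the hostname/ICMP continuation lines are not needed for the header check).
CAPTURE = """\
17:46:04.894889 IP (tos 0x0, ttl 62, id 43821, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum 453 (->3c3)!)
17:46:05.895166 IP (tos 0x0, ttl 62, id 59197, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum c842 (->c7b2)!)
17:46:06.895501 IP (tos 0x0, ttl 62, id 41040, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum f30 (->ea0)!)
17:46:07.896383 IP (tos 0x0, ttl 62, id 40535, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum 1129 (->1099)!)
17:46:08.896641 IP (tos 0x0, ttl 62, id 9593, offset 0, flags [none], proto: ICMP (1), length: 1500, bad cksum 8a07 (->8977)!)
"""

RECORD = re.compile(
    r"id (?P<id>\d+),.*?length:? (?P<len>\d+), "
    r"bad cksum (?P<seen>[0-9a-f]+) \(->(?P<want>[0-9a-f]+)\)!"
)

def parse(capture):
    """Return one dict per packet that tcpdump flagged with a bad IP checksum."""
    rows = []
    for m in RECORD.finditer(capture):
        seen, want = int(m["seen"], 16), int(m["want"], 16)
        # The IPv4 checksum is a 16-bit one's-complement sum (RFC 1071), so
        # differences are taken modulo 0xFFFF, not 0x10000.
        delta = (seen - want) % 0xFFFF
        rows.append({"id": int(m["id"]), "len": int(m["len"]), "delta": delta})
    return rows

def first_fragment_len(mtu, ihl=20):
    """Total length of a first fragment: header plus payload cut to 8-byte units."""
    return ihl + (mtu - ihl) // 8 * 8

def implied_lengths(rows):
    """Total-length each checksum would be correct for, if only length were stale."""
    # checksum = ~sum, so a checksum that is too high by delta means the header
    # words that were summed were too low by delta (hypothesis: the length word).
    return {r["len"] - r["delta"] for r in rows}

if __name__ == "__main__":
    rows = parse(CAPTURE)
    print("deltas:", sorted({r["delta"] for r in rows}))
    print("implied total length:", implied_lengths(rows))
    print("first fragment at MTU 1356:", first_fragment_len(1356))
```

For these five records the delta is the same in every packet, and the total length implied under the stale-length hypothesis equals the length of a first fragment cut at the 1356-byte MTU from the test setup.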