Bug 197648 - ipfw reass ineffective after upgrade to 10.1
Summary: ipfw reass ineffective after upgrade to 10.1
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.1-RELEASE
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-ipfw mailing list
Keywords: regression
Depends on:
Reported: 2015-02-14 17:32 UTC by Richard Smith
Modified: 2015-03-10 01:49 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Richard Smith 2015-02-14 17:32:21 UTC
Just upgraded a bridging firewall from 10.0 to 10.1-RELEASE-p5. The first rule is:
 reass all from any to any in

The only time I receive fragmented UDP packets is when my DNS server attempts to resolve www.freebsd.org, as it returns large UDP packets which are fragmented over my broadband connection:

17:09:54.182826 IP > 36047 [1au] A? wfe0.ysv.freebsd.org. (49)
17:09:54.202100 IP > 36047*- 2/4/11 A, RRSIG (1424)

I added the reass rule in 10.0 and it's been working perfectly. I upgraded to 10.1-RELEASE-p5 and everything else works as expected except that www.freebsd.org does not resolve.

I added:
 allow ip from any to any frag

...just after the check-state rule, and that fixed the problem (but only after the reass rule was first deleted).

It seems that the reass rule is absorbing fragments but not passing them perhaps. This bridging firewall only sees IPv4 traffic. Tcpdump shows the response packet on the external interface and the bridge interface, but not the internal interface.

A sanitised version of the rules are here: http://rdls.net/dl/bridge/rc.firewall.local

uname -a:
 FreeBSD motoko.rdls.net 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64