Don't drop fragmented packets when reassembly is disabled, they can be matched by rules with "fragment" keyword. Ensure that presence of scrub rules forces old behaviour.
Details
Details
- Reviewers
kp - Commits
- rGede5d4ff5b39: pf: Fix packet reassembly
D42354 is needed for tests. I kindly ask you to run the tests because I ran into some issues with my testing environment. I was able to "debug" each of tests in this patch, though. The patch was written against 14-STABLE, I don't have a 15 environment yet and I believe this fix is quite important.
Diff Detail
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Comment Actions
I've not yet investigated why, but I'm seeing a lot of failures with both of these patches:
fragmentation_compat:reassemble -> failed: atf-check failed; see the output of the test for details [1.535s] fragmentation_no_reassembly:match_fragment_v4 -> failed: atf-check failed; see the output of the test for details [4.429s] fragmentation_no_reassembly:match_full_v4 -> failed: atf-check failed; see the output of the test for details [4.646s] fragmentation_pass:no_df -> failed: atf-check failed; see the output of the test for details [6.014s] fragmentation_pass:overindex -> failed: atf-check failed; see the output of the test for details [7.288s] fragmentation_pass:overreplace -> failed: atf-check failed; see the output of the test for details [5.086s] fragmentation_pass:reassemble -> failed: atf-check failed; see the output of the test for details [1.891s] fragmentation_pass:too_many_fragments -> failed: atf-check failed; see the output of the test for details [0.266s] killstate:gateway -> failed: atf-check failed; see the output of the test for details [7.032s] killstate:id -> failed: atf-check failed; see the output of the test for details [6.784s] killstate:interface -> failed: atf-check failed; see the output of the test for details [5.782s] killstate:label -> failed: atf-check failed; see the output of the test for details [6.473s] killstate:multilabel -> failed: atf-check failed; see the output of the test for details [6.051s] killstate:v4 -> failed: atf-check failed; see the output of the test for details [5.888s] map_e:map_e -> failed: nc failed (0) [3.012s] modulate:modulate_v4 -> failed: atf-check failed; see the output of the test for details [5.336s] nat:exhaust -> failed: atf-check failed; see the output of the test for details [13.429s] pass_block:urpf -> failed: atf-check failed; see the output of the test for details [1.157s] pass_block:v4 -> failed: atf-check failed; see the output of the test for details [2.076s] proxy:ftp -> failed: atf-check failed; see the output of the test for details [15.177s] route_to:icmp_nat -> failed: atf-check failed; see the output of the test for details [11.440s] rtable:forward_v4 -> failed: atf-check failed; see the output of the test for details [6.317s] rules_counter:get_clear -> failed: atf-check failed; see the output of the test for details [4.109s] rules_counter:keepcounters -> failed: atf-check failed; see the output of the test for details [4.161s] scrub_compat:max_mss_v4 -> failed: atf-check failed; see the output of the test for details [5.232s] scrub_compat:min_ttl_v4 -> failed: atf-check failed; see the output of the test for details [5.169s] scrub_compat:no_scrub_v4 -> failed: atf-check failed; see the output of the test for details [5.103s] scrub_compat:set_tos_v4 -> failed: atf-check failed; see the output of the test for details [5.431s] scrub_pass:max_mss_v4 -> failed: atf-check failed; see the output of the test for details [5.114s] scrub_pass:min_ttl_v4 -> failed: atf-check failed; see the output of the test for details [5.109s] scrub_pass:set_tos_v4 -> failed: atf-check failed; see the output of the test for details [5.189s] scrub_pass:set_tos_v6 -> failed: atf-check failed; see the output of the test for details [5.148s] set_skip:pr255852 -> failed: atf-check failed; see the output of the test for details [1.151s] set_skip:set_skip_dynamic -> failed: atf-check failed; see the output of the test for details [12.637s] set_tos:v4 -> failed: atf-check failed; see the output of the test for details [13.420s] syncookie:adaptive -> failed: atf-check failed; see the output of the test for details [12.458s] syncookie:basic -> failed: atf-check failed; see the output of the test for details [11.325s] syncookie:forward -> failed: atf-check failed; see the output of the test for details [11.440s] syncookie:nostate -> failed: atf-check failed; see the output of the test for details [12.298s] syncookie:port_reuse -> failed: atf-check failed; see the output of the test for details [11.394s] synproxy:local -> failed: atf-check failed; see the output of the test for details [11.808s] synproxy:synproxy -> failed: atf-check failed; see the output of the test for details [12.135s] table:anchor -> failed: atf-check failed; see the output of the test for details [0.173s] table:v4_counters -> failed: atf-check failed; see the output of the test for details [3.364s] tos:v4 -> failed: atf-check failed; see the output of the test for details [1.002s]
Comment Actions
With fixed cleanups of freshly added tests this issue is gone. While fixing working this I also found that one more tests does not work correctly, the issue is addressed in a separate review D42363, as it's not related to this review.