IPFW How to catch "don't fragment" flag in ipfw

A

ant2

Greetings!

I want to catch ip packets flowed through ipfw with "don't fragment" flag.
I read manual of ipfw a few times but didn't find solution.

Does somebody knows what rule option to use to match packets with DF?

P.S. I'm trying to imitate network setup for Path MTU discovery because of dummy vpn router.
 
I can’t find it either. While ipfw(8) states, that it may filter on „Misc. IP header fields“, the information how to do that seems to be missing.

Your options are:
(1) ask on the mailing list - freebsd-ipfw@freebsd.org.

(2) DIY by the way of a divert daemon. Perhaps you could make use of the one on my GitHub repository which does package filtering based on an IP location database. You would need to replace the 7 lines 335 to 341 with your inspection and filter routine.
github.com

ipdb/geod.c at master · cyclaero/ipdb

Tools for IP based Geo-blocking and Geo-routing - cyclaero/ipdb
github.com github.com
 
Currently, IPFW does not support checking any IP flags. I guess nobody has found a need for that so far.

I think it should be rather easy to implement (if you know C) – just create a new token and keyword appropriately. You can copy the code that handles the ToS field, for example, and change the offset from 1 (ToS / DSCP) to 6 (Flags). The DF flag is bit #1 (0x40, MSB notation) of byte offset 6 in the IP header. If you submit a patch to FreeBSD’s Bugzilla, I’m sure it will be gladly committed (be sure to include an update to the manual page).

Note that only IPv4 has a DF flag. IPv6 does not support this; IPv6 routers are never allowed to fragment packets.
 
Oh... No luck. Every IP field has a corresponding option and only DF has not

Thanks for the answers.

P.S. Unfortunately I have no power to implement it myself.
 
ant2 said:
I want to catch ip packets flowed through ipfw with "don't fragment" flag.
Click to expand...
What exactly do you mean by "catch"? tcpdump(1) will show those flags without issue. You can easily create a filter to specifically capture or log them.
 
ant2 said:
Oh... No luck. Every IP field has a corresponding option and only DF has not
Click to expand...
IP options and IP flags are two different things.
The “don’t fragment” (DF) bit is an IP flag, not an IP option.
IPFW has match keywords for a few IP options (but not for all), but it does not support IP flags at all, including DF.

It would be nice if IPFW had a generic way to match arbitrary bits in headers, specified by offset (tcpdump supports this). But, alas, nobody has implemented that either, so far.
 
ant2 said:
ipfw add unreach needfrag ip from 192.168.12.0/24 to 192.168.0.0/24 iplen 1440-1500 and has_df_flag
Click to expand...
Why would you want to emulate PMTUD like that? You don’t need an IPFW rule for that, it should work automatically, provided that the MTU is configured correctly, and the ICMP packets are not suppressed by a misconfigured firewall.
 
olli@ said:
Why would you want to emulate PMTUD like that? You don’t need an IPFW rule for that, it should work automatically, provided that the MTU is configured correctly, and the ICMP packets are not suppressed by a misconfigured firewall.
Click to expand...
There is a two vpn-routers box that never ever send 'fragmentation needed' message. They silenlty fragment packets.
 
ant2 said:
There is a two vpn-routers box that never ever send 'fragmentation needed' message. They silenlty fragment packets.
Click to expand...
You mean, they drop packets silently? (Otherwise I don’t understand what you mean; silently fragmenting packets should not be a problem.)

I guess something is not configured correctly then. Probably the interface MTU is wrong.
 
olli@ said:
You mean, they drop packets silently? (Otherwise I don’t understand what you mean; silently fragmenting packets should not be a problem.)

I guess something is not configured correctly then. Probably the interface MTU is wrong.
Click to expand...
Alternative is to drop packets with DF flag silently or fragment packets even with DF flag.
 
ant2 said:
Alternative is to drop packets with DF flag silently or fragment packets even with DF flag.
Click to expand...
That would be an RFC violation. Routers are not allowed to fragment IPv4 packets that have the DF flag set. If you have a piece of hardware or software that does that, you should complain to the vendor and/or file a bug report.

Routers that cannot forward a packet because of its size, and the DF flag is set, MUST drop that packet. Additionally they may (but are not required to) return an ICMP type 3 (“destination unreachable”) with code 4 (“fragmentation required but DF set”). See RFC 792. Quote: “[…] when a datagram must be fragmented to be forwarded by a gateway yet the Don't Fragment flag is on. In this case the gateway MUST discard the datagram and MAY return a destination unreachable message.”
 
You must log in or register to reply here.
Back
Top