PF omitting fragment reassemble

rupapv

New Member

Hi, I am still learning about pf in FreeBSD and would appreciate some help. I want to create a rule that sets the TOS on ICMP packets but omits the fragment reassemble option. But it looks like it can't be done. As far as I understand, the only way to disable fragment reassembly is to use it with a "no scrub" option, so I tried the rules below, but they are not giving me the expected result.
Code:
ext_if="em0"
no scrub in on $ext_if proto {icmp} fragment reassemble
scrub in on $ext_if proto {icmp} all set-tos lowdelay
pass log (all) all

These rules are displayed as
Code:
# pfctl -s rules
no scrub in on em0 proto icmp all
scrub in on em0 proto icmp all set-tos 0x10 fragment reassemble
pass log (all) all flags S/SA keep state
#

This is not giving me the desired result of setting the TOS without fragment reassembly. Can we have two "scrub in" rules in the same pf.conf? I guess not, because only the first one is taking effect.

SirDice

Administrator
Moderator

Code:
     The no option prefixed to a scrub rule causes matching packets to remain
     unscrubbed, much in the same way as drop quick works in the packet filter
     (see below).  This mechanism should be used when it is necessary to
     exclude specific packets from broader scrub rules.

What this means is that if packets are hitting your no scrub rule it's not going to process any further scrub rules. So you have to work the other way around.

Similar to this:
Code:
block in quick from any to any
pass in from $home to ($my_int) port 22

That pass is never going to be processed because the block quick "short-circuits" the rules, it won't process any further rules.
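
The short-circuit described above, as an added pf.conf example that is not part of the thread (the address for home and the interface em0 are assumed placeholders). The three sections are alternatives: a real pf.conf contains only one of them.

```conf
# Added example, not from the thread. Values for home/my_int are assumed.
home = "192.0.2.0/24"
my_int = "em0"

# --- Broken ordering (what the post describes) ---
# 'quick' ends evaluation at the first matching rule, so every inbound
# packet on em0 is dropped here and the pass rule below is never reached.
block in quick on $my_int all
pass in on $my_int proto tcp from $home to ($my_int) port 22

# --- Working ordering, option 1: exception first, also 'quick' ---
# The SSH exception matches first and stops evaluation; everything else
# falls through to the quick block.
pass in quick on $my_int proto tcp from $home to ($my_int) port 22
block in quick on $my_int all

# --- Working ordering, option 2: no 'quick' on the block ---
# Without 'quick', pf keeps evaluating and the LAST matching rule wins,
# so the later pass rule overrides the block for SSH from $home.
block in on $my_int all
pass in on $my_int proto tcp from $home to ($my_int) port 22
```

Check the loaded order with `pfctl -sr` (as done elsewhere in the thread) and test the syntax first with `pfctl -nf /etc/pf.conf`; pf walks the rule list top to bottom, and only a `quick` match or the last matching rule decides the verdict. The same first-match logic is what makes a `no scrub` rule placed before a broader `scrub` rule exclude those packets from it.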

rupapv (OP)

New Member

So that means I have to use "no scrub" after my scrub rules. I tried this:
Code:
ext_if="em0"
scrub in proto {icmp} all set-tos lowdelay
no scrub in proto {icmp} all fragment reassemble
pass log (all) all

My intention is that set-tos should happen but fragment reassemble should not happen.

These rules are displayed as :
Code:
# pfctl -s rules
scrub in proto icmp all set-tos 0x10 fragment reassemble
no scrub in proto icmp all
pass log (all) all flags S/SA keep state
#

The default "fragment reassemble" enabled in the "scrub in" line is not getting cancelled by the "no scrub" line. Without the "scrub in" line I cannot do set-tos. When I capture the incoming icmp packets on em0, I can see that the fragments are reassembled.

Please provide some guidance on this.

Kristof Provost

Developer

It looks like that's a bug. Fragment reassembly is always enabled. I've added it to my todo list (which carries no timeline promise!).

That said, disabling fragment reassembly is a terrible, terrible idea and you should almost certainly not do that.