PF omitting fragment reassemble

Hi, I am still learning about pf in FreeBSD and so would appreciate some help. I want to create a rule to set the TOS on ICMP packets but omit the fragment reassemble option. But it looks like it can't be done. As far as I understand, the only way to disable fragment reassemble is to use it with a "no scrub" option, so I tried as below, but it is not giving me the expected result.
Code:
ext_if="em0"
no scrub in on $ext_if proto {icmp} fragment reassemble
scrub in on $ext_if proto {icmp} all set-tos lowdelay
pass log (all) all
These rules are displayed as
Code:
# pfctl -s rules
no scrub in on em0 proto icmp all
scrub in on em0 proto icmp all set-tos 0x10 fragment reassemble
pass log (all) all flags S/SA keep state
#
This is not giving me the desired result of setting the TOS without fragment reassembly. Can we have two "scrub in" rules in the same pf.conf? I guess not, because only the first one is taking effect.
 
Code:
     The no option prefixed to a scrub rule causes matching packets to remain
     unscrubbed, much in the same way as drop quick works in the packet filter
     (see below).  This mechanism should be used when it is necessary to
     exclude specific packets from broader scrub rules.
What this means is that if packets are hitting your "no scrub" rule, it is not going to process any further scrub rules. So you have to work the other way around.

Similar to this:
Code:
block in quick from any to any
pass in from $home to ($my_int) port 22
That pass is never going to be processed because the "block quick" short-circuits the rules; it won't process any further rules.
 
So that means I have to use "no scrub" after I use my scrub rules. I tried like this:
Code:
ext_if="em0"
scrub in proto {icmp} all set-tos lowdelay
no scrub in proto {icmp} all fragment reassemble
pass log (all) all
My intention is that set-tos should happen but fragment reassemble should not happen.

These rules are displayed as:
Code:
# pfctl -s rules
scrub in proto icmp all set-tos 0x10 fragment reassemble
no scrub in proto icmp all
pass log (all) all flags S/SA keep state
#
The default "fragment reassemble" enabled in the "scrub in" line is not getting cancelled by the "no scrub" line. Without the "scrub in" line I cannot do set-tos. When I capture the incoming ICMP packets on em0, I can see that the fragments are reassembled.

Please provide some guidance on this.
 
It looks like that's a bug. Fragment reassembly is always enabled. I've added it to my todo list (which carries no timeline promise!).

That said, disabling fragment reassembly is a terrible, terrible idea and you should almost certainly not do that.
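To make the two outcomes above reproducible without a FreeBSD box, here is an added Python model of how pf walks the scrub ruleset for one packet. It is not code from the thread or from pf itself; it assumes (a) scrub rules are evaluated in order and the first matching rule decides, with a matching "no scrub" leaving the packet untouched, as the man page excerpt and the OP's observations describe, and (b) any matching "scrub" rule reassembles fragments regardless of the rule text, per the developer's reply. The rulesets are constructed from the `pfctl -s rules` output shown in the thread.

```python
"""Model of pf scrub-rule evaluation for the rulesets in this thread (added example).

Assumed semantics (see lead-in): first matching scrub rule wins; a matching
'no scrub' short-circuits like 'drop quick'; fragment reassembly is always
applied by any matching 'scrub' rule (the bug the developer confirms).
"""

# Constructed from the 'pfctl -s rules' listings posted in the thread.
RULESET_NO_SCRUB_FIRST = """\
no scrub in on em0 proto icmp all
scrub in on em0 proto icmp all set-tos 0x10 fragment reassemble
pass log (all) all flags S/SA keep state
"""

RULESET_SCRUB_FIRST = """\
scrub in proto icmp all set-tos 0x10 fragment reassemble
no scrub in proto icmp all
pass log (all) all flags S/SA keep state
"""

# Constructed sample packet: an ICMP datagram arriving on em0.
ICMP_IN = {"dir": "in", "ifp": "em0", "proto": "icmp"}


def parse_scrub_rule(line):
    """Return a dict for a 'scrub'/'no scrub' line, or None for other rules."""
    tok = line.split()
    if len(tok) >= 2 and tok[0] == "no" and tok[1] == "scrub":
        action, tok = "no scrub", tok[2:]
    elif tok and tok[0] == "scrub":
        action, tok = "scrub", tok[1:]
    else:
        return None  # pass/block/etc. are filter rules, not scrub rules
    rule = {"action": action, "dir": tok[0], "ifp": None, "proto": None, "tos": None}
    i = 1
    while i < len(tok):
        if tok[i] == "on":
            rule["ifp"] = tok[i + 1]; i += 2
        elif tok[i] == "proto":
            rule["proto"] = tok[i + 1]; i += 2
        elif tok[i] == "set-tos":
            rule["tos"] = int(tok[i + 1], 16); i += 2  # pfctl prints TOS as hex
        else:
            i += 1  # 'all', 'fragment', 'reassemble': no match criteria here
    return rule


def matches(rule, pkt):
    """Interface and proto are wildcards when the rule omits them."""
    return (rule["dir"] == pkt["dir"]
            and rule["ifp"] in (None, pkt["ifp"])
            and rule["proto"] in (None, pkt["proto"]))


def scrub_result(ruleset, pkt):
    """Return (tos_set, reassembled) for the first matching scrub rule."""
    for line in ruleset.splitlines():
        rule = parse_scrub_rule(line)
        if rule is None or not matches(rule, pkt):
            continue
        if rule["action"] == "no scrub":
            return (None, False)   # short-circuit: later scrub rules never seen
        return (rule["tos"], True)  # reassembly applied whatever the text says
    return (None, False)            # no scrub rule matched at all
```

Running `scrub_result` on both rulesets shows why neither ordering yields the OP's goal of `(0x10, False)`: "no scrub" first gives no TOS at all, and "scrub" first sets the TOS but still reassembles.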
 
Interesting thread, I have some feedback.

Having upgraded my home broadband to gigabit connectivity, I then discovered scrub was causing slow throughput from some servers; it was preventing the congestion window from staying large enough to maintain throughput when the cubic congestion provider was used on the sending server (now a very common configuration).

I then eventually diagnosed that if I removed the 'fragment reassemble' flag from scrub everything was fine; I did it again and again, on and off, with repeated results. However, I then found this thread where it's revealed that the flag doesn't matter as it's on by default, and sure enough when I ran pfctl to show the loaded rules the flag is listed, which leaves a conundrum as to why specifying it breaks performance if it's on all the time anyway.

Is it possible that when it's not specified the bug is that pf just reports it's on but it isn't?

I plan to do further testing.
 
It looks like that's a bug. Fragment reassembly is always enabled. I've added it to my todo list (which carries no timeline promise!).

That said, disabling fragment reassembly is a terrible, terrible idea and you should almost certainly not do that.
Has the behaviour been changed now in CURRENT? I noticed this pfSense issue, stating it's been changed in FreeBSD with your name as the assignee.


Looks like you did it, thank you.

Link below for others to see.

 