NetBSD Problem Report #55654
From kardel@kardel.name Fri Sep 11 09:48:22 2020
Message-Id: <20200911094818.0CE1C28C874@mail.kardel.name>
Date: Fri, 11 Sep 2020 09:48:18 +0000 (UTC)
From: kardel@netbsd.org
Reply-To: kardel@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: NPF defaults break IP fragment reassembly
X-Send-Pr-Version: 3.95
>Number: 55654
>Category: kern
>Synopsis: NPF defaults break IP fragment reassembly
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: rmind
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Sep 11 09:50:00 +0000 2020
>Closed-Date: Sun Jun 18 19:24:24 +0000 2023
>Last-Modified: Sun Jun 18 19:24:24 +0000 2023
>Originator: Frank Kardel
>Release: NetBSD 9.99.72
>Organization:
>Environment:
System: NetBSD gateway 9.99.72 NetBSD 9.99.72 (GENERIC) #0: Thu Sep 10 06:02:30 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
On newer -current kernels IP fragment reassembly fails. IP packets with sizes larger than the path MTU never reach the application (e.g. x509 IKEv1 ident packets).
Statistics indication (netstat -s):
ip:
20673 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
>>> 142 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped (out of ipqent)
0 malformed fragments dropped
>>>! 136 fragments dropped after timeout
0 packets reassembled ok
18759 packets for this host
0 packets for unknown/unsupported protocol
806 packets forwarded (0 packets fast forwarded)
28 packets not forwardable
0 redirects sent
0 packets no matching gif found
0 packets no matching ipsecif found
20750 packets sent from this host
7 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
1 output datagram fragmented
1 fragment created
4 datagrams that can't be fragmented
0 datagrams with bad address in header
938 input packets dropped by pfil
482 output packets dropped by pfil
0 input packets dropped by IPsec
0 output packets dropped by IPsec
0 input packets dropped due to interface state
0 packets dropped due to TTL exceeded
0 output packets dropped (no IP address)
36 output packets discarded due to reject route
0 output packets dropped (broadcast prohibited)
>How-To-Repeat:
run a new -current kernel and try to receive fragmented IP packets
>Fix:
find the commit that broke it...
>Release-Note:
>Audit-Trail:
From: Frank Kardel <kardel@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/55654: IP fragment reassembly broken
Date: Fri, 11 Sep 2020 15:44:04 +0200
Analysis shows that NPF disables IP reassembly by default. That is documented in npf-params. The IP stack without NPF does do IP reassembly. Once NPF is enabled, IP reassembly is disabled unless "set ip4.reassembly on" is in /etc/npf.conf.
The man page for npf.conf states:
Fragments are not selectable since NPF always reassembles packets before further processing.
So here the documentation does not agree.
This change of behavior is surprising to say the least. Furthermore, disabling IP reassembly directly violates RFC1122 - Requirements for Internet Hosts -- Communication Layers.
RFC1122 states:
3.2.1.4 Fragmentation and Reassembly: RFC-791 Section 3.2 <https://tools.ietf.org/html/rfc791#section-3.2>
The Internet model requires that every host support reassembly. See Sections 3.3.2 <https://tools.ietf.org/html/rfc1122#section-3.3.2> and 3.3.3 <https://tools.ietf.org/html/rfc1122#section-3.3.3> for the requirements on fragmentation and reassembly.
3.3.2 Reassembly
The IP layer MUST implement reassembly of IP datagrams.
[...]
Given that RFC1122 mandates IP reassembly and I did not overlook a relaxation of this requirement, the option of disabling it is not there.
So the current NPF behavior/documentation needs to be revisited for the following reasons:
- Conformance with "Requirements for Internet Hosts"
  - at minimum for the default configuration.
- inconsistent documentation
- Violation of POLA on upgrades
  - upgrades simply break existing installations in unexpected ways (see "Requirements for Internet Hosts")
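The symptom in the reporter's netstat output above (fragments arrive, none are reassembled, nearly all are dropped after the reassembly timeout) can be checked for mechanically; the script below is an added example, not part of the PR or of NPF, and the sample counters it parses are constructed from the numbers quoted in the report.

```shell
#!/bin/sh
# Added example (not from the PR): flag the reassembly failure signature
# in `netstat -s` ip statistics. Sample output constructed from the PR.
SAMPLE_NETSTAT='ip:
    20673 total packets received
    142 fragments received
    0 fragments dropped (dup or out of space)
    136 fragments dropped after timeout
    0 packets reassembled ok
    938 input packets dropped by pfil'

# counter KEY INPUT -> print the integer that precedes the phrase KEY
# (first matching line only, so "fragments received" does not also
# pick up "fragments dropped ...").
counter() {
    printf '%s\n' "$2" | awk -v key="$1" 'index($0, key) { print $1; exit }'
}

# reassembly_broken INPUT -> exit 0 when the PR signature is present:
# fragments were received, zero datagrams were reassembled, and some
# fragments were dropped on timeout. Exit 2 if a counter is missing.
reassembly_broken() {
    recv=$(counter "fragments received" "$1")
    ok=$(counter "packets reassembled ok" "$1")
    timeout=$(counter "fragments dropped after timeout" "$1")
    [ -n "$recv" ] && [ -n "$ok" ] && [ -n "$timeout" ] || return 2
    [ "$recv" -gt 0 ] && [ "$ok" -eq 0 ] && [ "$timeout" -gt 0 ]
}

# On a live NetBSD host replace SAMPLE_NETSTAT with "$(netstat -s)".
if reassembly_broken "$SAMPLE_NETSTAT"; then
    echo "fragments received but never reassembled;" \
         "with NPF enabled, check for 'set ip4.reassembly on' in /etc/npf.conf"
fi
```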
Responsible-Changed-From-To: kern-bug-people->rmind
Responsible-Changed-By: kardel@NetBSD.org
Responsible-Changed-When: Fri, 11 Sep 2020 13:51:48 +0000
Responsible-Changed-Why:
over to committer
State-Changed-From-To: open->analyzed
State-Changed-By: kardel@NetBSD.org
State-Changed-When: Fri, 11 Sep 2020 13:54:17 +0000
State-Changed-Why:
comment contains analysis
From: "Frank Kardel" <kardel@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55654 CVS commit: src
Date: Sun, 12 Feb 2023 13:21:28 +0000
Module Name: src
Committed By: kardel
Date: Sun Feb 12 13:21:28 UTC 2023
Modified Files:
src/sys/net/npf: npf_params.c
src/usr.sbin/npf: npf-params.7
Log Message:
PR kern/55654:
Switch default for parameter npf ip4.reassembly to 1.
This makes the NPF default configuration comply with host
requirements for IPv4.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_params.c
cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npf-params.7
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Frank Kardel <kardel@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/55654 CVS commit: src
Date: Sun, 12 Feb 2023 14:31:38 +0100
included in up-stream: https://github.com/rmind/npf/pull/116
wording for npf-params.7 is adjusted for clarity.
State-Changed-From-To: analyzed->pending-pullups
State-Changed-By: kardel@NetBSD.org
State-Changed-When: Tue, 14 Mar 2023 07:39:36 +0000
State-Changed-Why:
pullups for -9 and -10 have been requested
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55654 CVS commit: [netbsd-10] src
Date: Tue, 14 Mar 2023 17:02:58 +0000
Module Name: src
Committed By: martin
Date: Tue Mar 14 17:02:58 UTC 2023
Modified Files:
src/sys/net/npf [netbsd-10]: npf_params.c
src/usr.sbin/npf [netbsd-10]: npf-params.7
Log Message:
Pull up following revision(s) (requested by kardel in ticket #118):
usr.sbin/npf/npf-params.7: revision 1.9
sys/net/npf/npf_params.c: revision 1.6
PR kern/55654:
Switch default for parameter npf ip4.reassembly to 1.
This makes the NPF default configuration comply with host
requirements for IPv4.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.5.4.1 src/sys/net/npf/npf_params.c
cvs rdiff -u -r1.8 -r1.8.6.1 src/usr.sbin/npf/npf-params.7
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55654 CVS commit: [netbsd-9] src
Date: Tue, 14 Mar 2023 17:04:51 +0000
Module Name: src
Committed By: martin
Date: Tue Mar 14 17:04:51 UTC 2023
Modified Files:
src/sys/net/npf [netbsd-9]: npf_params.c
src/usr.sbin/npf [netbsd-9]: npf-params.7
Log Message:
Pull up following revision(s) (requested by kardel in ticket #1612):
usr.sbin/npf/npf-params.7: revision 1.9
sys/net/npf/npf_params.c: revision 1.6
PR kern/55654:
Switch default for parameter npf ip4.reassembly to 1.
This makes the NPF default configuration comply with host
requirements for IPv4.
To generate a diff of this commit:
cvs rdiff -u -r1.1.2.2 -r1.1.2.3 src/sys/net/npf/npf_params.c
cvs rdiff -u -r1.2.2.2 -r1.2.2.3 src/usr.sbin/npf/npf-params.7
State-Changed-From-To: pending-pullups->closed
State-Changed-By: gutteridge@NetBSD.org
State-Changed-When: Sun, 18 Jun 2023 19:24:24 +0000
State-Changed-Why:
Pullups were completed, closing.
>Unformatted:
pullup-10
pullup-9