From Mark_Andrews@isc.org  Thu Jun 30 01:12:41 2005
Return-Path: <Mark_Andrews@isc.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ECA5516A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 30 Jun 2005 01:12:41 +0000 (GMT)
	(envelope-from Mark_Andrews@isc.org)
Received: from farside.isc.org (farside.isc.org [204.152.187.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D3CC843D48
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 30 Jun 2005 01:12:41 +0000 (GMT)
	(envelope-from Mark_Andrews@isc.org)
Received: from bsdi.dv.isc.org (localhost [IPv6:::1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by farside.isc.org (Postfix) with ESMTP id 42138677F6
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 30 Jun 2005 01:12:41 +0000 (UTC)
	(envelope-from marka@isc.org)
Received: from bsdi.dv.isc.org (localhost.dv.isc.org [127.0.0.1])
	by bsdi.dv.isc.org (8.13.1/8.13.1) with ESMTP id j5U17Eua023709
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 30 Jun 2005 11:07:15 +1000 (EST)
	(envelope-from marka@bsdi.dv.isc.org)
Received: (from marka@localhost)
	by bsdi.dv.isc.org (8.13.1/8.13.1/Submit) id j5U17Eak023708;
	Thu, 30 Jun 2005 11:07:14 +1000 (EST)
	(envelope-from marka)
Message-Id: <200506300107.j5U17Eak023708@bsdi.dv.isc.org>
Date: Thu, 30 Jun 2005 11:07:14 +1000 (EST)
From: Mark Andrews <Mark_Andrews@isc.org>
Reply-To: Mark Andrews <Mark_Andrews@isc.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipnat doesn't handle out of order fragments.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         82806
>Category:       kern
>Synopsis:       [ipfilter] ipnat doesn't handle out of order fragments.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 30 01:20:05 GMT 2005
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:17:51 UTC 2013
>Originator:     Mark Andrews
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD bsdi.dv.isc.org 4.11-STABLE FreeBSD 4.11-STABLE #22: Mon Jan 3 22:18:47 EST 2005 marka@bsdi.dv.isc.org:/usr/obj/usr/src/sys/BSDI i386


>Description:
	
It looks like ipnat doesn't handle out of order fragments.

>How-To-Repeat:

Setup ipnat and try to make the following query from a machine behind the
nat box.  The response is large enough to cause fragmentation (DNS payload
of 1734) and depending upon the fragment order you may or may not get a
response.

Using a 9.3.x version of dig.

dig dlv gmail.com.dlv.verisignlabs.com @ns1.dlv.verisignlabs.com +dnssec

Note: ipf is set up to handle out of order fragments.  The above query always
works on the nat box itself regardless of the fragment order (checked
with "tcpdump -n -i sis0 -s 0 host 65.201.175.17" where sis0 is the
external interface).

Out of order fragments are not passed to the internal box (again
checked w/ tcpdump on the internal box).  In-order fragments are
returned.

>Fix:
>Release-Note:
>Audit-Trail:

From: Mark Andrews <Mark_Andrews@isc.org>
To: bug-followup@FreeBSD.org, Mark_Andrews@isc.org
Cc:  
Subject: Re: kern/82806: ipnat doesn't handle out of order fragments.
Date: Fri, 01 Jul 2005 15:38:38 +1000

 I suspect the best fix to this is to attempt reassembly after
 ipfr_nat_knownfrag() succeeds (there is an additional fragment now)
 or before calling ipfr_nat_newfrag() and only calling ipfr_nat_newfrag() 
 if the reassembly fails in which case you would also add the fragment to
 the fragment cache.  If reassembly fails stop further processing on this 
 packet and wait for the next fragment.
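The two behaviours discussed in this PR, a NAT that needs fragment #0 first and the reassembly alternative proposed above, modelled as an added Python example that is not ipfilter/ipnat code. It assumes a simplified fragment model (only the first fragment carries the UDP ports), a constructed 1734-byte reply from 65.201.175.17 to a placeholder public address 203.0.113.1, and a placeholder internal host 192.168.0.10; the class and function names are the example's own.

```python
"""Model of NAT handling of IP fragments in and out of order (added example,
not ipnat code).  A NAT that keys fragment state on fragment #0, the only
fragment carrying UDP ports, drops later fragments that arrive before it;
a NAT that buffers until the datagram is complete forwards either order.
Addresses, ports and sizes are constructed for the demo."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]      # (src ip, dst ip, IP identification)
Target = Tuple[str, int]        # (internal ip, internal port)


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int                 # byte offset of this piece in the datagram
    more: bool                  # IP "more fragments" flag
    payload: bytes
    sport: Optional[int] = None # UDP ports exist only in fragment #0
    dport: Optional[int] = None


def fragment_datagram(src: str, dst: str, ip_id: int, sport: int, dport: int,
                      payload: bytes, frag_size: int) -> List[Fragment]:
    """Split one UDP datagram into IP fragments of at most frag_size bytes."""
    frags: List[Fragment] = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + len(chunk) < len(payload)
        ports = (sport, dport) if off == 0 else (None, None)
        frags.append(Fragment(src, dst, ip_id, off, more, chunk, *ports))
    return frags


def _rewrite(frag: Fragment, target: Target) -> Fragment:
    """Translate an inbound fragment toward the internal host behind the NAT."""
    ip, port = target
    return replace(frag, dst=ip, dport=port if frag.offset == 0 else None)


def _complete(frags: List[Fragment]) -> bool:
    """True when buffered fragments cover the whole datagram with no holes."""
    last = [f for f in frags if not f.more]
    if not last or not any(f.offset == 0 for f in frags):
        return False
    total, covered = last[0].offset + len(last[0].payload), 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset > covered:
            return False            # a hole: a piece is still missing
        covered = max(covered, f.offset + len(f.payload))
    return covered >= total


class Frag0FirstNat:
    """NAT that creates fragment state only on seeing fragment #0 (the PR's case)."""

    def __init__(self, mappings: Dict[int, Target]):
        self.mappings = mappings    # public port -> internal (ip, port)
        self.frag_state: Dict[Key, Target] = {}

    def inbound(self, frag: Fragment) -> List[Fragment]:
        key = (frag.src, frag.dst, frag.ip_id)
        if frag.offset == 0:
            target = self.mappings.get(frag.dport)
            if target is None:
                return []
            if frag.more:
                self.frag_state[key] = target   # remember for later pieces
            return [_rewrite(frag, target)]
        target = self.frag_state.get(key)
        if target is None:
            return []               # dropped: fragment #0 not seen yet
        if not frag.more:
            del self.frag_state[key]
        return [_rewrite(frag, target)]


class ReassemblingNat(Frag0FirstNat):
    """NAT that holds fragments until the datagram is complete, then translates."""

    def __init__(self, mappings: Dict[int, Target]):
        super().__init__(mappings)
        self.pending: Dict[Key, List[Fragment]] = {}

    def inbound(self, frag: Fragment) -> List[Fragment]:
        if frag.offset == 0 and not frag.more:
            return super().inbound(frag)    # unfragmented: nothing to buffer
        key = (frag.src, frag.dst, frag.ip_id)
        buf = self.pending.setdefault(key, [])
        buf.append(frag)
        if not _complete(buf):
            return []               # wait for the next fragment
        del self.pending[key]
        first = next(f for f in buf if f.offset == 0)
        target = self.mappings.get(first.dport)
        return [] if target is None else [
            _rewrite(f, target) for f in sorted(buf, key=lambda f: f.offset)]


def forwarded(nat: Frag0FirstNat, frags: List[Fragment]) -> int:
    """Feed fragments to the NAT in the given order; count what reaches inside."""
    return sum(len(nat.inbound(f)) for f in frags)


def demo() -> Dict[str, int]:
    # Constructed: a 1734-byte DNS reply from the server named in the PR to the
    # NAT's public address, split into 1480-byte pieces (two fragments).
    mappings = {40000: ("192.168.0.10", 53000)}   # placeholder internal host
    reply = fragment_datagram("65.201.175.17", "203.0.113.1", 0x1234,
                              53, 40000, bytes(1734), 1480)
    return {"frag0first_in_order": forwarded(Frag0FirstNat(mappings), reply),
            "frag0first_reversed": forwarded(Frag0FirstNat(mappings), reply[::-1]),
            "reassembling_in_order": forwarded(ReassemblingNat(mappings), reply),
            "reassembling_reversed": forwarded(ReassemblingNat(mappings), reply[::-1])}


if __name__ == "__main__":
    print(demo())
```

With fragment #0 first, both NATs forward both pieces; with the order reversed, the frag#0-first NAT forwards only the first fragment and the internal host can never reassemble the reply, which is the symptom reported above. The buffering variant fixes that, but a real implementation must bound `pending` with a timeout and a cap on buffered bytes per key, since holding partial datagrams indefinitely is a memory-exhaustion risk; that cost is part of why adding reassembly to a packet filter is not a small change.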
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Fri Jul 1 05:46:19 GMT 2005 
Responsible-Changed-Why:  
Over to IPFilter maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82806 
State-Changed-From-To: open->suspended 
State-Changed-By: darrenr 
State-Changed-When: Mon Feb 27 09:30:15 UTC 2006 
State-Changed-Why:  
ipnat needs to see frag#0 first but otherwise there shouldn't be any 
problems here.  At this point there are no plans to add fragment 
reassembly to ipfilter, which is what this really requires as a fix, 
so I'm suspending it (this problem is not unknown). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82806 
State-Changed-From-To: suspended->suspended 
State-Changed-By: linimon 
State-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
State-Changed-Why:  
commit bit has been taken in for safekeeping. 


Responsible-Changed-From-To: darrenr->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=82806 
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:17:30 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82806 
>Unformatted:
