2002-07-27 23:24:51

by Han

Subject: Re: pf: to scrub or not to scrub?

Hi,

I run an OpenBSD (current) nfs server with a linux nfs client
(2.4.19-rc3-ac3) and if I turn on the scrub feature (reassemble all
fragments) of the OpenBSD firewall I get into trouble with the
nfs-client not being able to connect anymore. Perhaps this is something
that can be improved in the nfs code. This is not urgent since I can
tell the firewall to only pay attention to fragments from the external
interface.

If I can be of any assistance please let me know, but I am not
subscribed to the list.

Here is the referring part of the man-page.

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html#NORMALIZATION


Mike Frantzen ([email protected]) wrote:
>
> > Unless - dare I say it - you have to deal with Linux NFS in
> > conjunction with that pf firewall, in which case NFS won't work when
> > scrub is used. That just bit me the other day (Linux 2.2.x client
> > <-> pf <-> Linux 2.4.x server[0]). It's mentioned in the archives of
> > this list and the conclusion at the time was that it's a Linux
> > problem[1]. Interesting enough I had the same problem with a Linux
> > 2.4.x client and an OpenBSD 3.1 server. Both issues vanished after I
> > removed scrub from the rules. Just something to be aware of, I
> > think.
>
> IIRC Linux's NFS server set DF and MF at the same time (Don't Fragment
> and More Fragments) which leads to an ambiguity in the interpretation.
> At the moment, I can't think of anything really bad that could come of
> the ambiguity. But SCRUB's job is to resolve ambiguities or drop them
> if it couldn't be resolved somehow.



Groetjes, Han.
--
::. +------------------------------------------------------+
(\./) .-""-. | normous cats on the dinette table, etc. -- Dave |
`\'-'` \ | Barry, "The Taming of the Screw" |
'.___,_^__/ +------------------------------------------------------+


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2002-07-28 15:15:38

by Trond Myklebust

Subject: Re: Re: pf: to scrub or not to scrub?

>>>>> " " == han <[email protected]> writes:

> Hi, I run an OpenBSD (current) nfs server with a linux nfs
> client (2.4.19-rc3-ac3) and if I turn on the scrub feature
> (reassemble all fragments) of the OpenBSD firewall I get into
> trouble with the nfs-client not being able to connect
> anymore. Perhaps this is something that can be improved in the
> nfs code. This is not urgent since I can tell the firewall to
> only pay attention to fragments from the external interface.

The Linux NFS client just uses a standard UDP socket (Nothing up my
sleeve). No special flags are set beyond those which you will get
from using the standard call 'socket(PF_INET, SOCK_DGRAM, 0)'.

Mind explaining exactly what is causing the OpenBSD 'scrub' filter to
fail to pass these packets?

Cheers,
Trond



2002-07-28 16:21:44

by Trond Myklebust

Subject: Re: Re: pf: to scrub or not to scrub?


>> Mind explaining exactly what is causing the OpenBSD 'scrub'
>> filter to fail to pass these packets?

Hmm... From your forwarded mail. Looks like they were saying that the
firewall doesn't like IP_DF + IP_MF. That basically means that it is
incompatible with standard Path MTU discovery (see RFC 1191).

Try turning off path MTU discovery using
echo "1" >/proc/sys/net/ipv4/ip_no_pmtu_disc

and it should probably work (or set the wsize to 1024 - means no
fragmentation of the writes).

Cheers,
Trond



2002-07-31 13:54:15

by Daniel Hartmeier

Subject: Re: Re: pf: to scrub or not to scrub?

On 2002-07-29 02:28:32 PST, Trond Myklebust wrote:

> Hmm... From your forwarded mail. Looks like they were saying that the
> firewall doesn't like IP_DF + IP_MF. That basically means that it is
> incompatible with standard Path MTU discovery (see RFC 1191).

Where does RFC 1191 (or Stevens, which I also checked) say you're
supposed to do PMTU discovery using _fragments_? You send complete,
unfragmented packets with DF set and see if you get an
ICMP_UNREACH_NEEDFRAG back. You mean a router gets already fragmented
packets (MF set) and then does PMTU to the destination itself, so the
fragments themselves don't get fragmented further? Or some host on the
way actually fragmented a DF packet? PMTU discovery explains the DF, but
who set the MF, assuming PMTU discovery is happening?

Daniel


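As an added illustration for the whole thread (not code from the list, from pf or from the Linux NFS client), the following Python checker parses IPv4 headers and flags the DF+MF combination that Mike Frantzen describes and Daniel Hartmeier questions. The packet headers and the 10.0.0.x addresses are constructed for the example, and scrub_verdict is a simplified model of the behaviour the thread reports, not pf's own logic.

```python
import struct

IP_DF = 0x4000        # Don't Fragment flag
IP_MF = 0x2000        # More Fragments flag
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the header's 16-bit words; 0 means valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(total_len, ident, flags, offset_units, proto=17):
    """Constructed test input: a 20-byte IPv4 header (made-up addresses
    10.0.0.1 -> 10.0.0.2) with a correct header checksum."""
    frag = flags | (offset_units & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, frag, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def classify_fragment_flags(hdr: bytes) -> str:
    """'ambiguous' is the thread's DF+MF case: the sender forbids fragmentation
    yet the packet is itself a fragment, so a normalizer cannot honour both."""
    ver_ihl, _, _, _, frag, _, _, _, _, _ = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if ipv4_checksum(hdr[:(ver_ihl & 0xF) * 4]) != 0:
        raise ValueError("bad IPv4 header checksum")
    df, mf, off = bool(frag & IP_DF), bool(frag & IP_MF), frag & OFFSET_MASK
    if df and (mf or off):
        return "ambiguous"
    if mf or off:
        return "fragment"
    return "whole"

def scrub_verdict(hdr: bytes) -> str:
    """Simplified model of what the thread reports (not pf's code): the
    ambiguous DF+MF packet is dropped, everything else is passed."""
    return "drop" if classify_fragment_flags(hdr) == "ambiguous" else "pass"

# Constructed samples: an 8 KiB UDP NFS write split at a 1500-byte MTU.
SAMPLES = {
    "first_frag": build_ipv4_header(1500, 0x1234, IP_MF, 0),
    "last_frag": build_ipv4_header(820, 0x1234, 0, 925),
    "df_whole": build_ipv4_header(576, 0x1235, IP_DF, 0),
    "df_plus_mf": build_ipv4_header(1500, 0x1236, IP_DF | IP_MF, 0),
}
```

Run over a capture on the external interface, the "ambiguous" count tells you whether a client is emitting the DF+MF packets before you decide between disabling scrub on that interface, turning off PMTU discovery on the client, or lowering wsize as Trond suggests.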