Bug #4723

closed

Can't forward UDP fragmented packets with scrubbing enabled.

Added by Dominic Blais almost 9 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Operating System
Target version:
Start date: 05/21/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2.x
Affected Architecture: All

Description

I have a use case where I couldn't forward UDP fragmented packets through a site-to-site OpenVPN tunnel. The issue isn't linked to OpenVPN itself but solely to the fact that scrubbing is applied on outgoing traffic.

Here's what happens:

1) Fragments are entering the LAN interface.
2) Scrub applies and the fragments are reassembled.
3) The firewall can process the reassembled packet.
4) The kernel fragments the packet again so it can leave through any other interface (vpn, opt, wan, etc.).
5) The scrub out reassembles the packet.
6) The packet is too big to leave the interface, so it is dropped.

I managed to fix this bug by replacing "scrub on" with "scrub in on" in /etc/inc/filter.inc. Anyway, is there a need (besides random-id) to do scrubbing for outgoing traffic? Maybe it could be possible to disable scrub out when it's not TCP? Any other ideas?

I think this bug wasn't present on 2.0.0.

Thank you!

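The rule change the report describes, shown as an added pf.conf example (not the rules pfSense 2.2 generates from /etc/inc/filter.inc, and not the reporter's code). The interface macros and the exact scrub options are assumptions; the point is the missing direction keyword.

```pf
# Added illustrative pf.conf fragment. Interface names are assumptions.
lan  = "em0"
wan  = "em1"
ovpn = "ovpnc1"

# Weak form (the situation the report describes): with no direction keyword
# the rule matches both inbound and outbound packets. Fragments arriving on
# $lan are reassembled, the kernel re-fragments the forwarded datagram to fit
# $ovpn, and the outbound scrub reassembles it again into a datagram larger
# than the tunnel MTU, which is then dropped.
scrub on $lan  all random-id fragment reassemble
scrub on $wan  all random-id fragment reassemble
scrub on $ovpn all random-id fragment reassemble

# Corrected form: normalize only on the way in, so the fragments the kernel
# produces on the way out are left alone and fit the egress MTU.
scrub in on $lan  all fragment reassemble
scrub in on $wan  all fragment reassemble
scrub in on $ovpn all fragment reassemble

# If random-id is the only thing wanted from outbound scrubbing (the caveat
# the reporter raises), keep it for TCP only so UDP fragments are not
# touched on egress.
scrub out on $lan  proto tcp all random-id
scrub out on $wan  proto tcp all random-id
scrub out on $ovpn proto tcp all random-id
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm which scrub rules are actually active with `pfctl -s rules`. On pfSense the loaded ruleset is generated into /tmp/rules.debug from filter.inc, so a hand edit to pf.conf alone does not survive a filter reload; that is why the reporter changed filter.inc itself.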

Files

VM-network.png (9.68 KB), added by Phillip Davis, 07/09/2015 06:43 AM
diagram.png (293 KB), added by Constantine Kormashev, 09/29/2017 09:43 AM