OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of reinosathe »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - reinosathe

Pages: [1]
1
23.1 Legacy Series / Re: Firewall live view of TCP flows not working anymore - "Unknown Option %u" in log
« on: March 03, 2023, 12:35:13 pm »
Ok, I've applied the patch  and all is good now. I see the log entries that I expect. Both in the plain view but more importantly now also in the Live view. In plain view the option is report as Unknow(30) which is correct for my case
 according to the RFC spec (   30      N        Multipath TCP (MPTCP)  )

Problem solved. Thanks again Franco !

2
23.1 Legacy Series / Re: Firewall live view of TCP flows not working anymore - "Unknown Option %u" in log
« on: March 03, 2023, 12:24:37 pm »
Thank you Franco. That was snappy and smooth ;-)

3
23.1 Legacy Series / Re: Firewall live view of TCP flows not working anymore - "Unknown Option %u" in log
« on: March 03, 2023, 12:19:47 pm »
Ok, so your reply triggered me to have a dual look at the flows that caused the issue. I logged into the opnsense firewall appliance and ran tcpdump manually. This is a capture of a flow that may show the offending option:

options [mss 1400,sackOK,TS val 1315226242 ecr 0,nop,wscale 7,mptcp capable {0xd67e012adf941119}]

I am running an ADSL/4G multi path TCP connection (living rural so 4G is the main connection but every connection starts on ADSL. I am pretty sure the mptcp option is the offending one. I will validate by disabling the 4G link but I am not sure if that forces my provider to not add the mptcp option anymore. Worth a try though.

But to your point, the code should not barf on unknown options and be future / new options safe.

4
23.1 Legacy Series / Firewall live view of TCP flows not working anymore - "Unknown Option %u" in log
« on: March 03, 2023, 09:52:34 am »
For a while now, I can't see any TCP flow logging in the firewall live view log. Only UDP flows show up. The Firewall plain view does show all flows but the TCP flows have an Unknown option %u ending.

Here is an example:
109,,,eed75d558cce27a033cbd0ba409b0cd2,em1,match,pass,in,4,0x0,,222,1451,0,DF,6,tcp,72,3.130.141.237,192.168.1.200,8462,8443,0,S,358758990,,28000,,mss;sackOK;TS;nop;wscale;Unknown Option %u

I've checked this forum and the internet at large and noticed this ticket: https://redmine.pfsense.org/issues/12056  and a reference to this code snippet: https://github.com/pfsense/FreeBSD-ports/blob/95209049501e8372d0f31dcf2dfb45269a179151/sysutils/filterlog/files/print-tcp.c#L211

Could it be that the opnsense code base has the same issue ?

Version details:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

It would be great if this issue can be fixed.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2