Explanation of "dropped by fwchain_frag Reason: wait for more fragments"
- Kernel debug (fw ctl debug -m fw + drop) shows that traffic is dropped:
  fw_log_drop: Packet proto= ... dropped by fwchain_frag Reason: wait for more fragments
The fragments are handled as follows:
- Frame is received by the Firewall.
- The Firewall recognizes that the "More Fragments" flag is set.
- The Firewall records the fragment into the "frag_table" kernel table (this table has a limit of "100" entries and a timeout of "1" second, by default).
  Once the fragment is recorded in the "frag_table" kernel table, this frame is dropped with a debug print.
  The first frame of a fragmented connection generates a print that contains the Proto / IP address / Ports:
  fw_log_drop: Packet proto=17 220.127.116.11:161 -> 18.104.22.168:32825 dropped by fwchain_frag Reason: wait for more fragments;
  Subsequent fragment frames generate a generic drop print that does not contain the Proto / IP address / Ports:
  fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;
- Once the Firewall receives the final fragment, the packet is recreated in the kernel and processed. The entry is deleted from the "frag_table" kernel table.
- The Firewall processes the packet and egresses it onto an interface.
Note: When the Firewall egresses the packet, it might fragment the packet once more based on the outbound interface's MTU.
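To triage this debug output in practice, here is an added Python example (not from the SK article and not Check Point code) that parses fw_log_drop lines and separates the expected "wait for more fragments" prints, grouped by the 5-tuple of the first fragment, from other drop reasons. The sample lines below are constructed; "other_chain" and "constructed reason" are placeholders, not real chain or reason names.

```python
import re
from collections import Counter, defaultdict

# Pattern for the kernel debug line shown in the article. The first fragment of a
# flow prints the real 5-tuple; later fragments print proto=-1 ?:0 -> ?:0.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>-?\d+) (?P<src>[^:\s]+):(?P<sport>\d+) -> "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) dropped by (?P<chain>\S+) Reason: (?P<reason>[^;]+)"
)

def parse_drop(line):
    """Return a dict describing one fw_log_drop line, or None if the line is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["proto"] = int(d["proto"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["reason"] = d["reason"].strip()
    # Only the first fragment of a flow carries identifying information.
    d["first_fragment"] = d["chain"] == "fwchain_frag" and d["proto"] != -1
    return d

def summarize(lines):
    """Separate the expected fragment-wait prints from drops with other reasons."""
    summary = {"wait_flows": defaultdict(int), "wait_generic": 0, "other": Counter()}
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        if d["reason"] == "wait for more fragments":
            if d["first_fragment"]:
                key = (d["proto"], d["src"], d["sport"], d["dst"], d["dport"])
                summary["wait_flows"][key] += 1
            else:
                summary["wait_generic"] += 1  # subsequent fragments, no 5-tuple
        else:
            summary["other"][(d["chain"], d["reason"])] += 1
    return summary

# Constructed sample debug output; the last line uses placeholder chain/reason names.
SAMPLE = """\
fw_log_drop: Packet proto=17 220.127.116.11:161 -> 18.104.22.168:32825 dropped by fwchain_frag Reason: wait for more fragments;
fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;
fw_log_drop: Packet proto=-1 ?:0 -> ?:0 dropped by fwchain_frag Reason: wait for more fragments;
fw_log_drop: Packet proto=6 10.0.0.5:44321 -> 10.0.0.9:443 dropped by other_chain Reason: constructed reason;
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for flow, n in s["wait_flows"].items():
        print("fragmented flow", flow, "first-fragment prints:", n)
    print("generic subsequent-fragment prints:", s["wait_generic"])
    print("other drops:", dict(s["other"]))
```

Flows that only ever appear under "wait for more fragments" are the firewall buffering fragments as described above; a real policy or inspection drop shows up under a different reason.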