IPv6 fragments firewall support?
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Sat Jun 9 21:40:45 UTC 2012
On 9. Jun 2012, at 08:12, list_freebsd at bluerosetech.com wrote:
> There's a sentence at the end of the "Fragment Handling" section of the pf.conf man page:
>
> "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally."
>
> This is in pf.conf(5) for FreeBSD versions using pf 4.1. It looks like we only have pf 4.5 in HEAD and I believe support for IPv6 fragments didn't arrive until OpenBSD 5.0 (after the pf.conf format change).
>
> Is IPv6 fragmentation support still an issue? I'm chasing down PMTU issues and came across this. If it's the case, it would explain a lot of the problems I'm having with UDP over IPv6.
Yes, it's not there yet; someone needs to cherry-pick the commits and bring it over. Glebius, can you do that?
You can, however, unconditionally allow all fragments and trust a (bad) end host system:
pass log quick inet6 proto ipv6-frag all
(it has log set for a reason: to be able to track them here)
/bz
--
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!
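To make concrete what the `proto ipv6-frag` keyword in the workaround rule above matches, and why passing fragments this way means trusting the end host, here is an added example (not code from the original post, from pf, or from FreeBSD). It walks an IPv6 extension-header chain looking for the Fragment header (next header 44), shows that only the first fragment carries the UDP ports a port-based rule could inspect, and builds and reassembles a constructed UDP datagram to exercise that logic. The addresses, ports and fragment identification are made up; a firewall without IPv6 reassembly has no choice but to pass or drop fragments blind, which is exactly the trade-off the rule makes.

```python
"""IPv6 Fragment-header walker: what pf's ``proto ipv6-frag`` matches, and why a
firewall that cannot reassemble cannot apply port rules to non-first fragments.

Added example; not code from the original post, from pf or from FreeBSD.
All sample packets are constructed here (made-up addresses, ports and IDs).
"""
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS = 0, 43, 60
IPPROTO_FRAGMENT = 44          # pf.conf: proto ipv6-frag
IPPROTO_UDP = 17
# Extension headers with a (next_header, hdr_ext_len) prefix, length counted in
# 8-octet units excluding the first 8 octets (RFC 8200).
VARLEN_EXT = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}


def parse_ipv6(pkt):
    """Walk the extension-header chain.  Returns the upper-layer protocol
    number, the Fragment header fields (or None) and the remaining payload.
    A truncated header makes struct raise, which is the safe failure here."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, frag = pkt[6], 40, None
    while True:
        if nxt == IPPROTO_FRAGMENT:
            nh, _res, off_m, ident = struct.unpack_from("!BBHI", pkt, off)
            frag = {"offset": (off_m >> 3) * 8, "more": bool(off_m & 1), "id": ident}
            nxt, off = nh, off + 8
        elif nxt in VARLEN_EXT:
            nh, hlen = struct.unpack_from("!BB", pkt, off)
            nxt, off = nh, off + (hlen + 1) * 8
        else:
            break
    return {"proto": nxt, "fragment": frag, "payload": pkt[off:]}


def matches_ipv6_frag(pkt):
    """True when a Fragment header sits anywhere in the chain, i.e. when
    ``pass ... inet6 proto ipv6-frag`` would match the packet."""
    return parse_ipv6(pkt)["fragment"] is not None


def udp_ports(pkt):
    """(sport, dport) if the UDP header is present in this packet, else None.
    Only the first fragment (offset 0) carries it; a later fragment still
    names protocol 17 but holds nothing a port rule could inspect."""
    p = parse_ipv6(pkt)
    if p["proto"] != IPPROTO_UDP or (p["fragment"] and p["fragment"]["offset"] != 0):
        return None
    return struct.unpack_from("!HH", p["payload"], 0)


def _csum(data):
    """Internet checksum (ones' complement sum, complemented)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_udp_fragments(src, dst, sport, dport, data, ident, mtu=1280):
    """Build a UDP/IPv6 datagram and split it into fragments that fit `mtu`.
    Every fragment but the last carries a multiple of 8 octets (RFC 8200)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    pseudo = src + dst + struct.pack("!I3xB", len(udp), IPPROTO_UDP)
    udp = udp[:6] + struct.pack("!H", _csum(pseudo + udp) or 0xFFFF) + udp[8:]
    step = (mtu - 40 - 8) // 8 * 8            # room after base + fragment header
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + step]
        more = off + len(chunk) < len(udp)
        fh = struct.pack("!BBHI", IPPROTO_UDP, 0, ((off // 8) << 3) | int(more), ident)
        base = struct.pack("!IHBB", 6 << 28, 8 + len(chunk), IPPROTO_FRAGMENT, 64)
        frags.append(base + src + dst + fh + chunk)
        off += len(chunk)
    return frags


def reassemble(frags):
    """Naive reassembly (no overlap or timeout handling): roughly the work a
    firewall must do before it can check ports on fragmented traffic.
    Returns (proto, reassembled upper-layer bytes)."""
    parts, total, proto = {}, None, None
    for f in frags:
        p = parse_ipv6(f)
        fr = p["fragment"]
        parts[fr["offset"]] = p["payload"]
        proto = p["proto"]
        if not fr["more"]:
            total = fr["offset"] + len(p["payload"])
    buf = b"".join(parts[o] for o in sorted(parts))
    if total is None or len(buf) != total:
        raise ValueError("incomplete fragment set")
    return proto, buf


def udp_checksum_ok(src, dst, udp):
    """Verify the UDP checksum of a reassembled datagram."""
    pseudo = src + dst + struct.pack("!I3xB", len(udp), IPPROTO_UDP)
    return _csum(pseudo + udp) == 0


if __name__ == "__main__":
    SRC = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (made up)
    DST = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2 (made up)
    for f in build_udp_fragments(SRC, DST, 40000, 53, b"A" * 2000, ident=0x1234):
        p = parse_ipv6(f)
        print(p["fragment"], "ipv6-frag match:", matches_ipv6_frag(f), "ports:", udp_ports(f))
```

Run it and the second fragment prints `ports: None`: it is the packet a port-based rule cannot classify, and the one the blanket `pass ... proto ipv6-frag` rule lets through on the assumption that the receiving host will sort out what to do with it.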