Date: Wed, 23 Jul 2014 20:59:19 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Allan Jude <allanjude@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <C8E4B902-6D98-4A3D-8D32-E72666900054@lists.zabbadoz.net>
In-Reply-To: <53D01DDD.8000806@freebsd.org>
References: <201407231542.s6NFgX4M025370@slippy.cwsent.com> <50E4E363-B2C0-4ED7-A0C4-2D7C69FF15B2@lists.zabbadoz.net> <53D01DDD.8000806@freebsd.org>
On 23 Jul 2014, at 20:41 , Allan Jude <allanjude@freebsd.org> wrote:

> On 2014-07-23 16:38, Bjoern A. Zeeb wrote:
>> On 23 Jul 2014, at 15:42 , Cy Schubert <Cy.Schubert@komquats.com> wrote:
>>
>>> Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters will need nat66 support too. Pf doesn't support it for sure. I've been told that ipfw may and I suspect ipfilter doesn't as it was on Darren's todo list from 2009.
>>
>> our pf does support IPv6 prefix rewriting quite nicely and has for years.
>
> Bjoern: What IPv6 stuff does our pf not do well?

I think the most pressing, as Peter said, is fragment handling, though a good fraction of major content providers seem to do mss clamping to a min IPv6 mtu on IPv6 and drop fragments at the edge (not much different to IPv4, which makes you wonder?). Whoever is clever will think of how many different queueing and fragment handling implementations we need in the kernel, and how often we have to do it on an end node that might also run a firewall, pick one we have, turn it into a library thing, apply it to all places, and then add the latest IETF suggestions on top of it.

There was (is?) another case that in certain situations with certain pf options IPv6/ULP packets would not pass or get corrupted. I think no one who experienced it ever tracked it down to the code but I am sure there are PRs for this; best bet is that not all header sizes are equal and length/offsets into IPv6 packets are different to IPv4, especially when you scrub.

Apart from that my knowledge of pf is diminishing.

—
Bjoern A. Zeeb
"Come on. Learn, goddamn it.", WarGames, 1983
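The point about IPv6 offsets differing from IPv4 is easy to see in code: IPv4 gives the upper-layer offset directly from IHL, while IPv6 requires walking a chain of variable-length extension headers, and the fragment header is one link in that chain. The following is an added illustration, not code from Bjoern's message or from FreeBSD's pf; the packet it parses is constructed inline, and the `clamp_mss` helper and constants are this example's own names.

```python
import struct

# Extension headers that continue the next-header chain (hop-by-hop, routing,
# fragment, destination options); anything else is treated as the ULP.
EXT_HEADERS = {0, 43, 44, 60}
FRAGMENT = 44
IPV6_MIN_MTU = 1280  # RFC 8200 minimum link MTU

def clamp_mss(mtu=IPV6_MIN_MTU, ext_hdr_bytes=0):
    """TCP MSS that fits in `mtu`: IPv6 fixed header (40) + extension headers + TCP (20)."""
    return mtu - 40 - ext_hdr_bytes - 20

def ipv6_ulp_offset(pkt):
    """Walk the extension-header chain of an IPv6 packet.
    Returns (ulp_protocol, ulp_offset, frag) where frag is None when the packet is
    unfragmented, else (fragment_offset_in_bytes, more_fragments_flag)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < 40 + payload_len:
        raise ValueError("truncated packet")
    nxt, off, frag = pkt[6], 40, None
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            # Fragment header is a fixed 8 bytes: next, reserved, offset/res/M, identification.
            field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag = ((field >> 3) * 8, bool(field & 1))
            hdr_len = 8
        else:
            # Other extension headers: Hdr Ext Len is in 8-octet units, excluding the first 8.
            hdr_len = (pkt[off + 1] + 1) * 8
        nxt = pkt[off]
        off += hdr_len
    return nxt, off, frag

def build_sample_packet():
    """Constructed packet: IPv6 + hop-by-hop (8 B) + fragment header (first fragment, M=1) + 20 B TCP."""
    tcp = b"\x00" * 20
    frag = bytes([6, 0]) + struct.pack("!H", (0 << 3) | 1) + b"\x00\x00\x00\x01"
    hbh = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"  # PadN fills the 8 bytes
    payload = hbh + frag + tcp
    base = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64) + b"\x00" * 32
    return base + payload
```

A filter that assumed the IPv4 layout (ULP at a fixed offset past the base header) would read the hop-by-hop header as the TCP header in this sample.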