From: Freek Dijkstra <public@macfreek.nl>
To: freebsd-ipfw@freebsd.org
Date: Thu, 09 Feb 2012 22:43:58 +0100
Subject: Re: IPv6 fragments
Message-ID: <4F343E1E.3010702@macfreek.nl>
In-Reply-To: <4F342D87.5060208@macfreek.nl>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

I wrote:
> I'm having trouble configuring ipfw to handle fragmented IPv6 packets.

[...]

> My second idea was to simply allow all fragments, and let the TCP stack
> figure it out. I used the following ruleset:
> ipfw add 1020 count log ipv6 from any to me recv tun0 frag
> ipfw add 1030 deny log ipv6 from any to me recv tun0
>
> Unfortunately, this still fails. Below is output of tcpdump and the ipfw
> log. As you can see rule 1020 is never matched.
>
> Why is rule 1020 never matched?

Oh bugger, it seems the problem was between keyboard and chair. I tested
this on a production machine, and moved some rule numbers. Forgot that I
had a skipto rule somewhere and did not update that rule number...
Anyway, I'm still interested to hear how others handle fragmented IPv6
traffic (off-topic: any pointers to why it is fragmented are appreciated
too). In particular, I'm still interested in these answers:

> Is there a bug report available for the reassembly bug, so I can track it?
> If not, where can I report it (presuming it is a bug of course)?

Regards,
Freek Dijkstra
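The root cause above (a skipto whose target number was not updated when the rules around it were renumbered) is easy to miss because ipfw does not reject a skipto target that no longer exists: skipto jumps to the first rule whose number is greater than or equal to the target, so a stale target silently lands on a later rule and bypasses everything in between. The following script is an added example, not code from this thread or from the FreeBSD project. It reads `ipfw list` output, reports where each skipto actually lands and which rules it bypasses, and flags targets that do not match an existing rule number. The sample ruleset embedded in it is constructed for illustration; the function name `ipfw_skipto_audit` and the sample rule numbers are assumptions of this example, not taken from the message.

```shell
#!/bin/sh
# Added example (not from the original thread): audit ipfw skipto targets.
# ipfw's skipto lands on the first rule numbered >= the target, so a stale
# target does not fail loudly; it just bypasses the rules in between. This
# parses `ipfw list` output (rule number first on each line) and reports,
# for every skipto, the landing rule, whether the target is exact, and the
# rules that are skipped over.

# Constructed sample of `ipfw list` output (not a real ruleset): rule 1010
# still points at 1040 after the count/deny rules were renumbered to
# 1020/1030, so it now lands on 1050 and bypasses both of them.
SAMPLE_RULES='01000 allow ip from any to any via lo0
01010 skipto 1040 ipv6 from any to me recv tun0
01020 count log ipv6 from any to me recv tun0 frag
01030 deny log ipv6 from any to me recv tun0
01050 allow tcp from any to me 22 in
01060 skipto 65535 ip from any to any
65535 deny ip from any to any'

# ipfw_skipto_audit: reads `ipfw list` output on stdin, prints one report
# line per skipto rule, exits 1 if any skipto target is not an existing
# rule number (STALE), 0 otherwise.
ipfw_skipto_audit() {
    awk '
    # Collect rule numbers in list order and remember numeric skipto targets.
    /^[0-9]+ / {
        n = $1 + 0
        order[++count] = n
        if ($2 == "skipto" && $3 ~ /^[0-9]+$/) src[n] = $3 + 0
    }
    END {
        status = 0
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (!(s in src)) continue
            t = src[s]
            # Landing rule: first rule in list order numbered >= target.
            land = 0
            for (j = 1; j <= count; j++) {
                if (order[j] >= t) { land = order[j]; break }
            }
            if (land == 0) {
                printf("rule %d: skipto %d lands on no rule\n", s, t)
                status = 1
                continue
            }
            # Rules after the skipto and before the landing rule are bypassed.
            skipped = ""
            for (j = i + 1; j <= count; j++) {
                if (order[j] >= land) break
                skipped = skipped (skipped == "" ? "" : ",") order[j]
            }
            flag = (land == t) ? "ok" : "STALE"
            printf("rule %d: skipto %d lands on %d [%s] bypasses: %s\n",
                   s, t, land, flag, (skipped == "" ? "none" : skipped))
            if (land != t) status = 1
        }
        exit status
    }'
}

# Stand-alone run against the constructed sample. On a FreeBSD box use:
#   ipfw list | ipfw_skipto_audit
printf '%s\n' "$SAMPLE_RULES" | ipfw_skipto_audit
```

Feed it `ipfw list` rather than `ipfw show`, since `show` puts packet and byte counters between the rule number and the action. A skipto whose target exists but still bypasses rules you care about (the "ok" lines) is not flagged, so read the "bypasses:" column as well when you have just renumbered rules, as in the message above.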