Date: Sat, 9 Jun 2012 21:40:39 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: list_freebsd@bluerosetech.com
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 fragments firewall support?
Message-ID: <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
In-Reply-To: <4FD30582.90506@bluerosetech.com>

On 9. Jun 2012, at 08:12, list_freebsd@bluerosetech.com wrote:

> There's a sentence at the end of the "Fragment Handling" section of the pf.conf man page:
>
> "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally."
>
> This is in pf.conf(5) for FreeBSD versions using pf 4.1. It looks like we only have pf 4.5 in HEAD and I believe support for IPv6 fragments didn't arrive until OpenBSD 5.0 (after the pf.conf format change).
>
> Is IPv6 fragmentation support still an issue? I'm chasing down PMTU issues and came across this. If it's the case, it would explain a lot of the problems I'm having with UDP over IPv6.

Yes, it's not there yet; someone needs to cherry pick the commits and bring it over. Glebius can you do that?

You can however unconditionally allow all fragments and trust a (bad) end host system:

	pass log quick inet6 proto ipv6-frag all

(it has log set for a reason to be able to track them here)

/bz

-- 
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
