From: "Bjoern A. Zeeb"
Date: Sat, 9 Jun 2012 21:40:39 +0000
To: list_freebsd@bluerosetech.com
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 fragments firewall support?
Message-Id: <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
In-Reply-To: <4FD30582.90506@bluerosetech.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 9. Jun 2012, at 08:12 , list_freebsd@bluerosetech.com wrote:

> There's a sentence at the end of the "Fragment Handling" section of the pf.conf man page:
>
> "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally."
>
> This is in pf.conf(5) for FreeBSD versions using pf 4.1. It looks like we only have pf 4.5 in HEAD and I believe support for IPv6 fragments didn't arrive until OpenBSD 5.0 (after the pf.conf format change).
>
> Is IPv6 fragmentation support still an issue? I'm chasing down PMTU issues and came across this. If it's the case, it would explain a lot of the problems I'm having with UDP over IPv6.

Yes, it's not there yet; someone needs to cherry pick the commits and bring it over. Glebius can you do that?

You can however unconditionally allow all fragments and trust a (bad) end host system:

pass log quick inet6 proto ipv6-frag all

(it has log set for a reason to be able to track them here)

/bz

-- 
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
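
Added example, not part of the original message or of pf: since the workaround passes every IPv6 fragment and relies on `log` to keep track of them, this Python code decodes the Fragment extension header (Next Header 44, which `proto ipv6-frag` refers to) from captured packets. It assumes raw IPv6 packet bytes with any capture or link-layer header already removed; the function names and the sample packets are constructed for illustration.

```python
import struct

FRAGMENT = 44            # IPv6 Next Header value of the Fragment header (RFC 8200)
WALKABLE = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: may precede it

def find_fragment(pkt: bytes):
    """Return Fragment header fields of a raw IPv6 packet, or None if it has none.
    Raises ValueError on truncated input instead of reporting 'unfragmented'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while True:
        if nxt == FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated fragment header")
            inner, _, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            return {
                "next_header": inner,            # protocol carried by the fragments
                "offset": (off_flags >> 3) * 8,  # byte offset in the original packet
                "more": bool(off_flags & 1),     # M flag: more fragments follow
                "id": ident,                     # same for all fragments of a packet
            }
        if nxt not in WALKABLE:                  # AH, ESP or upper layer ends the walk
            return None
        if len(pkt) < off + 2:
            raise ValueError("truncated extension header")
        nxt, hdrlen = pkt[off], pkt[off + 1]
        off += (hdrlen + 1) * 8                  # length is in 8-byte units, minus one

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 packet (constructed data, 2001:db8::/32 addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: first fragment of a UDP datagram, a last fragment placed
# behind a Destination Options header, and an unfragmented UDP packet.
FIRST = ipv6(44, struct.pack("!BBHI", 17, 0, (0 << 3) | 1, 0xABCD1234) + b"\x00" * 16)
LATER = ipv6(60, bytes([44, 0, 1, 4, 0, 0, 0, 0])
             + struct.pack("!BBHI", 17, 0, 181 << 3, 0xABCD1234) + b"\x00" * 8)
PLAIN = ipv6(17, b"\x00" * 8)
```

Grouping the decoded records by `id` shows whether every fragment of a datagram reached the logging host, which is the question when chasing PMTU problems with UDP over IPv6.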