Date:      Sat, 9 Jun 2012 21:40:39 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        list_freebsd@bluerosetech.com
Cc:        freebsd-pf@freebsd.org
Subject:   Re: IPv6 fragments firewall support?
Message-ID:  <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
In-Reply-To: <4FD30582.90506@bluerosetech.com>
References:  <4FD30582.90506@bluerosetech.com>


On 9. Jun 2012, at 08:12 , list_freebsd@bluerosetech.com wrote:

> There's a sentence at the end of the "Fragment Handling" section of the pf.conf man page:
>
> "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally."
>
> This is in pf.conf(5) for FreeBSD versions using pf 4.1.  It looks like we only have pf 4.5 in HEAD and I believe support for IPv6 fragments didn't arrive until OpenBSD 5.0 (after the pf.conf format change).
>
> Is IPv6 fragmentation support still an issue?  I'm chasing down PMTU issues and came across this.  If it's the case, it would explain a lot of the problems I'm having with UDP over IPv6.

Yes, it's not there yet;  someone needs to cherry pick the commits and bring it over.  Glebius can you do that?

You can however unconditionally allow all fragments and trust a (bad) end host system:

pass log quick inet6 proto ipv6-frag all

(it has log set for a reason to be able to track them here)

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!
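
Added example, not part of the original message: a small parser for the IPv6 Fragment header (next header 44, the protocol the rule above names `ipv6-frag`), useful for reviewing fragments that the `log` keyword captured. The function names and the sample packet are constructed for illustration, and the parser assumes the Fragment header directly follows the fixed IPv6 header.

```python
import ipaddress
import struct

IPV6_FRAG = 44  # protocol number pf calls "ipv6-frag"

def parse_ipv6_fragment(packet: bytes):
    """Describe the Fragment header of a raw IPv6 packet, or return None.

    Assumption: the Fragment header directly follows the 40-byte fixed
    header; other extension headers in front of it are not walked.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack_from("!HB", packet, 4)
    if next_header != IPV6_FRAG:
        return None
    if len(packet) < 48:
        raise ValueError("truncated Fragment header")
    # next header (8) | reserved (8) | offset (13) res (2) M (1) | identification (32)
    upper, _reserved, off_m, ident = struct.unpack_from("!BBHI", packet, 40)
    return {
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "upper_proto": upper,              # e.g. 17 = UDP
        "offset": (off_m >> 3) * 8,        # offset is carried in 8-byte units
        "more_fragments": bool(off_m & 1),
        "id": ident,
        "data_len": payload_len - 8,       # payload minus the Fragment header
    }

def build_sample(fragmented: bool = True) -> bytes:
    """Constructed sample packet using documentation addresses (2001:db8::/32)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    data = b"\x00" * 16
    if not fragmented:
        return struct.pack("!IHBB16s16s", 6 << 28, len(data), 17, 64, src, dst) + data
    frag = struct.pack("!BBHI", 17, 0, (181 << 3) | 1, 0x12345678)
    return struct.pack("!IHBB16s16s", 6 << 28, 8 + len(data), IPV6_FRAG, 64, src, dst) + frag + data

if __name__ == "__main__":
    print(parse_ipv6_fragment(build_sample()))
```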
