Date: Wed, 13 Dec 2006 07:59:21 +0200
From: John Hay <jhay@meraka.org.za>
To: freebsd-ipfw@freebsd.org
Subject: ipfw handling of ipv6 fragments
Message-ID: <20061213055921.GA41325@zibbi.meraka.csir.co.za>
Hi,

We are trying out nat-pt here and it triggers lots of "IPFW2: IPV6 - Invalid Fragment Header" messages. Our ipfw code seems to think that one cannot have a fragment header on a packet that does not need to be fragmented. Is there a reason for it? RFC2765 section 3 does say one MUST use such a fragment header on all packets that go through nat-pt and do not have the DF bit set.

So I have been running with that check removed. Does anyone have an objection to me committing this?

Index: netinet/ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.106.2.23 diff -u -r1.106.2.23 ip_fw2.c --- netinet/ip_fw2.c 20 Nov 2006 15:19:10 -0000 1.106.2.23 +++ netinet/ip_fw2.c 13 Dec 2006 05:40:36 -0000 @@ -2295,13 +2295,7 @@ * fragment to be != 0. */ offset |= ((struct ip6_frag *)ulp)->ip6f_offlg & IP6F_MORE_FRAG; - if (offset == 0) { - printf("IPFW2: IPV6 - Invalid Fragment " - "Header\n"); - if (fw_deny_unknown_exthdrs) - return (IP_FW_DENY); - break; - } + /* According to RFC2765 3.1 offset can be 0 */ args->f_id.frag_id6 = ntohl(((struct ip6_frag *)ulp)->ip6f_ident); ulp = NULL;

John
--
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org
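
Review bot: Removing the whole `if (offset == 0)` block drops the `fw_deny_unknown_exthdrs` deny path together with the printf, so a fragment header with offset 0 and no more-fragments bit is now always accepted and goes straight on to the `frag_id6` assignment and `ulp = NULL`, with no setting left for an administrator who wants to keep rejecting it. If the per-packet log noise is the actual problem, consider removing only the printf, or keeping the `return (IP_FW_DENY)` behind the sysctl and documenting that nat-pt setups need it off. The retained comment ending "fragment to be != 0." no longer matches the code, since offset can now remain 0 past this point; it should be updated along with the new one-line comment, which cites RFC2765 3.1 while the message cites section 3.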