Date: Mon, 28 Jul 2014 19:41:26 +1000 From: Darren Reed <darrenr@freebsd.org> To: Cy Schubert <Cy.Schubert@komquats.com> Cc: freebsd-current@freebsd.org Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ? Message-ID: <53D61AC6.5030305@freebsd.org> In-Reply-To: <201407261843.s6QIhcx4008597@slippy.cwsent.com> References: <201407261843.s6QIhcx4008597@slippy.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 27/07/2014 4:43 AM, Cy Schubert wrote: > In message <53D395E4.1070006@fastmail.net>, Darren Reed writes: >> On 24/07/2014 1:42 AM, Cy Schubert wrote: >>>>> But, lack of ipv6 fragment processing still causes ongoing pain. That'= >>>>> s our=20 >>>>> #1 wish list item for the cluster. >>> Taking this discussion slightly sideways but touching on this thread a >>> little, each of our packet filters will need nat66 support too. Pf doesn't >>> support it for sure. I've been told that ipfw may and I suspect ipfilter >>> doesn't as it was on Darren's todo list from 2009. >> ipfiler 5 handles fragments for ipv6. > Switching gears and leaving the discussion of ipv6 fragments to mention > nat66. A lot of people have been talking about nat66. I could be wrong but > I don't think it can handle nat66. I need to do some testing to verify > this. I remember reading on sourceforge that it was on your todo list. It > doesn't look like it was checked off as being completed. IPFilter 5 does IPv6 NAT. With the import of 5.1.2, map, rdr and rewrite rules will all work with IPv6 addresses. NAT66 is a specific implementation of IPv6 NAT behaviour. Cheers, Darren
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53D61AC6.5030305>