From owner-freebsd-pf@FreeBSD.ORG Wed Jul 9 12:42:56 2014
Message-ID: <53BD38C4.4050100@ijs.si>
Date: Wed, 09 Jul 2014 14:42:44 +0200
From: Mark Martinec
Organization: Jozef Stefan Institute
To: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
References: <53BC717C.9080108@com.jkkn.dk>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2014-07-09 0:32, Kristian K. Nielsen wrote:
> f) IPv6 support? - it seems to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more
> and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments which has been open
> since 2008 and where the workaround is the necessity to leave an open hole
> in your firewall ruleset to allow all fragments. According to a comment in
> the bug, this has been long gone in OpenBSD.

The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.

Besides the long-standing bugs (like: scrub reassemble tcp breaks CRC on IPv6), the following stands out:

- last time I looked, neither PF nor IPFW could be used on a FreeBSD kernel built WITHOUT_INET. This means that features like ssh-guard and per-application protection on a dedicated IPv6-only host are not available
- no support for IPv6 prefix translation, and no stateful NAT64 support

Then, unrelated to IPv6:

- no support for DSCP (the TOS byte includes ECN bits, hard to filter out)
- the new 'match' mechanism would be really nice to have

Mark
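Two of the points in the message above, the IPv6 fragment handling and the "TOS byte includes ECN bits" problem, come down to how a filter reads the IPv6 header. The following is an added illustration written for this archive page; it is not code from the post, from pf, or from FreeBSD. It parses the fixed IPv6 header per RFC 8200 and walks the extension-header chain (Hop-by-Hop, Routing, Destination Options, Fragment), splitting the traffic-class byte into DSCP (upper six bits) and ECN (lower two bits) as RFC 3168 defines them. The packet builder, the addresses and the port/payload bytes are constructed test data. It goes slightly beyond the post by also showing why a non-first fragment carries no transport header at all, which is what forces a stateless ruleset to pass all fragments unless the filter reassembles.

```python
"""Added example, not from the mailing-list post: recover DSCP/ECN and
fragment status from an IPv6 packet, the way a filter must before it
can match on either.  All packets below are constructed test data."""
import ipaddress
import struct

IPV6_FIXED_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_TCP, NH_UDP = 6, 17
# Extension headers laid out as (next header, hdr ext len in 8-octet units - 1)
OPTION_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}

# Constructed documentation-range addresses (RFC 3849)
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed header and extension chain; raise on malformed input."""
    if len(pkt) < IPV6_FIXED_LEN:
        raise ValueError("short packet")
    word0, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not IPv6")
    tclass = (word0 >> 20) & 0xFF          # the 8-bit traffic class ("TOS")
    info = {
        "traffic_class": tclass,
        "dscp": tclass >> 2,               # RFC 2474: upper six bits
        "ecn": tclass & 0x3,               # RFC 3168: lower two bits
        "flow_label": word0 & 0xFFFFF,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
        "is_fragment": False,
        "fragment_offset": None,
        "more_fragments": None,
        "upper_protocol": None,
        "upper_header_present": True,      # False for non-first fragments
    }
    off = IPV6_FIXED_LEN
    end = min(len(pkt), IPV6_FIXED_LEN + payload_len)
    while True:
        if nxt == NH_FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated fragment header")
            nh, _res, off_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["is_fragment"] = True
            info["fragment_offset"] = off_flags >> 3      # in 8-octet units
            info["more_fragments"] = bool(off_flags & 1)  # M flag
            # Only the first fragment (offset 0) carries the transport header;
            # later pieces have no ports for a stateless rule to look at.
            info["upper_header_present"] = info["fragment_offset"] == 0
            nxt, off = nh, off + 8
        elif nxt in OPTION_HEADERS:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            nh, ext_len = pkt[off], pkt[off + 1]
            nxt, off = nh, off + (ext_len + 1) * 8
        else:
            info["upper_protocol"] = nxt
            return info


def build_ipv6(src, dst, dscp, ecn, next_header, payload, fragment=None):
    """Construct a test packet; fragment=(offset_in_8_octet_units, more, ident)."""
    tclass = ((dscp & 0x3F) << 2) | (ecn & 0x3)
    body, nh = payload, next_header
    if fragment is not None:
        frag_off, more, ident = fragment
        body = struct.pack("!BBHI", next_header, 0,
                           (frag_off << 3) | (1 if more else 0), ident) + payload
        nh = NH_FRAGMENT
    word0 = (6 << 28) | (tclass << 20)
    return struct.pack("!IHBB", word0, len(body), nh, 64) + src + dst + body


def tos_byte_match(pkt: bytes, tos: int) -> bool:
    """Whole-byte comparison: breaks as soon as ECN marks differ."""
    return parse_ipv6(pkt)["traffic_class"] == tos


def dscp_match(pkt: bytes, dscp: int) -> bool:
    """DSCP-only comparison: what a DSCP-aware rule should do."""
    return parse_ipv6(pkt)["dscp"] == dscp


if __name__ == "__main__":
    ef_plain = build_ipv6(SRC, DST, 46, 0, NH_TCP, b"\x00" * 20)   # EF, Not-ECT
    ef_ect = build_ipv6(SRC, DST, 46, 2, NH_TCP, b"\x00" * 20)     # EF, ECT(0)
    print("tos 0xb8 matches ECT packet:", tos_byte_match(ef_ect, 0xB8))
    print("dscp 46 matches ECT packet: ", dscp_match(ef_ect, 46))
    tail = build_ipv6(SRC, DST, 0, 0, NH_UDP, b"\xaa" * 8, fragment=(185, False, 0x1234))
    print(parse_ipv6(tail))
```

Running the module shows the two failure modes side by side: the same EF traffic fails a whole-byte TOS match the moment a host sets ECT, while a DSCP-only match still holds; and a trailing fragment reports `upper_header_present` as False because the UDP header lives in the first piece only.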