Date: Tue, 7 Jun 2011 17:03:23 -0400
From: Michael Proto <mike@jellydonut.org>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 day, PF and IPv6 fragments
Message-ID: <BANLkTik=YyzTV7CAx9MOqapZF7o7Bzaibg@mail.gmail.com>
In-Reply-To: <20110607195057.GA37735@in-addr.com>
References: <20110607195057.GA37735@in-addr.com>

On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer <gpalmer@freebsd.org> wrote:
> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says
>
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
>
> Is this correct?  If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?
>
> Thanks,
>
> Gary

Unless I'm mistaken, there shouldn't be any fragments for IPv6, at
least nothing traversing IPv6-capable routers. MTU path-discovery is
supposed to take care of that and any fragmentation is supposed to be
done on the sending host once path-discovery determines the correct
MTU.

http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation

-Proto
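
An added example, not part of either poster's message: a small triage script for pflog output in the format quoted above, grouping blocked IPv6 fragments per flow and checking whether each fragment train is complete from offset 0. It assumes tcpdump's `frag (offset|length)` notation; the log lines are constructed and use documentation addresses rather than the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the tcpdump/pflog format quoted in the message;
# the addresses are documentation prefixes, not the ones from the thread.
SAMPLE = """\
2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:db8:1::11 > 2001:db8:2::1: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:db8:1::11 > 2001:db8:2::1: frag (1424|16)
2011-06-07 20:36:01.000100 rule 279/0(match): block in on gif0: 2001:db8:3::5 > 2001:db8:2::1: frag (1232|200)
2011-06-07 20:36:02.000100 rule 12/0(match): pass in on gif0: 2001:db8:3::5 > 2001:db8:2::1: ICMP6, echo request
"""

# Matches only "block in" entries that carry a fragment descriptor.
LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): block in on (?P<ifc>\S+): "
    r"(?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)"
)

def blocked_fragments(text):
    """Group blocked IPv6 fragments by (interface, src, dst)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            key = (m["ifc"], m["src"], m["dst"])
            flows[key].append((int(m["off"]), int(m["len"])))
    return flows

def summarize(flows):
    """Per flow: fragment count, bytes seen, and whether the fragments
    form a gap-free run starting at offset 0."""
    out = {}
    for key, frags in flows.items():
        expected, contiguous = 0, True
        for off, length in sorted(frags):
            if off != expected:
                contiguous = False
            expected = off + length
        out[key] = {"fragments": len(frags),
                    "bytes": sum(n for _, n in frags),
                    "contiguous_from_zero": contiguous}
    return out

if __name__ == "__main__":
    for (ifc, src, dst), s in summarize(blocked_fragments(SAMPLE)).items():
        print(f"{ifc} {src} -> {dst}: {s}")
```

A flow whose fragments are contiguous from zero looks like an ordinary sender-side fragmented packet that the firewall dropped; a train with a missing first fragment or gaps is worth a closer look.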