From owner-freebsd-pf@FreeBSD.ORG Tue Jun 7 21:29:59 2011
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A61A6106566C; Tue, 7 Jun 2011 21:29:59 +0000 (UTC) (envelope-from mike@jellydonut.org)
Received: from mail-ew0-f54.google.com (mail-ew0-f54.google.com [209.85.215.54]) by mx1.freebsd.org (Postfix) with ESMTP id 1AE9E8FC08; Tue, 7 Jun 2011 21:29:58 +0000 (UTC)
Received: by ewy1 with SMTP id 1so2770119ewy.13 for ; Tue, 07 Jun 2011 14:29:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.213.28.139 with SMTP id m11mr2786787ebc.108.1307480603750; Tue, 07 Jun 2011 14:03:23 -0700 (PDT)
Received: by 10.213.114.82 with HTTP; Tue, 7 Jun 2011 14:03:23 -0700 (PDT)
In-Reply-To: <20110607195057.GA37735@in-addr.com>
References: <20110607195057.GA37735@in-addr.com>
Date: Tue, 7 Jun 2011 17:03:23 -0400
Message-ID:
From: Michael Proto
To: Gary Palmer
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 day, PF and IPv6 fragments
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 07 Jun 2011 21:29:59 -0000

On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer wrote:
> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says
>
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
>
> Is this correct?  If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?
>
> Thanks,
>
> Gary

Unless I'm mistaken, there shouldn't be any fragments for IPv6, at least
nothing traversing IPv6-capable routers. MTU path-discovery is supposed to
take care of that and any fragmentation is supposed to be done on the
sending host once path-discovery determines the correct MTU.

http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation

-Proto
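The pflog lines Gary quotes are the only evidence a firewall operator gets that pf is dropping IPv6 fragments, and the telling detail is that the first fragment (offset 0, the one carrying the TCP header) is among the drops, so the whole segment is lost rather than just a tail. The script below is an added example, not code from this thread or from the pf project: it parses tcpdump-style pflog text, picks out blocked fragments, and groups them by flow to show whether a contiguous datagram was dropped. The sample log is constructed here; it mirrors the shape of the two quoted lines, but the destination address (stripped in the archive) is replaced with a documentation-prefix placeholder and the third, non-fragment line is made up.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style pflog output. The two "frag" lines follow
# the shape of the ones quoted in the thread; the destination address and the
# third line are made up for this example (2001:db8::/32 is a documentation prefix).
SAMPLE_LOG = """\
2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::10: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::10: frag (1424|16)
2011-06-07 20:36:01.000000 rule 12/0(match): block in on gif0: 2001:db8:ffff::5.443 > 2001:db8::10.50000: S 1:1(0) win 65535
"""

# "<timestamp> rule N/M(reason): <action> <dir> on <if>: <src> > <dst>: <rest>"
# IPv6 addresses contain colons, so <dst> is matched with \S+ and the trailing
# ": " is resolved by backtracking rather than by excluding ':'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# tcpdump prints IPv6 fragment headers as "frag (<offset>|<length>)"; only the
# first fragment (offset 0) is followed by a decoded transport header.
FRAG_RE = re.compile(r"^frag \((?P<offset>\d+)\|(?P<length>\d+)\)(?: (?P<payload>.*))?$")


def parse_line(line):
    """Parse one pflog text line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sub"] = int(rec["sub"])
    frag = FRAG_RE.match(rec["rest"])
    if frag:
        rec["frag_offset"] = int(frag["offset"])
        rec["frag_length"] = int(frag["length"])
        rec["payload"] = frag["payload"]  # transport header, present only at offset 0
    else:
        rec["frag_offset"] = None
        rec["frag_length"] = None
        rec["payload"] = rec["rest"]
    return rec


def blocked_fragments(text):
    """Return parsed records for every blocked fragment in the log text, in order."""
    records = (parse_line(line) for line in text.splitlines() if line.strip())
    return [r for r in records
            if r is not None and r["action"] == "block" and r["frag_offset"] is not None]


def group_datagrams(records):
    """Group blocked fragments per flow and rule, and check whether the offsets
    form one contiguous datagram (each fragment ends where the next begins)."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["ifname"], r["rule"])].append(r)
    summary = []
    for (src, dst, ifname, rule), frags in flows.items():
        frags.sort(key=lambda r: r["frag_offset"])
        contiguous = all(a["frag_offset"] + a["frag_length"] == b["frag_offset"]
                         for a, b in zip(frags, frags[1:]))
        summary.append({
            "src": src, "dst": dst, "ifname": ifname, "rule": rule,
            "fragments": len(frags),
            "contiguous": contiguous,
            "total_bytes": frags[-1]["frag_offset"] + frags[-1]["frag_length"],
            # If the offset-0 fragment was dropped, the transport header went with it.
            "first_fragment_blocked": frags[0]["frag_offset"] == 0,
            "transport": frags[0]["payload"] if frags[0]["frag_offset"] == 0 else None,
        })
    return summary


if __name__ == "__main__":
    for d in group_datagrams(blocked_fragments(SAMPLE_LOG)):
        print(f"rule {d['rule']} on {d['ifname']}: {d['src']} > {d['dst']} "
              f"{d['fragments']} fragments, {d['total_bytes']} bytes, "
              f"contiguous={d['contiguous']}, first_fragment_blocked={d['first_fragment_blocked']}, "
              f"transport={d['transport']!r}")
```

Run against a real `tcpdump -n -e -ttt -i pflog0` text capture, the grouping makes the difference between an occasional stray fragment and a rule that silently discards every fragmented IPv6 datagram on an interface, which is the situation the quoted man page describes.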