From: Mark Martinec
Organization: Jozef Stefan Institute
Date: Thu, 10 Jul 2014 12:45:25 +0200
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
Message-ID: <53BE6EC5.3060605@ijs.si>
References: <53BC717C.9080108@com.jkkn.dk> <53BD38C4.4050100@ijs.si>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf@freebsd.org>

On 2014-07-09 17:30, Ermal Luçi wrote:
> On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec wrote:
> > On 2014-07-09 0:32, Kristian K. Nielsen wrote:
> > > f) IPv6 support - it seems to be more and more challenged in the
> > > current version of pf in FreeBSD and I am (as well as others)
> > > introducing more and more IPv6 in networks.
> > > E.g. Bugs #179392, #172648, #130381, #127920 and more seriously
> > > #124933, which is the bug on not handling IPv6 fragments, which has
> > > been open since 2008 and where the workaround is the necessity to
> > > leave an open hole in your firewall ruleset to allow all fragments.
> > > According to a comment in the bug, this has been long gone in OpenBSD.
> >
> > The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
> > Besides the long-standing bugs (like: scrub reassemble tcp
> > breaks CRC on IPv6), the following stands out:
>
> Can you be a bit more verbose on this one?

http://www.freebsd.org/cgi/query-pr.cgi?pr=172648

> > - last time I looked, neither PF nor IPFW could be used on a
> > FreeBSD kernel built WITHOUT_INET. This means that features
> > like ssh-guard and per-application protection on a dedicated
> > IPv6-only host are not available
>
> I am not sure on the version in FreeBSD 10 but on FreeBSD 9 and before
> it should be possible to compile without INET afair!
> Which version of FreeBSD are you testing this on?

It compiles just fine, but can't be loaded or run.
If memory serves, the pf kernel module loads fine but pfctl fails,
and the ipfw kernel module can't be loaded at all.
Will need to re-run this experiment to make sure, and will report back.

  Mark