From: "Bjoern A. Zeeb"
Date: Tue, 7 Jun 2011 21:33:30 +0000
To: Michael Proto
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 day, PF and IPv6 fragments
Message-Id: <00EBAA07-0E65-49D0-A281-FF98DF6C98BA@lists.zabbadoz.net>
References: <20110607195057.GA37735@in-addr.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Jun 7, 2011, at 9:03 PM, Michael Proto wrote:

> On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer wrote:
>> Hi,
>>
>> I noticed after running test-ipv6.com at home that I was getting
>>
>> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211
>> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (1424|16)
>>
>> on my FreeBSD 7.3-RELEASE firewall. "man pf.conf" says
>>
>>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>>     blocked unconditionally.
>>
>> Is this correct? If so, what is the correct way of getting IPv6 fragmented
>> packets through a pf firewall, or which version of FreeBSD introduces a PF
>> version that natively handles IPv6 fragments?
>>
>> Thanks,
>>
>> Gary
>
> Unless I'm mistaken, there shouldn't be any fragments for IPv6, at
> least nothing traversing IPv6-capable routers. MTU path-discovery is
> supposed to take care of that and any fragmentation is supposed to be
> done on the sending host once path-discovery determines the correct
> MTU.
>
> http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation

Whatever they say and what you read. There are fragments in IPv6 as well.
Indeed, no one fragments the packet on the path, but if I am going to write
32k of data to UDP you'll see a lot of fragments no matter what. Actually
this is the most common frag6 source I am seeing -- large DNS replies due
to DNSSEC, etc.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
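Bjoern's point, worked through as an added example that is not part of the thread and is not pf or FreeBSD code: in IPv6 only the sending host fragments, by inserting a Fragment extension header (Next Header 44) and splitting the payload into 8-octet multiples, exactly as RFC 2460 section 4.5 describes. The script below builds a UDP datagram larger than the path MTU, fragments it the way the source host would, decodes each fragment into the "frag (offset|length)" pair that pflog prints, and reassembles it at the receiver. The addresses (2001:db8::1 and 2001:db8::2), ports, the 1700-byte "DNS answer", the identification value and the 1280-byte MTU are all constructed for illustration; the UDP checksum is left at zero because the example never puts the packet on a wire.

```python
"""Source-side IPv6 fragmentation (RFC 2460 sec. 4.5), receiver-side
reassembly, and the offset/length pair a pflog 'frag (o|l)' line shows.
Added example; all packet contents below are constructed, not captured."""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44          # Next Header value of the Fragment extension header
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """Fixed 40-byte IPv6 base header (version 6, no traffic class/flow label)."""
    return struct.pack("!IHBB16s16s",
                       6 << 28, payload_len, next_header, hop_limit,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def udp_datagram(sport, dport, data):
    """UDP header plus payload. Checksum left zero: illustration only."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, next_header, payload, mtu, ident):
    """Split one IPv6 packet as the *sending host* does.

    Routers never fragment in IPv6. If base header + payload exceeds the
    MTU, the source emits fragments that each carry a Fragment header;
    every fragment except the last holds a multiple of 8 octets.
    """
    if IPV6_HDR_LEN + len(payload) <= mtu:
        return [ipv6_header(src, dst, len(payload), next_header) + payload]
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7   # largest 8-multiple that fits
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        # Fragment header: Next Header, Reserved, Offset(13 bits in 8-octet
        # units) | Res(2) | M(1), Identification. Since 'off' is a multiple
        # of 8, (off // 8) << 3 == off, so the field is simply off | more.
        fh = struct.pack("!BBHI", next_header, 0, off | more, ident)
        frags.append(ipv6_header(src, dst, FRAG_HDR_LEN + len(piece), IPPROTO_FRAGMENT)
                     + fh + piece)
    return frags


def parse_fragment(pkt):
    """Return (offset, length, more, ident) in the units pflog prints as
    'frag (offset|length)', or None if the packet carries no Fragment header."""
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    if nh != IPPROTO_FRAGMENT:
        return None
    _inner_nh, _res, off_m, ident = struct.unpack("!BBHI", pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + 8])
    return (off_m & ~7, payload_len - FRAG_HDR_LEN, off_m & 1, ident)


def reassemble(frags):
    """Receiver-side reassembly of one identification; returns the original payload."""
    parts, total = {}, None
    for pkt in frags:
        off, length, more, _ident = parse_fragment(pkt)
        parts[off] = pkt[IPV6_HDR_LEN + FRAG_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN + length]
        if not more:
            total = off + length
    data = b"".join(parts[o] for o in sorted(parts))
    if total is None or len(data) != total:
        raise ValueError("incomplete fragment set")
    return data


def demo():
    """Constructed case: a 1700-byte UDP payload (DNSSEC-sized answer) from
    2001:db8::1 port 53 to 2001:db8::2, sent over the IPv6 minimum MTU of 1280."""
    src, dst = "2001:db8::1", "2001:db8::2"
    answer = bytes(range(256)) * 6 + b"\x00" * 164      # 1700 bytes, constructed
    dgram = udp_datagram(53, 40000, answer)
    frags = fragment(src, dst, IPPROTO_UDP, dgram, mtu=1280, ident=0x1234)
    fields = [parse_fragment(f) for f in frags]
    return frags, fields, reassemble(frags) == dgram


if __name__ == "__main__":
    frags, fields, ok = demo()
    for (off, length, more, ident), pkt in zip(fields, frags):
        print(f"frag ({off}|{length}) M={more} id={ident:#x} on-wire {len(pkt)} bytes")
    print("reassembled OK" if ok else "reassembly FAILED")
```

Two things the output makes concrete for anyone tuning a filter: only the first fragment carries the UDP (or TCP) header, so a stateless rule that matches on ports cannot identify the non-first fragments at all, which is why a firewall that cannot reassemble IPv6 fragments ends up dropping them; and the first fragment's length is the largest multiple of 8 that fits under the MTU after the 48 bytes of base and Fragment headers, which is the arithmetic behind the (0|1424) and (1424|16) pair in Gary's log.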