From: Rainer Bredehorn <bredehorn@gmx.de>
Date: Sat, 27 Apr 2013 17:56:19 +0200
To: Jason Fesler, freebsd-net@FreeBSD.org
Subject: Re: PF IPv6 fragment support
Message-ID: <517BF523.6010804@gmx.de>
List-Id: Networking and TCP/IP with FreeBSD

Hi Jason!

On 27.04.2013 03:39, Jason Fesler wrote:
> On Fri, Apr 26, 2013 at 1:26 AM, Rainer Bredehorn wrote:
>> I've modified the kernel PF implementation to pass IPv6 fragments.
>> The first fragment is handled by the PF rules, of course ignoring possible checksums.
>
> Are you checking L4 before passing/not passing? What if the L4 header
> is fragmented?

Yes, when the L4 header is present it can be checked statefully. A fragment offset of zero indicates the presence of the upper layer header. A fragmented upper layer header is a problem. I think that could only be solved when the packets are reassembled. In my case it is not a big problem because I did some other modifications, like limiting the allowed number of extension headers. So a fragmented upper layer header should be a rare case.

>> All other fragments are passed by PF to the IP stack.
>> This can be done statefully, but reassembling fragments is not supported.
>
> Reassembling packets will allow full L4 checking.

Correct, but it didn't work for IPv6 in FreeBSD 8.3. Reassembling is not my favorite. I don't want to buffer network packets for performance reasons.

Rainer.
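As an added illustration of the distinction discussed in this thread (not code from the thread, from PF, or from FreeBSD), the check below walks an IPv6 extension header chain and reports what a stateful filter can do with the packet without reassembly: a first fragment (offset zero) carrying a complete L4 header can be matched; a first fragment whose L4 header is itself cut off is the hard case; non-first fragments carry no L4 header at all; and a chain longer than an assumed cap is rejected, in the spirit of the extension-header limit mentioned above. The constants, the cap of three extension headers, and the sample packets are assumptions constructed for this example.

```python
import struct

# Assumed constants for this illustration (not taken from PF's source).
IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_TCP, NH_UDP = 6, 17
EXT_HDRS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}
L4_MIN_LEN = {NH_TCP: 20, NH_UDP: 8}   # bytes needed to see ports/flags
MAX_EXT_HDRS = 3                       # assumed cap on extension headers

def classify_ipv6(pkt: bytes) -> str:
    """Walk the extension header chain and say what a stateful filter can do."""
    nh, off, ext_count, frag_offset = pkt[6], IPV6_HDR_LEN, 0, None
    while nh in EXT_HDRS:
        if off + 8 > len(pkt):
            return "truncated"
        ext_count += 1
        if ext_count > MAX_EXT_HDRS:
            return "too-many-ext-hdrs"
        if nh == NH_FRAGMENT:
            # Fragment header: next, reserved, 13-bit offset | res | M flag, identification
            nh, _res, off_flags, _ident = struct.unpack_from("!BBHI", pkt, off)
            frag_offset = off_flags >> 3
            off += 8
        else:
            # Other extension headers: next, length in 8-octet units not counting the first
            nh, hdr_ext_len = struct.unpack_from("!BB", pkt, off)
            off += (hdr_ext_len + 1) * 8
    if frag_offset is None:
        return "unfragmented"
    if frag_offset != 0:
        return "non-first-fragment"      # no L4 header here; only reassembly could check it
    if len(pkt) - off < L4_MIN_LEN.get(nh, 0):
        return "l4-header-fragmented"    # offset 0 but the L4 header does not fit: the hard case
    return "first-fragment"              # offset 0 and a complete L4 header: rules can match it

# Constructed sample packets (addresses, ports and identification are made up).
def make_pkt(first_nh: int, ext: bytes, payload: bytes) -> bytes:
    src, dst = b"\x20\x01" + b"\0" * 14, b"\x20\x01" + b"\0" * 13 + b"\x01"
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ext) + len(payload), first_nh, 64, src, dst)
    return hdr + ext + payload

def frag_hdr(nh: int, offset: int, more: bool) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), 0x1234)

def dstopts_hdr(nh: int) -> bytes:
    return struct.pack("!BB", nh, 0) + b"\x01\x04" + b"\0" * 4   # one PadN option, 8 bytes total

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte TCP header
```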