From owner-freebsd-bugs@freebsd.org Sat Aug 31 21:10:44 2019
Date: Sat, 31 Aug 2019 23:10:34 +0200
From: Kristof Provost
To: László Károlyi
Cc: freebsd-bugs@freebsd.org
Subject: Re: PF and IPv6 UDP fragmented packets
Message-ID: <20190831211034.GB8888@vega.codepro.be>
In-Reply-To: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu>
References: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu>
List-Id: Bug reports

On 2019-08-31 22:42:59 (+0200), László Károlyi wrote:
> Hey,
>
> I've installed unbound into a jail to use it as a nameserver. After
> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
> saw PF dropping the UDP fragment packages arriving to and from my jail.
> According to the pf.conf readme, the IP header of the fragmented packets
> still contains the protocol type (TCP/UDP), but not the port number. I
> hope it's not a documentation bug.
>
You really, really want to have pf reassemble packets prior to filtering.
Use 'scrub all fragment reassemble'.

Regards,
Kristof
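Added example, not from the thread and not pf's own documentation: a pf.conf fragment for the setup described above (unbound in a jail answering DNS over IPv6), showing the port-only ruleset under which non-first fragments are dropped beside the corrected ruleset that reassembles before filtering. The interface name and the jail address are assumed placeholders (the address is from the RFC 3849 documentation prefix).

```pf
# Assumed placeholders: adjust to the real external interface and jail address.
ext_if = "vtnet0"
jail_dns6 = "2001:db8::53"

# --- Weak: no scrub rule. A DNS response larger than the path MTU leaves the
# jail as several IPv6 fragments. Only the first fragment carries the UDP
# header; the later ones carry Next Header = UDP but no ports, so the
# "port 53" rules below can never match them and the default block wins.
# Without reassembly the only way to let them through is a separate rule
# carrying the "fragment" option and no port (see pf.conf(5)), which passes
# them without any port-level check at all.
#
# block all
# pass in  on $ext_if inet6 proto udp from any to $jail_dns6 port 53
# pass out on $ext_if inet6 proto udp from $jail_dns6 port 53 to any

# --- Corrected: normalise first, filter second, as Kristof suggests.
# scrub runs before the filter rules, so the rules see one complete UDP
# datagram in each direction and the port match applies to all of it.
scrub all fragment reassemble

block all
pass in  on $ext_if inet6 proto udp from any to $jail_dns6 port 53
pass out on $ext_if inet6 proto udp from $jail_dns6 port 53 to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the change took effect, send a query that yields a large answer (a DNSSEC-signed zone with EDNS0 works well) and watch `pfctl -s rules -vv`: with reassembly enabled the packet counters on the two port-53 rules climb, and the "fragment" line under the Counters section of `pfctl -s info` stops increasing.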