Date: Sat, 20 Feb 2016 06:20:31 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 207363] pf drops fragmented ICMPv6 Message-ID: <bug-207363-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207363 Bug ID: 207363 Summary: pf drops fragmented ICMPv6 Product: Base System Version: 10.2-STABLE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: freebsd.bugs@gmail.com pf drops fragmented ICMPv6 despite being configured to allow ipv6-icmp. This is consistently reproducible in 9.3-RELEASE and 10.3-BETA2. ping6 to www.freebsd.org works when there is no fragmentation: root@freebsd10:~ # ping6 -c3 -s1000 www.freebsd.org PING6(1048=40+8+1000 bytes) 2001:44b8:201:5801:20c:29ff:fe9a:dd8b --> 2001:1900:2254:206a::50:0 1008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=0 hlim=56 time=189.932 ms 1008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=1 hlim=56 time=192.217 ms 1008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=2 hlim=56 time=191.740 ms --- wfe0.ysv.freebsd.org ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 189.932/191.296/192.217/0.984 ms However replies and requests are dropped by pf when they are fragmented: root@freebsd10:~ # ping6 -c3 -s2000 www.freebsd.org PING6(2048=40+8+2000 bytes) 2001:44b8:201:5801:20c:29ff:fe9a:dd8b --> 2001:1900:2254:206a::50:0 --- wfe0.ysv.freebsd.org ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss root@freebsd10:~ # tcpdump -r /var/log/pflog 16:12:01.910795 IP6 wfe0.ysv.freebsd.org > 2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (0|1440) ICMP6, echo reply[|icmp6] 16:12:01.911607 IP6 wfe0.ysv.freebsd.org > 2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (1440|568) 16:12:02.950043 IP6 wfe0.ysv.freebsd.org > 2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (0|1440) ICMP6, echo reply[|icmp6] 16:12:02.950050 IP6 wfe0.ysv.freebsd.org > 2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (1440|568) 16:12:03.995892 IP6 wfe0.ysv.freebsd.org > 2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (0|1440) ICMP6, echo reply[|icmp6] 16:12:03.996569 IP6 wfe0.ysv.freebsd.org > 2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (1440|568) Disabling pf allows the ping to work again: root@freebsd10:~ # pfctl -d No ALTQ support in kernel ALTQ related functions disabled pf disabled root@freebsd10:~ # ping6 -c3 -s2000 www.freebsd.org PING6(2048=40+8+2000 bytes) 2001:44b8:201:5801:20c:29ff:fe9a:dd8b --> 2001:1900:2254:206a::50:0 2008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=0 hlim=54 time=204.390 ms 2008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=1 hlim=54 time=200.665 ms 2008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=2 hlim=54 time=202.051 ms --- wfe0.ysv.freebsd.org ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 200.665/202.369/204.390/1.537 ms root@freebsd10:~ # cat /etc/pf.conf set skip on lo pass out quick block in log pass in quick inet6 proto ipv6-icmp pass in quick inet6 proto tcp to port ssh This may be related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933 -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-207363-8>