From: "Bjoern A. Zeeb"
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Wed, 23 Jul 2014 20:59:19 +0000
To: Allan Jude
Cc: freebsd-current@freebsd.org
In-Reply-To: <53D01DDD.8000806@freebsd.org>
References: <201407231542.s6NFgX4M025370@slippy.cwsent.com> <50E4E363-B2C0-4ED7-A0C4-2D7C69FF15B2@lists.zabbadoz.net> <53D01DDD.8000806@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

On 23 Jul 2014, at 20:41 , Allan Jude wrote:

> On 2014-07-23 16:38, Bjoern A. Zeeb wrote:
>> On 23 Jul 2014, at 15:42 , Cy Schubert wrote:
>>
>>> Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters will need nat66 support too. Pf doesn't support it for sure. I've been told that ipfw may and I suspect ipfilter doesn't as it was on Darren's todo list from 2009.
>>
>> our pf does support IPv6 prefix rewriting quite nicely and has for years.
>
> Bjoern: What IPv6 stuff does our pf not do well?

I think the most pressing, as Peter said, is fragment handling, though a good fraction of major content providers seems to do mss clamping to a min IPv6 mtu on IPv6 and drop fragments at the edge (not much different to IPv4, which makes you wonder?). Whoever is clever will think of how many different queueing and fragment handling implementations we need in the kernel, and how often we have to do it on an end node that might also run a firewall, pick one we have, turn it into a library thing, apply it to all places, and then add the latest IETF suggestions on top of it.

There was (is?) another case that in certain situations with certain pf options IPv6/ULP packets would not pass or get corrupted. I think no one who experienced it ever tracked it down to the code but I am sure there are PRs for this; best bet is that not all header sizes are equal and length/offsets into IPv6 packets are different to IPv4, especially when you scrub.

Apart from that my knowledge of pf is diminishing.

—
Bjoern A. Zeeb             "Come on. Learn, goddamn it.", WarGames, 1983
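The edge practice the message describes (clamp TCP MSS so segments fit the 1280-byte minimum IPv6 MTU, and deal with fragments before filtering) written out as a pf.conf fragment. This is an added example, not part of the thread and not the FreeBSD project's own configuration; the interface name `em0`, the choice to reassemble rather than drop fragments, and the assumption that the pf in use honours `fragment reassemble` for inet6 (which is exactly the capability gap the message is about) are all assumptions, not something the thread confirms.

```pf
# Added example, not from the thread. Interface name em0 is assumed.
ext_if = "em0"

# MSS arithmetic for the IPv6 minimum MTU:
#   1280 (minimum IPv6 link MTU, RFC 2460)
#   -  40 (fixed IPv6 header, no extension headers)
#   -  20 (TCP header without options)
#   = 1220 bytes of TCP payload per segment.
# Clamping the MSS advertised in SYNs to 1220 means no TCP peer ever
# sends a segment that a 1280-byte path would have to fragment, so the
# firewall rarely has to reassemble TCP traffic at all.
#
# "fragment reassemble" on the inbound rule makes pf buffer fragments
# until the whole packet is present, so the filter rules below see a
# complete upper-layer header and not a fragment carrying part of it.
# Assumption: the pf in use actually reassembles IPv6 fragments; if it
# does not, fragments are dropped here and that behaviour is the
# "drop fragments at the edge" policy instead of reassembly.
scrub in  on $ext_if inet6 all fragment reassemble max-mss 1220
scrub out on $ext_if inet6 all max-mss 1220

# Minimal stateful policy so the scrub rules have something to feed:
# default deny inbound, allow established flows out, admit only SSH in.
block in  on $ext_if inet6
pass  out on $ext_if inet6 keep state
pass  in  on $ext_if inet6 proto tcp from any to ($ext_if) port 22 keep state
```

Both scrub options live on one inbound rule rather than on two separate rules because scrub rules are matched first-rule-wins per packet; splitting `max-mss` and `fragment reassemble` across two rules would leave TCP packets matching only the first one. Load with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`.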