From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 9 20:33:15 2012
Message-ID: <4F342D87.5060208@macfreek.nl>
Date: Thu, 09 Feb 2012 21:33:11 +0100
From: Freek Dijkstra
To: freebsd-ipfw@freebsd.org
Subject: IPv6 fragments
List-Id: IPFW Technical Discussions

Hi all,

I'm having trouble configuring ipfw to handle fragmented IPv6 packets. To be honest, I thought that IPv6 would not fragment packets, but as you see below, I'm receiving fragmented IPv6 UDP packets over my SixXS tunnel. In this case responses to my DNS server.

My initial idea was to reassemble these packets with:

    sysctl net.inet.ip.fw.one_pass=0
    ipfw add 100 reass ipv6 from any to any in

While reass works for IPv4, it is broken in IPv6. It bricked my device... I presume this is the same problem as reported earlier on this list:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-October/004918.html
(I'm running FreeBSD 9.0-RELEASE).

My second idea was to simply allow all fragments, and let the TCP stack figure it out. I used the following ruleset:

    ipfw add 1020 count log ipv6 from any to me recv tun0 frag
    ipfw add 1030 deny log ipv6 from any to me recv tun0

Unfortunately, this still fails. Below is output of tcpdump and the ipfw log. As you can see, rule 1020 is never matched.

Did I make a mistake in the above settings? Why is rule 1020 never matched?

Is there a bug report available for the reassembly bug, so I can track it? If not, where can I report it (presuming it is a bug of course)?

Is there another way to handle/allow IPv6 fragments with ipfw (other than 'allow ipv6 from any to any')? I briefly tinkered with the possibility to let ipfw also reply with an ICMPv6:2.0 (Packet Too Big) upon receiving a fragment, but (a) I haven't figured out how to do that and (b) I'd rather follow the principle 'be liberal in what you accept'.

Any help is highly appreciated!

Regards,
Freek Dijkstra

-
16:24:03.352680 IP6 2001:610:767:a3e6::1.51846 > 2001:500:2c::254.53: 54564% [1au] AAAA? ns-ext.isc.org. (43)
16:24:03.381763 IP6 2001:500:2c::254 > 2001:610:767:a3e6::1: frag (1448|198)
16:24:03: ipfw: 1030 Deny UDP [2001:500:2c::254] [2001:610:767:a3e6::1] in via tun0 (frag 02233bd1:158@11584)
-
16:24:03.520675 IP6 2001:500:71::30 > 2001:610:767:a3e6::1: frag (0|1232) 53 > 63213: 55996*- 2/5/13 AAAA 2001:4f8:0:2::13, RRSIG (1224)
16:24:03.521271 IP6 2001:500:71::30 > 2001:610:767:a3e6::1: frag (1232|414)
16:24:03: ipfw: 1030 Deny UDP [2001:500:71::30] [2001:610:767:a3e6::1] in via tun0 (frag 0aff76e2:374@9856)
-
16:25:52.678106 IP6 2001:610:767:a3e6::1.46950 > 2001:4f8:0:2::19.53: 23941% [1au] AAAA? lists.isc.org. (42)
16:25:52.852379 IP6 2001:4f8:0:2::19 > 2001:610:767:a3e6::1: frag (1232|413)
16:25:52.853875 IP6 2001:4f8:0:2::19 > 2001:610:767:a3e6::1: frag (0|1232) 53 > 46950: 23941*- 2/5/13 AAAA 2001:4f8:0:2::23, RRSIG (1224)
16:25:52: ipfw: 1030 Deny UDP [2001:4f8:0:2::19] [2001:610:767:a3e6::1] in via tun0 (frag 088c183c:373@9856)
16:25:53.055634 IP6 2001:610:767:a3e6::1.43975 > 2001:4f8:0:2::19.53: 4754% [1au] AAAA? lists.isc.org. (42)
16:25:53.232676 IP6 2001:4f8:0:2::19.53 > 2001:610:767:a3e6::1.43975: 4754*- 2/5/10 AAAA 2001:4f8:0:2::23, RRSIG (1136)
16:26:52.829419 IP6 2001:610:767:a3e6::1 > 2001:4f8:0:2::19: ICMP6, time exceeded in-transit (reassembly), length 1240
-
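The post asks the reader to compare the tcpdump capture with the ipfw log by eye. The script below is an added example (not part of the post, and not an ipfw or FreeBSD tool) that does that correlation mechanically: it parses the tcpdump "frag (offset|length)" lines and the ipfw "(frag ident:len@off)" log records quoted above, matches them up, and reports per source/destination pair whether the first fragment (the only one carrying the UDP header) was seen, how many non-first fragments were denied, and whether the host later emitted the ICMP6 "time exceeded (reassembly)" message. Two relations are assumed, read off the numbers in the post rather than taken from ipfw documentation: the ipfw "@off" field is 8 times tcpdump's byte offset (1448 -> 11584, 1232 -> 9856), and the ipfw ":len" field is tcpdump's fragment length minus 40 (198 -> 158, 414 -> 374, 413 -> 373). The sample input is copied from the post's own log excerpt; the DNS query lines are omitted because they are not fragments and would be skipped anyway.

```python
import re

# Sample input: tcpdump and ipfw lines copied from the post above.
TCPDUMP = """\
16:24:03.381763 IP6 2001:500:2c::254 > 2001:610:767:a3e6::1: frag (1448|198)
16:24:03.520675 IP6 2001:500:71::30 > 2001:610:767:a3e6::1: frag (0|1232) 53 > 63213: 55996*- 2/5/13 AAAA 2001:4f8:0:2::13, RRSIG (1224)
16:24:03.521271 IP6 2001:500:71::30 > 2001:610:767:a3e6::1: frag (1232|414)
16:25:52.852379 IP6 2001:4f8:0:2::19 > 2001:610:767:a3e6::1: frag (1232|413)
16:25:52.853875 IP6 2001:4f8:0:2::19 > 2001:610:767:a3e6::1: frag (0|1232) 53 > 46950: 23941*- 2/5/13 AAAA 2001:4f8:0:2::23, RRSIG (1224)
16:26:52.829419 IP6 2001:610:767:a3e6::1 > 2001:4f8:0:2::19: ICMP6, time exceeded in-transit (reassembly), length 1240
"""

IPFW_LOG = """\
16:24:03: ipfw: 1030 Deny UDP [2001:500:2c::254] [2001:610:767:a3e6::1] in via tun0 (frag 02233bd1:158@11584)
16:24:03: ipfw: 1030 Deny UDP [2001:500:71::30] [2001:610:767:a3e6::1] in via tun0 (frag 0aff76e2:374@9856)
16:25:52: ipfw: 1030 Deny UDP [2001:4f8:0:2::19] [2001:610:767:a3e6::1] in via tun0 (frag 088c183c:373@9856)
"""

IP6 = r"[0-9a-fA-F:]+"
# tcpdump prints a fragment as "frag (byte_offset|fragment_length)".
FRAG_RE = re.compile(
    rf"^(?P<ts>\S+) IP6 (?P<src>{IP6}) > (?P<dst>{IP6}): frag \((?P<off>\d+)\|(?P<len>\d+)\)")
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP6 (?P<src>{IP6}) > (?P<dst>{IP6}): ICMP6, time exceeded in-transit \(reassembly\)")
# ipfw's IPv6 fragment suffix as it appears in the post: "(frag ident:len@off)".
IPFW_RE = re.compile(
    rf"^(?P<ts>\S+) ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    rf"\[(?P<src>{IP6})\] \[(?P<dst>{IP6})\] (?P<dir>\w+) via (?P<iface>\S+) "
    r"\(frag (?P<ident>[0-9a-fA-F]+):(?P<len>\d+)@(?P<off>\d+)[^)]*\)")


def parse_tcpdump(text):
    """Return (fragments, reassembly_timeouts) found in tcpdump output."""
    frags, timeouts = [], []
    for line in text.splitlines():
        m = FRAG_RE.match(line)
        if m:
            frags.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                          "off": int(m["off"]), "len": int(m["len"]),
                          "rule": None, "action": None, "ident": None})
            continue
        m = ICMP_RE.match(line)
        if m:
            timeouts.append((m["src"], m["dst"]))
    return frags, timeouts


def parse_ipfw(text):
    """Return the ipfw log records that carry a '(frag ident:len@off)' suffix."""
    out = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            out.append({"rule": int(m["rule"]), "action": m["action"],
                        "src": m["src"], "dst": m["dst"], "ident": m["ident"],
                        "len": int(m["len"]), "off": int(m["off"])})
    return out


def matches(frag, rec):
    # Assumed relations, read off the post's numbers (not from ipfw docs):
    # ipfw '@off' == 8 * tcpdump byte offset, ipfw ':len' == tcpdump length - 40.
    return ((frag["src"], frag["dst"]) == (rec["src"], rec["dst"])
            and rec["off"] == frag["off"] * 8
            and rec["len"] == frag["len"] - 40)


def analyze(tcpdump_text, ipfw_text):
    """Correlate fragments with ipfw records; summarize per (src, dst) pair."""
    frags, timeouts = parse_tcpdump(tcpdump_text)
    records = parse_ipfw(ipfw_text)
    for f in frags:
        for r in records:
            if matches(f, r):
                f["rule"], f["action"], f["ident"] = r["rule"], r["action"], r["ident"]
    report = {}
    for f in frags:
        key = (f["src"], f["dst"])
        entry = report.setdefault(key, {
            "fragments": 0, "first_fragment_seen": False, "denied_nonfirst": 0,
            "idents": set(),
            # The timeout is sent back from dst to src, so swap the pair.
            "reassembly_timeout": (f["dst"], f["src"]) in timeouts})
        entry["fragments"] += 1
        if f["off"] == 0:
            entry["first_fragment_seen"] = True   # carries the UDP header
        elif f["action"] == "Deny":
            entry["denied_nonfirst"] += 1          # no L4 header in this one
        if f["ident"]:
            entry["idents"].add(f["ident"])
    return report


if __name__ == "__main__":
    for (src, dst), e in analyze(TCPDUMP, IPFW_LOG).items():
        print(f"{src} -> {dst}: fragments={e['fragments']} "
              f"first_seen={e['first_fragment_seen']} denied_nonfirst={e['denied_nonfirst']} "
              f"idents={sorted(e['idents'])} reassembly_timeout={e['reassembly_timeout']}")
```

Run against the posted lines, the report shows that every ipfw denial lands on a non-first fragment (offset 1448 or 1232), that the offset-0 fragments were never logged by rule 1030, and that the one exchange whose fragment was dropped at 16:25:52 is followed a minute later by the reassembly timeout ICMP6. Feeding the script a longer capture and `ipfw -t list` style logs from the same window would make the same check routine when debugging fragment rules.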