Date: Thu, 24 Jul 2014 13:43:46 -0500
From: Mark Felder <feld@freebsd.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-current@freebsd.org, Allan Jude <allanjude@FreeBSD.org>
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <81B6EE28-692E-4AB4-A4EB-CC6338182D75@FreeBSD.org>
In-Reply-To: <C8E4B902-6D98-4A3D-8D32-E72666900054@lists.zabbadoz.net>
References: <201407231542.s6NFgX4M025370@slippy.cwsent.com>
 <50E4E363-B2C0-4ED7-A0C4-2D7C69FF15B2@lists.zabbadoz.net>
 <53D01DDD.8000806@freebsd.org>
 <C8E4B902-6D98-4A3D-8D32-E72666900054@lists.zabbadoz.net>
> On Jul 23, 2014, at 15:59, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
>
> There was (is?) another case that in certain situations with certain pf options IPv6/ULP packets would not pass or get corrupted. I think no one who experienced it ever tracked it down to the code, but I am sure there are PRs for this; best bet is that not all header sizes are equal and length/offsets into IPv6 packets are different to IPv4, especially when you scrub.
>
> scrub reassemble tcp breaks all ipv6 tcp traffic since FreeBSD 9.0.

Well, not entirely "breaks", but things seem to be going at the rate of a poor dialup connection. This is similar to what I've experienced with pf + TSO on Xen. Related? Possibly! I'd hazard a guess the reassembling of TCP on IPv6 is breaking checksums?

Upstream pf from OpenBSD has removed this feature entirely and (I believe) reworked their scrubbing, but I don't know the details. I can confirm that when reassemble tcp existed on OpenBSD it never broke traffic for me.

Synproxy and IPv6 was also broken last I knew. I can't remember the symptoms, but it was probably "nothing works". I recall synproxy has always been one of those "you're gonna shoot your eye out, kid" features, but some people have used it successfully.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?81B6EE28-692E-4AB4-A4EB-CC6338182D75>
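The two rule shapes the thread is talking about, written out as a pf.conf sketch. This is an illustration added here, not a configuration posted by either participant: the first (commented-out) form applies reassemble tcp and synproxy to every address family, which is the setting reported above as crippling IPv6 TCP on FreeBSD 9.x; the second keeps TCP normalisation and synproxy on inet (IPv4) only and leaves inet6 with the default fragment reassembly and plain stateful filtering. The interface name em0, the port, and the rule set around them are assumptions; the syntax is the FreeBSD 9/10 pf scrub grammar (address family before the host spec).

```pf
# Added illustration, not from the thread. Assumptions: external
# interface em0, FreeBSD 9.x/10.x pf with scrub rules, SSH as the
# example service.

ext_if = "em0"

# --- Reported-problematic form: TCP normalisation on all address families ---
# The thread reports that reassemble tcp on IPv6 drops throughput to
# dial-up speeds from FreeBSD 9.0 on, and that synproxy on inet6 rules
# did not work either. Kept here commented out for comparison only.
#
# scrub in on $ext_if all reassemble tcp no-df
# pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA synproxy state

# --- Restricted form: keep the suspect features on IPv4 only ---
# IPv4: fragment reassembly (default), TCP reassembly, clear the DF bit.
# no-df is meaningful on IPv4 only; IPv6 has no DF bit.
scrub in on $ext_if inet all reassemble tcp no-df

# IPv6: default fragment reassembly, no reassemble tcp.
scrub in on $ext_if inet6 all

block in log on $ext_if all

# IPv4 SSH behind synproxy.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 flags S/SA synproxy state

# IPv6 SSH with ordinary stateful filtering, no synproxy.
pass in on $ext_if inet6 proto tcp to ($ext_if) port 22 flags S/SA keep state

pass out on $ext_if all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a scrub line that combines an address family with reassemble tcp is accepted by this grammar, but a typo in the family keyword will be caught there rather than silently widening the rule to both families. To see whether a given box is affected, compare IPv6 TCP throughput through the firewall with the inet6 scrub line as above and with reassemble tcp added to it; the thread describes the difference as dial-up speed versus normal, so it is visible without any special tooling.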
