From: Mark Felder
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Thu, 24 Jul 2014 13:43:46 -0500
To: "Bjoern A. Zeeb"
Cc: freebsd-current@freebsd.org, Allan Jude
Message-Id: <81B6EE28-692E-4AB4-A4EB-CC6338182D75@FreeBSD.org>
References: <201407231542.s6NFgX4M025370@slippy.cwsent.com> <50E4E363-B2C0-4ED7-A0C4-2D7C69FF15B2@lists.zabbadoz.net> <53D01DDD.8000806@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

> On Jul 23, 2014, at 15:59, Bjoern A. Zeeb wrote:
>
> There was (is?) another case that in certain situations with certain pf options IPv6/ULP packets would not pass or get corrupted. I think no one who experienced it ever tracked it down to the code, but I am sure there are PRs for this; best bet is that not all header sizes are equal and length/offsets into IPv6 packets are different to IPv4, especially when you scrub.
>

scrub reassemble tcp breaks all IPv6 TCP traffic since FreeBSD 9.0. Well, not entirely "breaks", but things seem to be going at the rate of a poor dialup connection. This is similar to what I've experienced with pf + TSO on Xen. Related? Possibly! I'd hazard a guess the reassembling of TCP on IPv6 is breaking checksums?

Upstream pf from OpenBSD has removed this feature entirely and (I believe) reworked their scrubbing, but I don't know the details. I can confirm that when reassemble tcp existed on OpenBSD it never broke traffic for me.

Synproxy and IPv6 were also broken last I knew. I can't remember the symptoms, but it was probably "nothing works". I recall synproxy has always been one of those "you're gonna shoot your eye out, kid" features, but some people have used it successfully.
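As an added example, not taken from Mark's post or from the FreeBSD project: a pf.conf fragment that puts the configuration he describes next to a workaround that keeps TCP reassembly and synproxy on IPv4 only, so IPv6 flows are never run through the normalization he reports as slowing them to dialup speed. FreeBSD 9/10-era pf rule syntax is assumed; the interface name em0 and port 22 are placeholders.

```conf
# Added example (not from the thread). FreeBSD 9.x/10.x pf syntax assumed;
# "em0" and port 22 are placeholders.

# Before: one scrub rule normalizes every address family. Per the report
# above, "reassemble tcp" on IPv6 flows degrades them to dialup speed.
scrub in on em0 all reassemble tcp

# After: TCP sequence normalization for IPv4 only. IPv6 still gets
# fragment reassembly, but not the TCP reassembly suspected of producing
# bad checksums. Caveat: IPv6 TCP flows are then not normalized at all.
scrub in on em0 inet all reassemble tcp
scrub in on em0 inet6 all fragment reassemble

# synproxy was reported broken with IPv6 as well, so use it only on the
# IPv4 rule; the IPv6 rule falls back to plain stateful filtering.
pass in on em0 inet  proto tcp from any to any port 22 flags S/SA synproxy state
pass in on em0 inet6 proto tcp from any to any port 22 flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded) before loading it, then confirm the scrub rules actually in effect with `pfctl -s rules`.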