From: László Károlyi <laszlo@karolyi.hu>
Date: Sun, 1 Sep 2019 11:31:57 +0200
Subject: Re: PF and IPv6 UDP fragmented packets
To: Kristof Provost
Cc: freebsd-bugs@freebsd.org

Hi,

can I get an explanation/argument as to why, and what implications it has when I don't enable it?

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2019-08-31 23:10, Kristof Provost wrote:
> On 2019-08-31 22:42:59 (+0200), László Károlyi wrote:
>> Hey,
>>
>> I've installed unbound into a jail to use it as a nameserver. After
>> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
>> saw PF dropping the UDP fragment packages arriving to and from my jail.
>> According to the pf.conf readme, the IP header of the fragmented packets
>> still contain the protocol type (TCP/UDP), but not the port number. I
>> hope it's not a documentation bug.
>>
> You really, really want to have pf reassemble packets prior to
> filtering.
> Use 'scrub all fragment reassemble'.
>
> Regards,
> Kristof
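
Added example, not part of the original email thread: a Python sketch of what a per-packet filter can read from each IPv6 fragment of a UDP datagram, compared with what it can read after reassembly, which is the effect of the 'scrub all fragment reassemble' advice quoted above. The addresses, ports, datagram size and function names are constructed for illustration.

```python
import struct

UDP, FRAG = 17, 44  # IPv6 Next Header values: UDP, Fragment extension header

def ipv6_header(payload_len, next_header):
    # Fixed 40-byte IPv6 header; addresses are constructed documentation values.
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000053")
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst

def fragment(udp_datagram, chunk, ident=0x1234):
    """Split one UDP datagram into IPv6 fragments (chunk must be a multiple of 8)."""
    packets = []
    for off in range(0, len(udp_datagram), chunk):
        part = udp_datagram[off:off + chunk]
        more = 1 if off + chunk < len(udp_datagram) else 0
        # Fragment header: next header, reserved, (offset in 8-byte units << 3) | M, id
        fh = struct.pack("!BBHI", UDP, 0, (off // 8) << 3 | more, ident)
        packets.append(ipv6_header(len(fh) + len(part), FRAG) + fh + part)
    return packets

def inspect(packet):
    """What a per-packet filter can read: (upper protocol, UDP dst port or None)."""
    next_header = packet[6]
    if next_header == UDP:                        # unfragmented: UDP header at byte 40
        return UDP, struct.unpack("!H", packet[42:44])[0]
    if next_header != FRAG:
        return next_header, None
    proto, _, off_flags, _ = struct.unpack("!BBHI", packet[40:48])
    if off_flags >> 3 == 0 and proto == UDP:      # only the first fragment has the ports
        return proto, struct.unpack("!H", packet[50:52])[0]
    return proto, None                            # later fragments: payload bytes only

def reassemble(packets):
    """Rebuild the unfragmented packet, as a filter sees it after reassembly."""
    parts = {}
    for p in packets:
        off_flags = struct.unpack("!H", p[42:44])[0]
        parts[(off_flags >> 3) * 8] = p[48:]
    data = b"".join(parts[k] for k in sorted(parts))
    return ipv6_header(len(data), UDP) + data

def constructed_dns_reply(size=2000):
    # Constructed datagram: UDP 53 -> 40000, checksum not computed, zero filler.
    return struct.pack("!HHHH", 53, 40000, size, 0) + b"\x00" * (size - 8)

if __name__ == "__main__":
    frags = fragment(constructed_dns_reply(), 1232)
    print([inspect(f) for f in frags], inspect(reassemble(frags)))
```

The second fragment yields a protocol but no port, so a rule keyed on a UDP port has nothing to compare against until the datagram is reassembled.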