Date: Wed, 09 Jul 2014 14:42:44 +0200
From: Mark Martinec <Mark.Martinec+freebsd@ijs.si>
To: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
Message-ID: <53BD38C4.4050100@ijs.si>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
References: <53BC717C.9080108@com.jkkn.dk>

On 2014-07-09 0:32, Kristian K. Nielsen wrote:
> f) IPv6 support? - it seems to be more and more challenged in the current
> version of pf in FreeBSD and I am (as well as others) introducing more
> and more IPv6 in networks.
> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
> which is the bug on not handling IPv6 fragments which has been open
> since 2008 and where the workaround is the necessity to leave an open hole
> in your firewall ruleset to allow all fragments. According to a comment in
> the bug, this has been long gone in OpenBSD.

The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.

Besides the long-standing bugs (like: scrub reassemble tcp breaks CRC
on IPv6), the following stands out:

- last time I looked, neither PF nor IPFW could be used on a FreeBSD
  kernel built WITHOUT_INET. This means that features like ssh-guard
  and per-application protection on a dedicated IPv6-only host
  are not available

- no support for IPv6 prefix translation, and no stateful NAT64 support

Then, unrelated to IPv6:

- no support for DSCP (the TOS byte includes ECN bits, hard to filter out)

- the new 'match' mechanism would be really nice to have

Mark