Date:      Wed, 13 Dec 2006 07:59:21 +0200
From:      John Hay <jhay@meraka.org.za>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw handling of ipv6 fragments
Message-ID:  <20061213055921.GA41325@zibbi.meraka.csir.co.za>

Hi,

We are trying out nat-pt here and it triggers lots of "IPFW2: IPV6 -
Invalid Fragment Header" messages. Our ipfw code seems to think that
one cannot have a fragment header on a packet that does not need to
be fragmented. Is there a reason for it? RFC2765 section 3 does say
one MUST use such a fragment header on all packets that go through
nat-pt and do not have the DF bit set.

So I have been running with that check removed. Does anyone have an
objection to me committing this?

Index: netinet/ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.106.2.23
diff -u -r1.106.2.23 ip_fw2.c
--- netinet/ip_fw2.c	20 Nov 2006 15:19:10 -0000	1.106.2.23
+++ netinet/ip_fw2.c	13 Dec 2006 05:40:36 -0000
@@ -2295,13 +2295,7 @@
 				 * fragment to be != 0. */
 				offset |= ((struct ip6_frag *)ulp)->ip6f_offlg &
 					IP6F_MORE_FRAG;
-				if (offset == 0) {
-					printf("IPFW2: IPV6 - Invalid Fragment "
-					    "Header\n");
-					if (fw_deny_unknown_exthdrs)
-					    return (IP_FW_DENY);
-					break;
-				}
+				/* According to RFC2765 3.1 offset can be 0 */
 				args->f_id.frag_id6 =
 				    ntohl(((struct ip6_frag *)ulp)->ip6f_ident);
 				ulp = NULL;
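
Review bot: Removing the whole `if (offset == 0)` block also removes the `fw_deny_unknown_exthdrs` deny path and the log line, so a fragment header with offset 0 and the more-fragments bit clear is now accepted silently for every configuration, not only for nat-pt traffic. If that is the intent, say so in the commit message and documentation; otherwise consider keeping the branch but making the deny decision configurable. The replacement comment is also imprecise: at this point `offset` already has `IP6F_MORE_FRAG` OR-ed in, so it should state that offset 0 with the M flag clear is valid, and the context comment above that ends "fragment to be != 0" should be reworded to match. The mail cites RFC2765 section 3 while the comment cites 3.1; use one reference.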

John
-- 
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org
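
To make the case discussed in this message concrete, here is an added example (not part of the original e-mail or of ip_fw2.c) that decodes the 8-byte IPv6 Fragment header and classifies it; offset 0 with the M flag clear is the case the removed check logged as invalid. The enum, function names and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative names, not taken from ip_fw2.c. */
enum frag_kind { FRAG_TRUNCATED, FRAG_ATOMIC, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST };

/* Identification field, bytes 4..7 of the header, network byte order. */
uint32_t frag_ident(const uint8_t *h)
{
    return ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) |
           ((uint32_t)h[6] << 8) | (uint32_t)h[7];
}

/* Classify an IPv6 Fragment header (8 bytes: next header, reserved,
 * 13-bit offset + 2 reserved bits + M flag, 32-bit identification). */
enum frag_kind classify_frag(const uint8_t *h, size_t len)
{
    if (h == NULL || len < 8)
        return FRAG_TRUNCATED;
    uint16_t offlg = (uint16_t)((h[2] << 8) | h[3]);
    uint16_t offset = offlg & 0xfff8;   /* fragment offset in bytes */
    int more = offlg & 0x0001;          /* M (more fragments) flag */

    if (offset == 0)                    /* M clear here: whole packet in one "fragment" */
        return more ? FRAG_FIRST : FRAG_ATOMIC;
    return more ? FRAG_MIDDLE : FRAG_LAST;
}

/* Constructed sample headers (next header 6 = TCP, made-up identification values). */
static const uint8_t ATOMIC_HDR[8] = { 6, 0, 0x00, 0x00, 0x00, 0x00, 0x30, 0x39 };
static const uint8_t FIRST_HDR[8]  = { 6, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t MIDDLE_HDR[8] = { 6, 0, 0x05, 0xa9, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t LAST_HDR[8]   = { 6, 0, 0x0b, 0x50, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    static const char *names[] = { "truncated", "atomic", "first", "middle", "last" };
    const uint8_t *samples[] = { ATOMIC_HDR, FIRST_HDR, MIDDLE_HDR, LAST_HDR };
    for (size_t i = 0; i < 4; i++)
        printf("id=0x%08x kind=%s\n", (unsigned)frag_ident(samples[i]),
               names[classify_frag(samples[i], 8)]);
    printf("short header: %s\n", names[classify_frag(ATOMIC_HDR, 4)]);
    return 0;
}
```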