From owner-freebsd-pf@FreeBSD.ORG  Tue Jun  7 19:51:01 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 007491065670;
	Tue,  7 Jun 2011 19:51:01 +0000 (UTC)
	(envelope-from gpalmer@freebsd.org)
Received: from noop.in-addr.com (mail.in-addr.com [IPv6:2001:470:8:162::1])
	by mx1.freebsd.org (Postfix) with ESMTP id CD2C98FC0A;
	Tue,  7 Jun 2011 19:51:00 +0000 (UTC)
Received: from gjp by noop.in-addr.com with local (Exim 4.76 (FreeBSD))
	(envelope-from <gpalmer@freebsd.org>)
	id 1QU2Ik-0001E5-1b; Tue, 07 Jun 2011 15:50:58 -0400
Date: Tue, 7 Jun 2011 15:50:57 -0400
From: Gary Palmer <gpalmer@freebsd.org>
To: freebsd-pf@freebsd.org
Message-ID: <20110607195057.GA37735@in-addr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: gpalmer@freebsd.org
X-SA-Exim-Scanned: No (on noop.in-addr.com); SAEximRunCond expanded to false
Subject: IPv6 day, PF and IPv6 fragments
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2011 19:51:01 -0000

Hi,

I noticed after running test-ipv6.com at home that I was getting

2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)

on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says

     Currently, only IPv4 fragments are supported and IPv6 fragments are
     blocked unconditionally.

Is this correct?  If so, what is the correct way of getting IPv6 fragmented
packets through a pf firewall, or which version of FreeBSD introduces a PF
version that natively handles IPv6 fragments?

Thanks,

Gary