Date: Sat, 20 Feb 2021 13:13:39 +0100 From: "Kristof Provost" <kp@FreeBSD.org> To: "Doug Hardie" <bc979@lafn.org> Cc: "net@freebsd.org" <net@FreeBSD.org> Subject: Re: IPv6 Fragmentation Message-ID: <DE246A9E-E931-4870-8EDB-AD5F9FBC7574@FreeBSD.org> In-Reply-To: <A01F640F-E412-474C-A34C-19B7219BD84D@sermon-archive.info> References: <CB0FB5AB-5A37-4C40-A103-3E0D97CEA6B9@sermon-archive.info> <472A2B49-9BEC-4335-B6FB-AC4DAA0F0310@lurchi.franken.de> <A01F640F-E412-474C-A34C-19B7219BD84D@sermon-archive.info>
next in thread | previous in thread | raw e-mail | index | archive | help
On 20 Feb 2021, at 5:32, Doug Hardie wrote: >> On 19 February 2021, at 01:48, Michael Tuexen >> <michael.tuexen@lurchi.franken.de> wrote: >> >>> On 19. Feb 2021, at 03:29, Doug Hardie <bc979@lafn.org> wrote: >>> >>> I don't know if this is a feature or a bug. On FreeBSD 9, the >>> following ping worked: >>> >>> ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0 >> I don't have a dc0 interface, but using re0 at one side and bge at >> the other, I get >> with FreeBSD CURRENT: >> tuexen@cirrus:~ % ping6 -s 5000 -b 6000 fe80::2e09:4dff:fe00:c00%re0 >> PING6(5048=40+8+5000 bytes) fe80::aaa1:59ff:fe0c:da92%re0 --> >> fe80::2e09:4dff:fe00:c00%re0 >> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=0 hlim=255 >> time=0.393 ms >> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=1 hlim=255 >> time=0.419 ms >> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=2 hlim=255 >> time=0.354 ms >> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=3 hlim=255 >> time=0.446 ms >> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=4 hlim=255 >> time=0.421 ms >> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=5 hlim=255 >> time=0.372 ms >> ^C >> --- fe80::2e09:4dff:fe00:c00%re0 ping6 statistics --- >> 6 packets transmitted, 6 packets received, 0.0% packet loss >> round-trip min/avg/max/std-dev = 0.354/0.401/0.446/0.031 ms >> >> Best regards >> Michael >>> >>> It had to be stopped, but it returned the number of ping responses >>> received along with statistics. >>> >>> With FreeBSD 12.2 and 13.0-BETA2, it returns 100% packet loss. >>> tcpdump shows that it properly fragments the data, sends it, the >>> other end receives it and sends back the ACKs. The ACKs are >>> received, but somehow ping doesn't find out that the packets were >>> received. >>> >>> Without the -s and -b arguments, it works and you get 100% packets >>> received. > > I found the problem. pf does not handle IPv6 packets that are > fragmented the obvious way. I suspect it is because icmp header is > only in the first fragment. I had to reassemble fragments in pf in > order to make the large pings work. > If you don’t have `scrub fragment reassemble` set then you have to include something like `pass log inet6 proto ipv6-frag all` to pass fragmented packets (assuming you block by default). You really, really want `scrub fragment reassemble` because otherwise your firewall can be trivially bypassed, but you need one of the two for fragmented packets to work. Best regards, Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DE246A9E-E931-4870-8EDB-AD5F9FBC7574>