Date: Sat, 27 Apr 2013 17:56:19 +0200
From: Rainer Bredehorn <Bredehorn@gmx.de>
To: Jason Fesler <jfesler@gigo.com>, freebsd-net@FreeBSD.org
Subject: Re: PF IPv6 fragment support
Message-ID: <517BF523.6010804@gmx.de>
In-Reply-To: <CADCiYHAQ5zbUMb=uAyJQGzvyCM=wCKOL9m0DqWzRM5Zb5%2BkyCg@mail.gmail.com>
References: <trinity-75812dac-8a1d-46c5-90ed-128ee2e785cc-1366357308687@3capp-gmx-bs49> <trinity-ec81fa0c-6719-4f11-a69f-f1230649794e-1366964770102@3capp-gmx-bs46> <CADCiYHAQ5zbUMb=uAyJQGzvyCM=wCKOL9m0DqWzRM5Zb5%2BkyCg@mail.gmail.com>
Hi Jason!

On 27.04.2013 03:39, Jason Fesler wrote:
> On Fri, Apr 26, 2013 at 1:26 AM, Rainer Bredehorn <Bredehorn@gmx.de> wrote:
>> I've modified the kernel PF implementation to pass IPv6 fragments.
>> The first fragment is handled by the PF rules of course ignoring possible checksums.
>
> Are you checking L4 before passing/not passing? What if the L4 header
> is fragmented?

Yes, when the L4 header is present it can be checked statefully. A fragment offset of zero indicates the presence of the upper layer header. A fragmented upper layer header is a problem. I think that could only be solved when the packets are reassembled. In my case it is not a big problem because I did some other modifications like limiting the allowed number of extension headers. So a fragmented upper layer header should be a rare case.

>> All other fragments are passed by PF to the IP stack.
>> This can be done statefully but reassembling fragments is not supported.
>
> Reassembling packets will allow full L4 checking.

Correct, but it didn't work for IPv6 in FreeBSD 8.3. Reassembling is not my favorite. I don't want to buffer network packets due to performance reasons.

Rainer.
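Added example, not part of the thread and not code from Rainer's PF modification or from FreeBSD: a small C walker over the IPv6 extension-header chain that applies the two rules discussed above, a fragment offset of zero marks the fragment that should carry the upper-layer header (so its L4 header can be inspected), and a cap on the number of extension headers bounds how far the L4 header can be pushed back. It also reports the case the thread calls a problem, an offset-zero fragment whose L4 header does not fit in the fragment. The packets are constructed inline (all-zero addresses, dummy TCP bytes) and the function and enum names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP6_HDR_LEN  40
#define IP6_FRAG_LEN 8

/* Classification a filter could act on (names are this example's own). */
enum frag_class {
    IP6_NOT_FRAGMENT,      /* no Fragment header, L4 header present and checkable */
    IP6_FIRST_FRAG_L4_OK,  /* offset 0 and the whole L4 header is in this fragment */
    IP6_FIRST_FRAG_L4_CUT, /* offset 0 but the L4 header itself is fragmented */
    IP6_NONFIRST_FRAG,     /* offset > 0: no L4 header here, only stateful pass possible */
    IP6_TOO_MANY_EXT,      /* extension-header chain exceeds the policy limit */
    IP6_MALFORMED          /* truncated or inconsistent lengths */
};

/* Minimum bytes needed to inspect the L4 header of a given protocol. */
static size_t l4_min_len(uint8_t proto) {
    switch (proto) {
    case 6:  return 20; /* TCP */
    case 17: return 8;  /* UDP */
    case 58: return 4;  /* ICMPv6 type, code, checksum */
    default: return 0;  /* unknown protocol: nothing we know how to inspect */
    }
}

/* Walk Hop-by-Hop (0), Routing (43), Fragment (44) and Destination Options (60)
 * headers; stop at the first transport protocol. AH/ESP are not handled here. */
enum frag_class classify_ip6(const uint8_t *pkt, size_t len, int max_ext) {
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6) return IP6_MALFORMED;
    size_t end = IP6_HDR_LEN + (((size_t)pkt[4] << 8) | pkt[5]); /* payload length */
    if (end > len) return IP6_MALFORMED;                         /* truncated on the wire */
    uint8_t nh = pkt[6];
    size_t off = IP6_HDR_LEN;
    int ext = 0, fragmented = 0;
    for (;;) {
        switch (nh) {
        case 0: case 43: case 60: {
            if (off + 2 > end) return IP6_MALFORMED;
            if (++ext > max_ext) return IP6_TOO_MANY_EXT;
            size_t hl = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len in 8-octet units */
            nh = pkt[off];
            off += hl;
            if (off > end) return IP6_MALFORMED;
            break;
        }
        case 44: {
            if (off + IP6_FRAG_LEN > end) return IP6_MALFORMED;
            if (++ext > max_ext) return IP6_TOO_MANY_EXT;
            unsigned fo = (((unsigned)pkt[off + 2] << 8) | pkt[off + 3]) >> 3; /* 13-bit offset */
            nh = pkt[off];
            off += IP6_FRAG_LEN;
            if (fo != 0) return IP6_NONFIRST_FRAG; /* only payload follows, no L4 header */
            fragmented = 1;                        /* offset 0: the L4 header should be here */
            break;
        }
        default: {
            size_t need = l4_min_len(nh);
            if (off + need > end) return fragmented ? IP6_FIRST_FRAG_L4_CUT : IP6_MALFORMED;
            return fragmented ? IP6_FIRST_FRAG_L4_OK : IP6_NOT_FRAGMENT;
        }
        }
    }
}

/* Constructed sample packet (not a capture): IPv6 header, n_dst Destination
 * Options headers (8 bytes each, PadN), an optional Fragment header when
 * frag_off >= 0 (in 8-octet units, M=1), then l4_bytes of a zeroed TCP header. */
size_t build_ip6(uint8_t *buf, size_t cap, int n_dst, int frag_off, size_t l4_bytes) {
    size_t need = IP6_HDR_LEN + 8 * (size_t)n_dst + (frag_off >= 0 ? IP6_FRAG_LEN : 0) + l4_bytes;
    if (need > cap) return 0;
    memset(buf, 0, need);                 /* src/dst stay ::, fine for a constructed sample */
    buf[0] = 0x60;                        /* version 6 */
    size_t plen = need - IP6_HDR_LEN;
    buf[4] = (uint8_t)(plen >> 8); buf[5] = (uint8_t)(plen & 0xff);
    buf[7] = 64;                          /* hop limit */
    uint8_t *nhp = &buf[6];               /* where the next header number goes */
    size_t off = IP6_HDR_LEN;
    for (int i = 0; i < n_dst; i++) {
        *nhp = 60;
        buf[off + 1] = 0;                 /* Hdr Ext Len 0 = 8 bytes total */
        buf[off + 2] = 1; buf[off + 3] = 4; /* PadN option covering the rest */
        nhp = &buf[off];
        off += 8;
    }
    if (frag_off >= 0) {
        *nhp = 44;
        unsigned v = ((unsigned)frag_off << 3) | 1; /* offset field, M flag set */
        buf[off + 2] = (uint8_t)(v >> 8); buf[off + 3] = (uint8_t)(v & 0xff);
        buf[off + 7] = 0x2a;              /* identification, arbitrary */
        nhp = &buf[off];
        off += IP6_FRAG_LEN;
    }
    *nhp = 6;                             /* TCP */
    return need;
}

/* Build a sample and classify it under a given extension-header limit. */
enum frag_class demo(int n_dst, int frag_off, size_t l4_bytes, int max_ext) {
    uint8_t buf[256];
    size_t n = build_ip6(buf, sizeof buf, n_dst, frag_off, l4_bytes);
    return n ? classify_ip6(buf, n, max_ext) : IP6_MALFORMED;
}

/* Same first fragment, but 10 bytes short of its declared payload length. */
enum frag_class demo_truncated(void) {
    uint8_t buf[256];
    size_t n = build_ip6(buf, sizeof buf, 0, 0, 20);
    return classify_ip6(buf, n - 10, 4);
}

int main(void) {
    printf("plain TCP: %d\n", demo(0, -1, 20, 4));
    printf("first fragment, full TCP header: %d\n", demo(0, 0, 20, 4));
    printf("first fragment, TCP header cut: %d\n", demo(0, 0, 8, 4));
    printf("later fragment (offset 1480): %d\n", demo(0, 185, 20, 4));
    printf("five Destination Options headers, limit 4: %d\n", demo(5, 0, 20, 4));
    return 0;
}
```

The last two cases are the ones the message relies on: with the extension-header count capped, the L4 header of an offset-zero fragment can only be pushed past the fragment boundary by a sender deliberately padding the unfragmentable part, and such a packet is reported as `IP6_FIRST_FRAG_L4_CUT` rather than silently treated as inspectable.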