Date:      Tue, 24 Jun 2008 13:26:50 GMT
From:      Lionel Fourquaux <lionel.fourquaux+fbsdbug@normalesup.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/124933: pf does not support (drops) IPv6 fragmented packets
Message-ID:  <200806241326.m5ODQocM033437@www.freebsd.org>
Resent-Message-ID: <200806241330.m5ODU1KI081530@freefall.freebsd.org>


>Number:         124933
>Category:       kern
>Synopsis:       pf does not support (drops) IPv6 fragmented packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 24 13:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
pf does not support traffic normalization for IPv6 fragmented packets.  Fragmented packets are dropped.  As stated in pf.conf(5): "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally".
Since tunneled IPv6 connectivity ("tunnel brokers") often provides only the minimum MTU (1280), this means that it is impossible to set up tunnels or IPsec while using pf for filtering.
Some code for IPv6 traffic normalization was added years ago in the OpenBSD CVS (by itojun), but it was never completed and has been removed since.  The comments show that there were some performance problems.

>How-To-Repeat:
Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel broker such as SixXS).  Fragments can be generated using e.g. "ping -s 2000".

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
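
Added example, not part of the original report and not pf code: a Python sketch of how the 2000-byte echo request from How-To-Repeat splits on a 1280-byte MTU path, plus a parser that finds the Fragment header (next header 44) in a captured packet to confirm that the dropped traffic is fragments. It assumes `-s` counts ICMPv6 data bytes without the 8-byte ICMPv6 header; the function names, zeroed addresses and the identification value 0x1234 are constructed for illustration.

```python
import struct

IPV6_HDR_LEN, FRAG_HDR_LEN = 40, 8
NH_FRAGMENT, NH_ICMPV6 = 44, 58   # IPv6 next-header values
GENERIC_EXT = {0, 43, 60}         # hop-by-hop, routing, destination options


def fragment_plan(icmp_data_len, mtu=1280):
    """Return [(offset_bytes, data_len, more_flag)]; empty list if no fragmentation."""
    total = 8 + icmp_data_len                     # ICMPv6 header + data
    if IPV6_HDR_LEN + total <= mtu:
        return []
    # Fragment offsets are expressed in 8-octet units, so round the chunk down.
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    plan, off = [], 0
    while off < total:
        n = min(chunk, total - off)
        plan.append((off, n, off + n < total))
        off += n
    return plan


def build_fragment(off, data_len, more, ident=0x1234):
    """Build one constructed fragment: zero addresses, zero-filled data."""
    ip6 = struct.pack("!IHBB", 6 << 28, FRAG_HDR_LEN + data_len,
                      NH_FRAGMENT, 64) + bytes(32)
    # Fragment header: next header, reserved, 13-bit offset + 2 reserved + M, id
    frag = struct.pack("!BBHI", NH_ICMPV6, 0,
                       ((off // 8) << 3) | int(more), ident)
    return ip6 + frag + bytes(data_len)


def find_fragment_header(pkt):
    """Walk the extension header chain; return (offset_bytes, more, ident) or None."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, pos = pkt[6], IPV6_HDR_LEN
    while True:
        if nh == NH_FRAGMENT:
            if len(pkt) < pos + FRAG_HDR_LEN:
                raise ValueError("truncated fragment header")
            _, _, off_m, ident = struct.unpack_from("!BBHI", pkt, pos)
            return (off_m & 0xFFF8, bool(off_m & 1), ident)
        if nh not in GENERIC_EXT or len(pkt) < pos + 2:
            return None                           # upper layer reached, no fragment
        # Generic extension header: length is in 8-octet units, not counting the first.
        nh, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
```

For the reported case the plan is two packets of 1280 and 824 bytes, both of which carry a Fragment header and are therefore blocked by the pf behaviour quoted from pf.conf(5).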


