From owner-freebsd-bugs@FreeBSD.ORG Tue Jun 24 13:30:01 2008
Resent-Date: Tue, 24 Jun 2008 13:30:01 GMT
Resent-Message-Id: <200806241330.m5ODU1KI081530@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Lionel Fourquaux
Message-Id: <200806241326.m5ODQocM033437@www.freebsd.org>
Date: Tue, 24 Jun 2008 13:26:50 GMT
From: Lionel Fourquaux
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/124933: pf does not support (drops) IPv6 fragmented packets
List-Id: Bug reports

>Number:         124933
>Category:       kern
>Synopsis:       pf does not support (drops) IPv6 fragmented packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 24 13:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
pf does not support traffic normalization for IPv6 fragmented packets. Fragmented packets are dropped. As stated in pf.conf(5): "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally".

Since tunneled IPv6 connectivity ("tunnel brokers") often provides only the minimum MTU (1280), this means that it is impossible to set up tunnels or IPsec while using pf for filtering.

Some code for IPv6 traffic normalization was added years ago in the OpenBSD CVS (by itojun), but it was never completed and has been removed since. The comments show that there were some performance problems.
>How-To-Repeat:
Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel broker such as SixXS). Fragments can be generated using e.g. "ping -s 2000".
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
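To make concrete what the report is about, here is an added illustration (not code from the PR, from pf, or from any FreeBSD source) of what reaches a packet filter when an oversized ICMPv6 echo crosses a 1280-byte tunnel. It builds the 2008-byte ICMPv6 echo request that a ping with 2000 bytes of data produces (on FreeBSD 7 the IPv6 variant is ping6(8)), fragments it per RFC 2460 (Fragment extension header, next-header 44, offset in 8-octet units, M flag on every fragment but the last), shows that only the first fragment exposes the upper-layer header a stateless rule could match on, and then performs the reassembly that pf's IPv4-only `scrub` does and its IPv6 path at the time did not. The addresses are from the 2001:db8::/32 documentation prefix and the fragment identification value is an arbitrary constant; both are assumptions of this example.

```python
"""IPv6 fragmentation as a packet filter sees it (added example, not pf code)."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_FRAGMENT = 44      # IPv6 Fragment extension header
NH_ICMPV6 = 58
MIN_IPV6_MTU = 1280   # minimum link MTU IPv6 guarantees; what many tunnel brokers hand out

# Constructed documentation addresses (2001:db8::/32), not from the report.
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!IxxxB", len(icmp), NH_ICMPV6) + icmp
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, data_len, ident=0x1234, seq=1):
    """Unfragmented IPv6 packet: ICMPv6 echo request with data_len bytes of pattern data."""
    data = bytes(range(256)) * (data_len // 256) + bytes(range(data_len % 256))
    icmp = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), NH_ICMPV6, 64, src, dst)
    return hdr + icmp


def fragment(packet, mtu, frag_id=0xDEADBEEF):
    """Split a packet that has no extension headers into fragments fitting mtu (RFC 2460)."""
    first, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", packet[:IPV6_HDR_LEN])
    payload = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]
    if IPV6_HDR_LEN + plen <= mtu:
        return [packet]
    # Every fragment except the last must carry a multiple of 8 octets.
    chunk_max = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + chunk_max]
        more = 1 if offset + len(chunk) < len(payload) else 0
        frag_hdr = struct.pack("!BBHI", nh, 0, ((offset // 8) << 3) | more, frag_id)
        hdr = struct.pack("!IHBB16s16s", first, FRAG_HDR_LEN + len(chunk),
                          NH_FRAGMENT, hlim, src, dst)
        frags.append(hdr + frag_hdr + chunk)
        offset += len(chunk)
    return frags


def inspect(packet):
    """What a stateless filter can see: only the first fragment exposes the upper-layer protocol."""
    nh = packet[6]
    if nh != NH_FRAGMENT:
        return {"fragment": False, "upper_proto": nh}
    inner_nh, _, off_flags, frag_id = struct.unpack(
        "!BBHI", packet[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
    offset = off_flags >> 3
    return {"fragment": True, "id": frag_id, "offset": offset,   # offset in 8-octet units
            "more": bool(off_flags & 1),
            "upper_proto": inner_nh if offset == 0 else None}


def reassemble(frags):
    """Rebuild the original packet; raise if a piece is missing, overlapping or mis-flagged."""
    pieces = []
    for f in frags:
        info = inspect(f)
        if not info["fragment"]:
            return f
        pieces.append((info["offset"] * 8, info["more"], f[IPV6_HDR_LEN + FRAG_HDR_LEN:]))
    pieces.sort()
    payload, expect = b"", 0
    for i, (start, more, chunk) in enumerate(pieces):
        # Contiguous offsets, and M set on exactly the non-final pieces.
        if start != expect or more == (i == len(pieces) - 1):
            raise ValueError("missing, overlapping or mis-flagged fragment")
        payload += chunk
        expect += len(chunk)
    first, _, _, hlim, src, dst = struct.unpack("!IHBB16s16s", frags[0][:IPV6_HDR_LEN])
    inner_nh = frags[0][IPV6_HDR_LEN]
    return struct.pack("!IHBB16s16s", first, len(payload), inner_nh, hlim, src, dst) + payload


if __name__ == "__main__":
    pkt = build_echo_request(SRC, DST, 2000)     # 2008-byte ICMPv6 payload, 2048 on the wire
    for f in fragment(pkt, MIN_IPV6_MTU):
        print(len(f), inspect(f))
    assert reassemble(fragment(pkt, MIN_IPV6_MTU)) == pkt
```

Running it shows the second fragment (824 bytes, offset 154) carries no ICMPv6 header at all, so a rule written as `pass inet6 proto icmp6` cannot classify it; without reassembly the filter's only safe choices are to block it, which is the behaviour pf.conf(5) documents, or to let it through unexamined.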