Date: Tue, 24 Jun 2008 15:10:05 GMT
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/124933: pf does not support (drops) IPv6 fragmented packets
Message-ID: <200806241510.m5OFA5EC000449@freefall.freebsd.org>

The following reply was made to PR kern/124933; it has been noted by GNATS.

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: bug-followup@FreeBSD.org, lionel.fourquaux+fbsdbug@normalesup.org
Cc:
Subject: Re: kern/124933: pf does not support (drops) IPv6 fragmented packets
Date: Tue, 24 Jun 2008 14:41:34 +0000 (UTC)

On Tue, 24 Jun 2008, Lionel Fourquaux wrote:

>
>> Number: 124933
>> Description:
> pf does not support traffic normalization for IPv6 fragmented packets. Fragmented packets are dropped. As stated in pf.conf(5): "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally".
> Since tunneled IPv6 connectivity ("tunnel brokers") often provide only the minimum MTU (1280), this means that it is impossible to set up tunnels or IPsec while using pf for filtering.

You can permit the firewall to unconditionally (not normalized) pass
the frags.

    pass in on <int> inet6 proto ipv6-frag all

To be honest I do not think this should be a FreeBSD PR but you might
be lucky as I heard someone read the source lately and cried... trying
to get closer to implement this feature.

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.