Date:      Tue, 7 Jun 2011 15:50:57 -0400
From:      Gary Palmer <gpalmer@freebsd.org>
To:        freebsd-pf@freebsd.org
Subject:   IPv6 day, PF and IPv6 fragments
Message-ID:  <20110607195057.GA37735@in-addr.com>

Hi,

I noticed after running test-ipv6.com at home that I was getting

2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)

on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says

     Currently, only IPv4 fragments are supported and IPv6 fragments are
     blocked unconditionally.

Is this correct?  If so, what is the correct way of getting IPv6 fragmented
packets through a pf firewall, or which version of FreeBSD introduces a PF
version that natively handles IPv6 fragments?

Thanks,

Gary
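
Added example (not part of the original message and not FreeBSD project code): a small Python parser for pflog lines in the tcpdump text format quoted above, tallying blocked fragments per rule, interface and address pair. It assumes "frag (a|b)" means offset|length; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the two log lines quoted in the message (address redacted as <my IP>).
SAMPLE = """\
2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
"""

# Assumption: "frag (a|b)" is fragment offset | fragment payload length.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>.+?): frag \((?P<off>\d+)\|(?P<len>\d+)\)"
)

def blocked_fragments(text):
    """Collect (offset, length) of blocked fragments per (rule, ifname, src, dst)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["action"] == "block":
            key = (int(m["rule"]), m["ifname"], m["src"], m["dst"])
            groups[key].append((int(m["off"]), int(m["len"])))
    return dict(groups)

def summarize(groups):
    """One row per group: fragment count, bytes dropped, and whether the
    offsets form one gap-free run from 0 (a whole datagram was lost).
    The log text carries no fragment ID, so grouping is per address pair."""
    rows = []
    for (rule, ifname, src, dst), frags in sorted(groups.items()):
        end, contiguous = 0, True
        for off, length in sorted(frags):
            contiguous = contiguous and off == end
            end = off + length
        rows.append({
            "rule": rule, "if": ifname, "src": src, "dst": dst,
            "fragments": len(frags),
            "bytes": sum(length for _, length in frags),
            "contiguous_from_zero": contiguous,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(blocked_fragments(SAMPLE)):
        print(row)
```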
