IPv6 fragments
Freek Dijkstra
public at macfreek.nl
Thu Feb 9 21:44:03 UTC 2012
I wrote:
> I'm having trouble configuring ipfw to handle fragmented IPv6 packets.
[...]
> My second idea was to simply allow all fragments, and let the TCP stack
> figure it out. I used the following ruleset:
> ipfw add 1020 count log ipv6 from any to me recv tun0 frag
> ipfw add 1030 deny log ipv6 from any to me recv tun0
>
> Unfortunately, this still fails. Below is output of tcpdump and the ipfw
> log. As you can see rule 1020 is never matched.
>
> Why is rule 1020 never matched?
Oh bugger, it seems the problem was between keyboard and chair.
I tested this on a production machine, and moved some rule numbers.
Forgot that I had a skipto rule somewhere and did not update that rule
number...
Anyway, I'm still interested to hear how others handle fragmented IPv6
traffic (off-topic: any pointers to why it is fragmented are appreciated
too).
In particular, I'm still interested in these answers:
> Is there a bug report available for the reassembly bug, so I can track it?
> If not, where can I report it (presuming it is a bug of course)?
Regards,
Freek Dijkstra
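
Added example, not part of the original message or of ipfw itself: a small audit of `ipfw list` output that reports every `skipto` rule, whether a rule with the target number still exists, and which rules it jumps over, which is the kind of stale jump described above. The sample ruleset, including the `skipto` rule at 1000 and its target 1025, is constructed for illustration.

```python
import re

# Constructed sample in `ipfw list` style (not taken from the original post):
# rule 1000 still jumps to 1025, a number left over from before renumbering.
SAMPLE = """\
01000 skipto 1025 ip6 from any to me recv tun0
01020 count log ip6 from any to me recv tun0 frag
01030 deny log ip6 from any to me recv tun0
65535 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d{1,5})\s+(.*)$")
# Only numeric targets are audited; "skipto tablearg" is ignored.
SKIPTO_RE = re.compile(r"\bskipto\s+(\d+)\b")

def parse_rules(listing):
    """Return [(number, body)] sorted in the order ipfw evaluates them."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return sorted(rules, key=lambda r: r[0])

def audit_skipto(listing):
    """Report each skipto rule, whether its target exists, and what it bypasses."""
    rules = parse_rules(listing)
    numbers = sorted({n for n, _ in rules})
    findings = []
    for number, body in rules:
        m = SKIPTO_RE.search(body)
        if not m:
            continue
        target = int(m.group(1))
        # ipfw resumes at the first rule numbered >= target, so every rule
        # strictly between the skipto and its target is never evaluated
        # for packets that match the skipto rule.
        bypassed = [n for n in numbers if number < n < target]
        findings.append({"rule": number, "target": target,
                         "target_exists": target in numbers,
                         "bypassed": bypassed})
    return findings

if __name__ == "__main__":
    for f in audit_skipto(SAMPLE):
        note = "" if f["target_exists"] else " (no rule with that number, stale target?)"
        print(f"rule {f['rule']} skipto {f['target']}{note}; bypasses {f['bypassed']}")
```

Feed it the real output of `ipfw list` after any renumbering; a target that no longer exists or a bypassed list containing a rule you expected to match is worth a second look.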