IPFW and IPv6 packets with fragment header and last frag only

sthaug at nethelp.no
Sun Feb 6 16:48:46 UTC 2011


IPFW incorrectly handles IPv6 packets with a fragment header followed
by a last fragment only (i.e. the fragment header has fragment offset
= 0 and M bit = 0). Such packets are allowed by RFC 2460.

The problem is well described in kern/145733 from 16. April 2010, but
nothing seems to have happened with this PR so far. 

I see the effects of this problem on several name servers which handle
IPv6 traffic. One typical example is

15:49:26.408456 IP6 2001:1a68::d911:210a > 2001:8c0:2001::3:53: frag (0|50) 50017 > 53: 38139% [1au] AAAA? dns1.eunet.no. (42)
        0x0000:  6008 f572 003a 2c36 2001 1a68 0000 0000  `..r.:,6...h....
        0x0010:  0000 0000 d911 210a 2001 08c0 2001 0000  ......!.........
        0x0020:  0000 0000 0003 0053 1100 0000 a977 6460  .......S.....wd`
        0x0030:  c361 0035 0032 21f6 94fb 0010 0001 0000  .a.5.2!.........
        0x0040:  0000 0001 0464 6e73 3105 6575 6e65 7402  .....dns1.eunet.
        0x0050:  6e6f 0000 1c00 0100 0029 1000 0000 8000  no.......)......
        0x0060:  0000                                     ..

which results in the following log entry:

Feb  6 15:49:26 dns1 kernel: IPFW2: IPV6 - Invalid Fragment Header

and then the packet is dropped, even though the packet is perfectly
valid. The logs on my name servers are getting filled with these error
messages...

Does anybody have an idea of whether the patch in kern/145733 will be
incorporated into ip_fw2.c any time soon?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
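
Decoding the first bytes of the packet dumped above shows why it is valid: the fragment header carries offset 0 with M = 0, and the UDP header is present right behind it. This is an added example, not part of the original post and not code from ip_fw2.c or kern/145733; `strict_rejects` is a hypothetical stand-in for a check that treats this case as invalid, and the parser assumes the fragment header directly follows the base IPv6 header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 52 bytes of the packet dumped in the post: IPv6 header (40),
 * fragment header (8), UDP source and destination ports (4). */
static const uint8_t pkt[52] = {
    0x60,0x08,0xf5,0x72,0x00,0x3a,0x2c,0x36,0x20,0x01,0x1a,0x68,0,0,0,0,
    0,0,0,0,0xd9,0x11,0x21,0x0a,0x20,0x01,0x08,0xc0,0x20,0x01,0,0,
    0,0,0,0,0x00,0x03,0x00,0x53,0x11,0x00,0x00,0x00,0xa9,0x77,0x64,0x60,
    0xc3,0x61,0x00,0x35
};

/* FRAG_WHOLE: offset 0 and M = 0, i.e. the whole packet in one fragment. */
enum frag_kind { FRAG_NONE, FRAG_WHOLE, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST, FRAG_SHORT };

/* Classify the fragment header; *next_hdr receives the protocol that follows. */
enum frag_kind classify_frag(const uint8_t *p, size_t len, uint8_t *next_hdr)
{
    if (len < 40) return FRAG_SHORT;
    *next_hdr = p[6];
    if (p[6] != 44) return FRAG_NONE;          /* 44 = Fragment header */
    if (len < 48) return FRAG_SHORT;
    uint16_t offlg = (uint16_t)((p[42] << 8) | p[43]);
    int off = offlg & 0xfff8;                  /* 13-bit offset, as bytes */
    int more = offlg & 0x0001;                 /* M bit */
    *next_hdr = p[40];
    if (off == 0) return more ? FRAG_FIRST : FRAG_WHOLE;
    return more ? FRAG_MIDDLE : FRAG_LAST;
}

/* Hypothetical strict check: flags offset 0 with M clear as invalid. */
int strict_rejects(enum frag_kind k) { return k == FRAG_WHOLE; }

/* UDP destination port if the upper-layer header is in this packet, else -1. */
int udp_dport(const uint8_t *p, size_t len)
{
    uint8_t nh;
    enum frag_kind k = classify_frag(p, len, &nh);
    size_t ulp = (k == FRAG_NONE) ? 40 : 48;
    if (k == FRAG_MIDDLE || k == FRAG_LAST || k == FRAG_SHORT) return -1;
    if (nh != 17 || len < ulp + 4) return -1;  /* 17 = UDP */
    return (p[ulp + 2] << 8) | p[ulp + 3];
}

int main(void)
{
    uint8_t nh;
    printf("kind=%d dport=%d\n", classify_frag(pkt, sizeof pkt, &nh), udp_dport(pkt, sizeof pkt));
    return 0;
}
```

A filter that handles the `FRAG_WHOLE` case like an unfragmented packet can still match on the upper-layer ports, here UDP destination port 53.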

