PF IPv6 fragment support
Rainer Bredehorn
Bredehorn at gmx.de
Sat Apr 27 15:56:22 UTC 2013
Hi Jason!
On 27.04.2013 03:39, Jason Fesler wrote:
> On Fri, Apr 26, 2013 at 1:26 AM, Rainer Bredehorn <Bredehorn at gmx.de> wrote:
>> I've modified the kernel PF implementation to pass IPv6 fragments.
>> The first fragment is handled by the PF rules of course ignoring possible checksums.
>
> Are you checking L4 before passing/not passing? What if the L4 header
> is fragmented?
Yes, when the L4 header is present it can be checked statefully. A
fragment offset of zero indicates the presence of the upper layer header.
A fragmented upper layer header is a problem. I think that could only be
solved when the packets are reassembled.
In my case it is not a big problem because I did some other modification
like limiting the allowed number of extension headers.
So a fragmented upper layer header should be a rare case.
>> All other fragments are passed by PF to the IP stack.
>> This can be done statefully but reassembling fragments is not supported.
>
> Reassembling packets will allow full L4 checking.
Correct but it didn't work for IPv6 in FreeBSD 8.3.
Reassembling is not my favorite. I don't want to buffer network packets
due to performance reasons.
Rainer.
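As an added illustration of the distinction drawn above (not code from Rainer's patch or from PF itself), the following C function walks an IPv6 header chain to the Fragment header and reports whether a packet is unfragmented, a first fragment carrying a complete L4 header, a first fragment whose L4 header is itself cut off, or a non-first fragment. The `classify_sample` packet builder, the enum names and the cap of three extension headers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of the first-fragment check: FRAG_FIRST_L4_OK can be matched statefully,
   FRAG_FIRST_L4_SPLIT is the "fragmented upper layer header" problem case,
   FRAG_NONFIRST carries no L4 header at all (only reassembly could inspect it). */
enum frag_class { FRAG_NONE, FRAG_FIRST_L4_OK, FRAG_FIRST_L4_SPLIT, FRAG_NONFIRST, FRAG_MALFORMED };

/* Bytes of L4 header needed to read ports/type (TCP 20, UDP/ICMPv6 8). */
static size_t l4_min_len(uint8_t proto) {
    return proto == 6 ? 20 : (proto == 17 || proto == 58) ? 8 : 0;
}

enum frag_class classify_ipv6(const uint8_t *pkt, size_t len) {
    if (len < 40 || (pkt[0] >> 4) != 6) return FRAG_MALFORMED;
    uint8_t nh = pkt[6];
    size_t off = 40; int ext = 0;
    /* Walk Hop-by-Hop (0), Routing (43), Destination (60) headers; the cap of 3
       is an assumed local limit in the spirit of the one mentioned in the mail. */
    while (nh == 0 || nh == 43 || nh == 60) {
        if (off + 8 > len || ++ext > 3) return FRAG_MALFORMED;
        nh = pkt[off];
        off += ((size_t)pkt[off + 1] + 1) * 8;
    }
    if (nh != 44)                                   /* no Fragment header (44) */
        return off + l4_min_len(nh) <= len ? FRAG_NONE : FRAG_MALFORMED;
    if (off + 8 > len) return FRAG_MALFORMED;
    uint8_t inner = pkt[off];                       /* header that follows the fragment */
    uint16_t fo = (uint16_t)(((pkt[off + 2] << 8) | pkt[off + 3]) >> 3); /* 8-byte units */
    off += 8;
    if (fo != 0) return FRAG_NONFIRST;
    return off + l4_min_len(inner) <= len ? FRAG_FIRST_L4_OK : FRAG_FIRST_L4_SPLIT;
}

/* Constructed sample: IPv6 [+ Fragment header] + the first tcp_bytes of a TCP
   header. Addresses are left zero; the check does not read them. */
enum frag_class classify_sample(int fragmented, uint16_t frag_off_units, size_t tcp_bytes) {
    uint8_t pkt[128] = {0};
    size_t off = 40;
    pkt[0] = 0x60;                                  /* version 6 */
    pkt[6] = fragmented ? 44 : 6;                   /* next header */
    if (fragmented) {
        pkt[40] = 6;                                /* fragment's next header: TCP */
        pkt[42] = (uint8_t)(frag_off_units >> 5);   /* offset field is offset << 3 */
        pkt[43] = (uint8_t)(frag_off_units << 3);
        off += 8;
    }
    if (off + tcp_bytes > sizeof pkt) return FRAG_MALFORMED;
    pkt[4] = (uint8_t)((off + tcp_bytes - 40) >> 8); pkt[5] = (uint8_t)(off + tcp_bytes - 40);
    return classify_ipv6(pkt, off + tcp_bytes);
}
```

A first fragment that ends after only 8 bytes of TCP header shows the ports but not the flags, which is why it is reported as split rather than inspectable.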