kern/124933: pf does not support (drops) IPv6 fragmented packets

Lionel Fourquaux lionel.fourquaux+fbsdbug at normalesup.org
Tue Jun 24 13:30:01 UTC 2008


>Number:         124933
>Category:       kern
>Synopsis:       pf does not support (drops) IPv6 fragmented packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 24 13:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
pf does not support traffic normalization for IPv6 fragmented packets.  Fragmented packets are dropped.  As stated in pf.conf(5): "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally".
Since tunneled IPv6 connectivity ("tunnel brokers") often provide only the minimum MTU (1280), this means that it is impossible to set up tunnels or IPsec while using pf for filtering.
Some code for IPv6 traffic normalization was added years ago in the OpenBSD CVS (by itojun), but it was never completed and has been removed since.  The comments show that there were some performance problems.

>How-To-Repeat:
Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel broker such as SixXS).  Fragments can be generated using e.g. "ping -s 2000".

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
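Added example, not part of the PR and not pf's code: it builds the IPv6 fragments that "ping -s 2000" produces on a 1280-byte path MTU, walks the extension-header chain to find the Fragment header, applies the policy the report quotes from pf.conf(5) (every IPv6 fragment blocked, whatever the rules say), and shows the reassembly step that scrub performs for IPv4 and that is missing for IPv6. The endpoint addresses and fragment identification are made-up values; pf_70_verdict models only the quoted sentence, not pf's implementation; reassemble() assumes the Fragment header directly follows the IPv6 header.

```python
"""Added example (not from the PR or from pf): IPv6 fragmentation of a large
ICMPv6 echo request at a 1280-byte MTU, the header walk that spots a
fragment, the "block every IPv6 fragment" policy quoted from pf.conf(5),
and the reassembly that IPv4 scrub does but IPv6 lacked on this release.
Standard library only; addresses and the fragment ID are made-up values."""
import struct
import ipaddress

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_FRAGMENT = 44              # Fragment extension header
NH_ICMPV6 = 58
CHAINED_EXT = {0, 43, 60}     # hop-by-hop, routing, destination options

SRC = ipaddress.IPv6Address("2001:db8::1").packed   # made-up endpoints
DST = ipaddress.IPv6Address("2001:db8::2").packed


def ipv6_header(src, dst, payload_len, next_hdr, hop_limit=64):
    """Fixed 40-byte IPv6 header; src/dst are 16-byte packed addresses."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit) + src + dst


def icmpv6_echo_request(data, ident=0x1234, seq=1):
    """Type 128 / code 0; checksum left zero since nothing verifies it here."""
    return struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data


def fragment(upper, next_hdr, mtu, frag_id):
    """Split per RFC 8200 s.4.5 (no extension headers before the fragment header)."""
    whole = ipv6_header(SRC, DST, len(upper), next_hdr) + upper
    if len(whole) <= mtu:
        return [whole]
    per_frag = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7   # offsets count 8-octet units
    frags = []
    for off in range(0, len(upper), per_frag):
        chunk = upper[off:off + per_frag]
        more = 1 if off + per_frag < len(upper) else 0
        frag_hdr = struct.pack("!BBHI", next_hdr, 0, ((off // 8) << 3) | more, frag_id)
        frags.append(ipv6_header(SRC, DST, FRAG_HDR_LEN + len(chunk), NH_FRAGMENT)
                     + frag_hdr + chunk)
    return frags


def find_fragment_header(pkt):
    """Walk the extension-header chain; return (byte offset, more_flag) or None."""
    nh, pos = pkt[6], IPV6_HDR_LEN
    while nh in CHAINED_EXT:
        nh, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8   # Hdr Ext Len excludes first 8 octets
    if nh != NH_FRAGMENT:
        return None
    off_flags = struct.unpack_from("!H", pkt, pos + 2)[0]
    return (off_flags >> 3) * 8, bool(off_flags & 1)


def pf_70_verdict(pkt):
    """Models only the sentence quoted from pf.conf(5): IPv6 fragments are
    blocked unconditionally; everything else is left to the rule set ("pass")."""
    return "block" if find_fragment_header(pkt) is not None else "pass"


def reassemble(frags):
    """What IPv4 scrub does and what was missing for IPv6: rebuild one packet
    from its fragments, rejecting gaps and overlaps. Assumes the Fragment
    header immediately follows the IPv6 header (true for fragment() output)."""
    if not frags:
        raise ValueError("no fragments")
    pieces = []
    for p in frags:
        next_hdr, _, off_flags, _ = struct.unpack_from("!BBHI", p, IPV6_HDR_LEN)
        pieces.append(((off_flags >> 3) * 8, p[IPV6_HDR_LEN + FRAG_HDR_LEN:]))
    pieces.sort()
    upper = b""
    for off, chunk in pieces:
        if off != len(upper):
            raise ValueError("fragment gap or overlap at offset %d" % off)
        upper += chunk
    return ipv6_header(p[8:24], p[24:40], len(upper), next_hdr) + upper


def ping_verdicts(data_len, mtu=1280):
    """Per wire packet of 'ping -s <data_len>': (length, fragment info, verdict)."""
    upper = icmpv6_echo_request(b"\x00" * data_len)
    return [(len(p), find_fragment_header(p), pf_70_verdict(p))
            for p in fragment(upper, NH_ICMPV6, mtu, frag_id=0x0A0B0C0D)]


if __name__ == "__main__":
    for n in (56, 2000):
        print("ping -s %d:" % n, ping_verdicts(n))
```

With 2000 data bytes the fragmentable part is 2008 bytes (ICMPv6 header plus data), so at a 1280-byte MTU it becomes a 1280-byte first fragment and an 824-byte second one, and the quoted policy drops both; the default 56-byte ping fits in one packet and is not a fragment at all, which is why the problem only shows up once a tunnel forces the minimum MTU.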

