kern/124933: pf does not support (drops) IPv6 fragmented packets

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Tue Jun 24 15:10:05 UTC 2008


The following reply was made to PR kern/124933; it has been noted by GNATS.

From: "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net>
To: bug-followup at FreeBSD.org, lionel.fourquaux+fbsdbug at normalesup.org
Cc:  
Subject: Re: kern/124933: pf does not support (drops) IPv6 fragmented packets
Date: Tue, 24 Jun 2008 14:41:34 +0000 (UTC)

 On Tue, 24 Jun 2008, Lionel Fourquaux wrote:
 
 >
 >> Number:         124933
 
 
 >> Description:
 > pf does not support traffic normalization for IPv6 fragmented packets.  Fragmented packets are dropped.  As stated in pf.conf(5): "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally".
 > Since tunneled IPv6 connectivity ("tunnel brokers") often provides only the minimum MTU (1280), this means that it is impossible to set up tunnels or IPsec while using pf for filtering.
 
 You can permit the firewall to unconditionally (not normalized)
 pass the frags.
 
  	pass in on <int> inet6 proto ipv6-frag all
 
 
 To be honest I do not think this should be a FreeBSD PR but you might
 be lucky as I heard someone read the source lately and cried... trying
 to get closer to implement this feature.
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

