[Bug 207363] pf drops fragmented ICMPv6

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Feb 20 06:20:31 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207363

            Bug ID: 207363
           Summary: pf drops fragmented ICMPv6
           Product: Base System
           Version: 10.2-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: freebsd.bugs at gmail.com

pf drops fragmented ICMPv6 despite being configured to allow ipv6-icmp.
This is consistently reproducible in 9.3-RELEASE and 10.3-BETA2.

ping6 to www.freebsd.org works when there is no fragmentation:

root at freebsd10:~ # ping6 -c3 -s1000 www.freebsd.org
PING6(1048=40+8+1000 bytes) 2001:44b8:201:5801:20c:29ff:fe9a:dd8b -->
2001:1900:2254:206a::50:0
1008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=0 hlim=56 time=189.932 ms
1008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=1 hlim=56 time=192.217 ms
1008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=2 hlim=56 time=191.740 ms

--- wfe0.ysv.freebsd.org ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 189.932/191.296/192.217/0.984 ms

However replies and requests are dropped by pf when they are fragmented:

root at freebsd10:~ # ping6 -c3 -s2000 www.freebsd.org
PING6(2048=40+8+2000 bytes) 2001:44b8:201:5801:20c:29ff:fe9a:dd8b -->
2001:1900:2254:206a::50:0

--- wfe0.ysv.freebsd.org ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

root at freebsd10:~ # tcpdump -r /var/log/pflog
16:12:01.910795 IP6 wfe0.ysv.freebsd.org >
2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (0|1440) ICMP6, echo reply[|icmp6]
16:12:01.911607 IP6 wfe0.ysv.freebsd.org >
2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (1440|568)
16:12:02.950043 IP6 wfe0.ysv.freebsd.org >
2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (0|1440) ICMP6, echo reply[|icmp6]
16:12:02.950050 IP6 wfe0.ysv.freebsd.org >
2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (1440|568)
16:12:03.995892 IP6 wfe0.ysv.freebsd.org >
2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (0|1440) ICMP6, echo reply[|icmp6]
16:12:03.996569 IP6 wfe0.ysv.freebsd.org >
2001:44b8:201:5801:20c:29ff:fe9a:dd8b: frag (1440|568)

Disabling pf allows the ping to work again:

root at freebsd10:~ # pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
root at freebsd10:~ # ping6 -c3 -s2000 www.freebsd.org
PING6(2048=40+8+2000 bytes) 2001:44b8:201:5801:20c:29ff:fe9a:dd8b -->
2001:1900:2254:206a::50:0
2008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=0 hlim=54 time=204.390 ms
2008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=1 hlim=54 time=200.665 ms
2008 bytes from 2001:1900:2254:206a::50:0, icmp_seq=2 hlim=54 time=202.051 ms

--- wfe0.ysv.freebsd.org ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 200.665/202.369/204.390/1.537 ms

root at freebsd10:~ # cat /etc/pf.conf 
set skip on lo

pass out quick
block in log
pass in quick inet6 proto ipv6-icmp
pass in quick inet6 proto tcp to port ssh

This may be related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list