PF and IPv6 UDP fragmented packets

László Károlyi laszlo at karolyi.hu
Sat Aug 31 20:52:53 UTC 2019


Hey,

I've installed unbound into a jail to use it as a nameserver. After
setting up PF to allow UDP fragments to the jail's IPv6 address, I still
saw PF dropping the UDP fragment packets arriving to and from my jail.
According to the pf.conf readme, the IP header of the fragmented packets
still contains the protocol type (TCP/UDP), but not the port number. I
hope it's not a documentation bug.

Here are the pflog dump lines, showing which packets were dropped:

22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 >
2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494:  [|udp]
22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 >
2a91:4f84:13a5:509f::32: frag (1232|224)
22:23:30.401494 rule 0/0(match): block in on lo0:
2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 >
14204:  [|udp]
22:23:30.401496 rule 0/0(match): block in on lo0:
2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (1232|425)

After a couple of hours, I figured out that the culprit in the PF ruleset
is the 'proto udp' definition. Here are the working rules:

pass on $int_if inet6 proto tcp from any to $unbound_jail_ip6 port 53 keep state
pass on $ext_if inet6 from any to $unbound_jail_ip6 keep state fragment
pass on $int_if inet6 proto udp from any to $unbound_jail_ip6 port 53 keep state
pass on $int_if inet6 from any to $unbound_jail_ip6 keep state fragment

The referred-to part of the pf.conf readme:

https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+12.0-RELEASE+and+Ports&arch=default&format=html#end

Cheers, 
--
László Károlyi
https://linkedin.com/in/karolyi
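As an added example (not part of the post above), a small Python script that parses pflog/tcpdump lines like the ones quoted and groups the blocked fragments into datagrams, flagging the tail fragments that carry no UDP ports and therefore cannot be matched by a port-qualified rule. The sample lines are the post's four log lines, re-typed as a constructed list.

```python
import re

# Constructed sample: the four pflog lines quoted in the post.
PFLOG_LINES = [
    "22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 > "
    "2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494:  [|udp]",
    "22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 > "
    "2a91:4f84:13a5:509f::32: frag (1232|224)",
    "22:23:30.401494 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > "
    "2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 14204:  [|udp]",
    "22:23:30.401496 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > "
    "2a91:4f84:13a5:509f::32: frag (1232|425)",
]

# 'frag (offset|length)' is followed by 'sport > dport:' only when the
# fragment carries the UDP header, i.e. at offset 0.
FRAG_RE = re.compile(
    r"^\S+ rule \S+: \w+ (?:in|out) on \w+: (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)(?: (?P<sport>\d+) > (?P<dport>\d+):)?"
)

def parse_fragment(line):
    """Return one fragment record, or None for lines that are not fragments."""
    m = FRAG_RE.match(line)
    if not m:
        return None
    ports = (int(m["sport"]), int(m["dport"])) if m["sport"] else None
    return {"src": m["src"], "dst": m["dst"], "offset": int(m["off"]),
            "length": int(m["len"]), "ports": ports}

def group_datagrams(lines):
    """Group fragments into datagrams: offset 0 opens one, later ones join by src/dst."""
    datagrams, open_by_flow = [], {}
    for frag in filter(None, map(parse_fragment, lines)):
        flow = (frag["src"], frag["dst"])
        if frag["offset"] == 0:
            open_by_flow[flow] = {"src": frag["src"], "dst": frag["dst"],
                                  "ports": frag["ports"], "fragments": 0,
                                  "portless": 0, "bytes": 0}
            datagrams.append(open_by_flow[flow])
        dg = open_by_flow.get(flow)
        if dg is None:
            continue  # tail fragment whose first fragment was not logged
        dg["fragments"] += 1
        dg["bytes"] += frag["length"]
        if frag["ports"] is None:
            dg["portless"] += 1  # no UDP header, so a 'port 53' rule cannot match it
    return datagrams

def hosts_needing_fragment_rule(lines):
    """Destinations that got port-less fragments and so need a port-less 'fragment' rule."""
    return sorted({dg["dst"] for dg in group_datagrams(lines) if dg["portless"]})
```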

