IPv6 day, PF and IPv6 fragments

Michael Proto mike at jellydonut.org
Tue Jun 7 21:29:59 UTC 2011


On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer <gpalmer at freebsd.org> wrote:
> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says
>
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
>
> Is this correct?  If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?
>
> Thanks,
>
> Gary

Unless I'm mistaken, there shouldn't be any fragments for IPv6, at
least nothing traversing IPv6-capable routers. MTU path-discovery is
supposed to take care of that and any fragmentation is supposed to be
done on the sending host once path-discovery determines the correct
MTU.

http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation


-Proto
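The log lines Gary quotes show exactly what the reply describes: the sending host (2001:4998:0:6::11) split one TCP segment into two fragments, frag (0|1424) and frag (1424|16), because Path MTU Discovery told it the path could not carry the whole segment, and pf on FreeBSD 7.3 blocked both because they carry an IPv6 Fragment header. The following is an added example, not code from the thread or from pf; it builds fragments the way an RFC 2460 source host does, decodes the Fragment header, renders it in the frag (offset|length) form tcpdump and pflog use, and reassembles on the receiving side. Assumptions not in the thread: a path MTU of 1472 bytes (chosen because it reproduces the 1424/16 split), a placeholder receiver address (the log shows "<my IP>"), a constructed 1440-byte TCP segment, and a Fragment header that directly follows the base IPv6 header.

```python
"""Added example (not from the mailing-list thread or from pf): IPv6
fragmentation as done by the source host, Fragment-header parsing, and
receiver-side reassembly.  Constructed inputs are marked below."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_TCP = 6
NH_FRAGMENT = 44

# Constructed inputs: the sender is the address in the quoted log; the
# receiver ("<my IP>" in the log) is replaced by a documentation address.
SRC = ipaddress.ip_address("2001:4998:0:6::11").packed
DST = ipaddress.ip_address("2001:db8::1").packed
# A 1440-byte TCP segment: 32-byte header (timestamps) plus 1408 data bytes.
SEGMENT = bytes(32) + bytes(range(256)) * 5 + bytes(128)
PATH_MTU = 1472  # assumption: yields the frag (0|1424) / (1424|16) split


def fragment_ipv6(src, dst, upper_proto, payload, path_mtu, ident):
    """Fragment `payload` (the upper-layer data) into IPv6 packets that fit
    `path_mtu`, as the source host does once Path MTU Discovery has settled
    (RFC 2460 section 4.5; IPv6 routers never fragment).  Returns a list of
    (offset, length, more_flag, packet) tuples."""
    if IPV6_HDR_LEN + len(payload) <= path_mtu:  # fits: no Fragment header
        hdr = struct.pack("!IHBB", 0x60000000, len(payload), upper_proto, 64)
        return [(0, len(payload), False, hdr + src + dst + payload)]
    room = path_mtu - IPV6_HDR_LEN - FRAG_HDR_LEN
    chunk = room - room % 8  # the offset field counts 8-octet units
    if chunk <= 0:
        raise ValueError("path MTU too small for any fragment")
    frags, offset = [], 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        more = offset + len(piece) < len(payload)
        frag_hdr = struct.pack("!BBHI", upper_proto, 0,
                               ((offset // 8) << 3) | int(more), ident)
        ip6_hdr = struct.pack("!IHBB", 0x60000000, FRAG_HDR_LEN + len(piece),
                              NH_FRAGMENT, 64) + src + dst
        frags.append((offset, len(piece), more, ip6_hdr + frag_hdr + piece))
        offset += len(piece)
    return frags


def parse_fragment(packet):
    """Decode a Fragment header that directly follows the base IPv6 header
    (the only layout this example handles).  Returns None if the packet is
    not fragmented."""
    _vtf, plen, nh, _hlim = struct.unpack("!IHBB", packet[:8])
    if nh != NH_FRAGMENT:
        return None
    start = IPV6_HDR_LEN + FRAG_HDR_LEN
    upper, _res, off_m, ident = struct.unpack("!BBHI", packet[IPV6_HDR_LEN:start])
    return {"next_header": upper, "offset": (off_m >> 3) * 8,
            "length": plen - FRAG_HDR_LEN, "more": bool(off_m & 1),
            "id": ident, "data": packet[start:start + plen - FRAG_HDR_LEN]}


def tcpdump_style(frag):
    """Render a parsed fragment as tcpdump/pflog print it: frag (offset|length)."""
    return f"frag ({frag['offset']}|{frag['length']})"


def old_pf_would_block(packet):
    """Mirror the pf.conf(5) sentence quoted in the thread for FreeBSD 7.3:
    any packet carrying an IPv6 Fragment header is blocked, rule set or not."""
    return parse_fragment(packet) is not None


def reassemble(packets):
    """Receiver-side reassembly of the fragments of one datagram.  Raises if
    a piece is missing, the ids differ, or the final fragment is absent."""
    frags = sorted((f for f in map(parse_fragment, packets) if f),
                   key=lambda f: f["offset"])
    if not frags or len({f["id"] for f in frags}) != 1:
        raise ValueError("need fragments of exactly one datagram")
    out, expected = bytearray(), 0
    for f in frags:
        if f["offset"] != expected:
            raise ValueError(f"gap before offset {f['offset']}")
        out += f["data"]
        expected += f["length"]
    if frags[-1]["more"]:
        raise ValueError("last fragment missing")
    return bytes(out)


if __name__ == "__main__":
    for _, _, _, pkt in fragment_ipv6(SRC, DST, NH_TCP, SEGMENT, PATH_MTU, 0x2A2A):
        verdict = "block" if old_pf_would_block(pkt) else "pass"
        print(tcpdump_style(parse_fragment(pkt)), verdict)
```

Two things worth noticing when reading the quoted log against this: the 1424-byte first fragment is the largest multiple of 8 that fits in 1472 minus the 40-byte base header and 8-byte Fragment header, and tcpdump's "0:1392(1392)" is computed from that first fragment alone (1424 bytes minus the 32-byte TCP header with the timestamp option), so the full segment is 1424 + 16 = 1440 bytes. A firewall that blocks on the Fragment header alone, as the quoted man page says pf did then, drops the whole segment even though the sender did everything Path MTU Discovery asked of it.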


More information about the freebsd-pf mailing list