IPv6 day, PF and IPv6 fragments

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Tue Jun 7 21:33:34 UTC 2011


On Jun 7, 2011, at 9:03 PM, Michael Proto wrote:

> On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer <gpalmer at freebsd.org> wrote:
>> Hi,
>> 
>> I noticed after running test-ipv6.com at home that I was getting
>> 
>> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
>> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>> 
>> on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says
>> 
>>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>>     blocked unconditionally.
>> 
>> Is this correct?  If so, what is the correct way of getting IPv6 fragmented
>> packets through a pf firewall, or which version of FreeBSD introduces a PF
>> version that natively handles IPv6 fragments?
>> 
>> Thanks,
>> 
>> Gary
> 
> Unless I'm mistaken, there shouldn't be any fragments for IPv6, at
> least nothing traversing IPv6-capable routers. MTU path-discovery is
> supposed to take care of that and any fragmentation is supposed to be
> done on the sending host once path-discovery determines the correct
> MTU.
> 
> http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation

Whatever they say and what you read.

There are fragments in IPv6 as well.  Indeed no one fragments the packet
on the path, but if I am going to write 32k of data to UDP you'll see
a lot of fragments no matter what.

Actually this is the most common frag6 source I am seeing -- large
DNS replies due to DNSsec, etc.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
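To make the point concrete, here is an added example (not code from the thread or from pf) that does two things: it shows how a sending host, per RFC 2460, must split a large UDP datagram into IPv6 fragments itself once the path MTU is known, and it parses the `frag (offset|length)` spans from the pflog lines quoted above to check that the blocked fragments form one contiguous datagram. The 32 KiB UDP payload, the 1280-byte path MTU and the identification value are constructed inputs; the two log lines are the ones from Gary's mail.

```python
import re
import struct

IPV6_HDR_LEN = 40      # fixed IPv6 header
FRAG_HDR_LEN = 8       # Fragment extension header (RFC 2460, section 4.5)
UDP_HDR_LEN = 8
MIN_IPV6_MTU = 1280    # every IPv6 link must carry at least this
NH_UDP = 17


def fragment_plan(payload_len, mtu=MIN_IPV6_MTU, unfrag_ext_len=0):
    """Describe how the *sending host* splits a payload of payload_len bytes
    (e.g. UDP header plus data) into IPv6 fragments for a given path MTU.
    Returns a list of (offset_bytes, length, more_fragments).  Every fragment
    except the last must carry a multiple of 8 bytes, so the offset field
    (in 8-byte units) can address it.  Routers never do this in IPv6."""
    room = mtu - IPV6_HDR_LEN - unfrag_ext_len - FRAG_HDR_LEN
    if room < 8:
        raise ValueError("MTU too small to carry a fragment")
    chunk = room - (room % 8)          # round down to a multiple of 8
    plan, off = [], 0
    while off < payload_len:
        length = min(chunk, payload_len - off)
        more = off + length < payload_len
        plan.append((off, length, more))
        off += length
    return plan


def build_fragment_header(next_header, offset_bytes, more, ident):
    """Encode a Fragment header: Next Header, Reserved, 13-bit offset in
    8-byte units + 2 reserved bits + M flag, 32-bit Identification."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    units = offset_bytes // 8
    if units > 0x1FFF:
        raise ValueError("offset does not fit in 13 bits")
    field = (units << 3) | (1 if more else 0)
    return struct.pack("!BBHI", next_header, 0, field, ident)


def parse_fragment_header(raw):
    """Decode the 8-byte Fragment header back into its fields."""
    nh, _reserved, field, ident = struct.unpack("!BBHI", raw[:FRAG_HDR_LEN])
    return {"next_header": nh, "offset": (field >> 3) * 8,
            "more": bool(field & 1), "id": ident}


# tcpdump/pflog prints IPv6 fragments as "frag (offset|length)"
PFLOG_FRAG = re.compile(r"frag \((\d+)\|(\d+)\)")


def frag_spans_from_pflog(lines):
    """Extract (offset, length) spans from pflog/tcpdump lines, sorted by offset."""
    spans = []
    for line in lines:
        m = PFLOG_FRAG.search(line)
        if m:
            spans.append((int(m.group(1)), int(m.group(2))))
    return sorted(spans)


def spans_contiguous(spans):
    """True if the spans cover 0..end with no gap or overlap, i.e. the logged
    fragments together make up one whole datagram."""
    expected = 0
    for off, length in spans:
        if off != expected:
            return False
        expected = off + length
    return True


# The two pflog lines quoted in the thread (the host address is elided there too).
PFLOG_LINES = [
    "2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>",
    "2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)",
]

if __name__ == "__main__":
    # Constructed case: a 32 KiB UDP datagram sent over a 1280-byte path.
    plan = fragment_plan(32 * 1024 + UDP_HDR_LEN, MIN_IPV6_MTU)
    print(f"{len(plan)} fragments, first {plan[0]}, last {plan[-1]}")
    hdr = build_fragment_header(NH_UDP, plan[-1][0], plan[-1][2], 0x1234ABCD)
    print("last fragment header:", parse_fragment_header(hdr))
    spans = frag_spans_from_pflog(PFLOG_LINES)
    print("logged spans:", spans, "contiguous:", spans_contiguous(spans))
```

Running it shows 27 fragments for the 32 KiB datagram, all but the last 1232 bytes long, which is why a rule set that drops every IPv6 fragment silently breaks large UDP replies such as DNSSEC answers; the two logged spans `(0|1424)` and `(1424|16)` reassemble to one 1440-byte TCP segment, with the first fragment length being a multiple of 8 exactly as the RFC requires.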


