[Bug 124933] [pf] [ip6] pf does not support (drops) IPv6 fragmented packets

Kristof Provost kristof at sigsegv.be
Sat Feb 7 08:46:34 UTC 2015


On 2015-02-06 15:35:15 (-0800), Darren Pilgrim <list_freebsd at bluerosetech.com> wrote:
> On 2/5/2015 1:21 AM, bugzilla-noreply at freebsd.org wrote:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=124933
> > --- Comment #7 from Kristof Provost <kristof at freebsd.org> ---
> > There are patches here:
> >
> > https://reviews.freebsd.org/D1764
> > https://reviews.freebsd.org/D1765
> > https://reviews.freebsd.org/D1766
> > https://reviews.freebsd.org/D1767
> 
> Sweet! Please tell me these will MFC in time for 10.2?
> 
There are still issues at the moment. I'm trying to get those fixed as
soon as possible. 

Specifically, there's a problem with the refragmentation. If you're
using pf on a gateway it will correctly defragment and then filter, but
it won't refragment before trying to send the packet out again. As a
result you get an ICMP6 Packet Too Big error if you do 'ping6 -s 9000
...' through it.

The current patches apply to stable/10 (I'm currently running two
stable/10 systems with them), so if you like you can already give them a
try.

Regards,
Kristof
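
The gateway behaviour described in the message above, as an added example that is not code from pf or from the linked patches: a simplified model that fragments a `ping6 -s 9000` payload, reassembles it, and forwards it with and without refragmentation. The 1500-byte link MTU used in the test and all function names are assumptions made for illustration.

```python
import struct

IPV6_HDR_LEN = 40   # fixed IPv6 header
FRAG_HDR_LEN = 8    # IPv6 Fragment extension header
ICMPV6 = 58         # Next Header value for ICMPv6

class PacketTooBig(Exception):
    """Stands in for the ICMP6 Packet Too Big error."""

def fragment(payload, mtu, ident, next_hdr=ICMPV6):
    """Split payload into Fragment-header-prefixed pieces that fit mtu."""
    # Every fragment except the last carries a multiple of 8 octets.
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        more = 1 if off + chunk < len(payload) else 0
        # Next Header, Reserved, 13-bit offset (8-octet units) + M flag, Identification
        hdr = struct.pack("!BBHI", next_hdr, 0, (off // 8) << 3 | more, ident)
        frags.append(hdr + payload[off:off + chunk])
    return frags

def reassemble(frags):
    """Rebuild the payload from fragments arriving in any order."""
    parts, total = {}, None
    for f in frags:
        off_flags = struct.unpack("!BBHI", f[:FRAG_HDR_LEN])[2]
        off = (off_flags >> 3) * 8
        parts[off] = f[FRAG_HDR_LEN:]
        if not off_flags & 1:            # M flag clear: last fragment
            total = off + len(parts[off])
    buf = b"".join(parts[o] for o in sorted(parts))
    if total is None or len(buf) != total:
        raise ValueError("incomplete fragment set")
    return buf

def forward(frags, out_mtu, refragment):
    """Simplified gateway: reassemble, filter, then send on a link with out_mtu."""
    payload = reassemble(frags)          # filtering would inspect this whole packet
    if refragment:
        ident = struct.unpack("!BBHI", frags[0][:FRAG_HDR_LEN])[3]
        return fragment(payload, out_mtu, ident)
    if IPV6_HDR_LEN + len(payload) > out_mtu:
        raise PacketTooBig(out_mtu)      # the failure described in the message
    return [payload]                     # fits: one unfragmented packet

# Constructed input: ping6 -s 9000 = 8-byte ICMPv6 header + 9000 data bytes.
SAMPLE = bytes(i % 251 for i in range(8 + 9000))
```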

