pf does not support traffic normalization for IPv6 fragmented packets. Fragmented packets are dropped. As stated in pf.conf(5): "Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally". Since tunneled IPv6 connectivity ("tunnel brokers") often provides only the minimum MTU (1280), this means that it is impossible to set up tunnels or IPsec while using pf for filtering. Some code for IPv6 traffic normalization was added years ago in the OpenBSD CVS (by itojun), but it was never completed and has been removed since. The comments show that there were some performance problems.

How-To-Repeat: Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel broker such as SixXS). Fragments can be generated using e.g. "ping -s 2000".
You can permit the firewall to unconditionally (not normalized) pass the frags.

pass in on <int> inet6 proto ipv6-frag all

To be honest I do not think this should be a FreeBSD PR but you might be lucky as I heard someone read the source lately and cried... trying to get closer to implement this feature.

-- Bjoern A. Zeeb
Stop bit received. Insert coin for new game.
State Changed From-To: open->suspended Over to maintainers; mark as suspended as it may be an upstream problem.
Responsible Changed From-To: freebsd-bugs->freebsd-pf
Reading the release notes of OpenBSD 5.1, it seems there are several fixes regarding fragmentation issues, especially ones concerning IPv6. I feel pf should be updated to 5.1 in FreeBSD, see also kern/167057 a.

-- Wherever they's a fight so hungry people can eat, I'll be there. Wherever they's a cop beatin' up a guy, I'll be there. If Casy knowed, why, I'll be in the way guys yell when they're mad an' I'll be in the way kids laugh when they're hungry an' they know supper's ready. An' when our folks eat the stuff they raise an' live in the house they build, why I'll be there. - John Steinbeck, The Grapes of Wrath
Has there been any movement on this at all? I am seeing quite a few dropped IPv6 fragmented packets on my home gateway, which is definitely having an effect as I am browsing the web. The work-around is not a good solution since that would allow anyone to bypass the firewall by simply fragmenting the packet...
What's up here? In discussion? It's broken, end of discussion. What upstream? You blame upstream and then stop taking updates from them (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167057)? 6 years, nothing done, fabulous really. FYI, this is so bad it totally kills some websites, as in, not usable with IPv6 at all.
There are patches here:
https://reviews.freebsd.org/D1764
https://reviews.freebsd.org/D1765
https://reviews.freebsd.org/D1766
https://reviews.freebsd.org/D1767
This issue appears to be addressed now:
https://reviews.freebsd.org/D1764 committed: r278828
https://reviews.freebsd.org/D1765 committed: r278831
https://reviews.freebsd.org/D1766 committed: r278842
https://reviews.freebsd.org/D1767 committed: r278843
(my issue with this fixed in r281164)
There are a couple more fixes, but PF fully handles IPv6 fragmentation as of r284280 in current and r284581 in stable/10. That means it'll be part of the 10.2 release.
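As an added illustration (not from any commenter in this PR), here is a pf.conf fragment contrasting the unconditional ipv6-frag pass workaround from the earlier comment with the reassembly-based configuration possible once pf handles IPv6 fragments (10.2 and later per the comment above). The interface name is an assumed placeholder; rule order follows pf's last-matching-rule semantics.

```pf
# Assumed interface name; replace with the real external interface.
ext_if = "em0"

# Default deny on the external interface.
block in on $ext_if

# --- Workaround for pf releases that drop IPv6 fragments ---
# Every IPv6 fragment is passed untouched, before any state or rule
# matching on the reassembled payload. Because pf cannot see the
# upper-layer header in non-first fragments, this rule effectively
# exempts fragmented traffic from the rest of the ruleset, which is
# the bypass concern raised in the thread.
# pass in on $ext_if inet6 proto ipv6-frag all

# --- With IPv6 fragment reassembly (r284280 / stable/10 r284581) ---
# Fragments are reassembled into the full packet before rule
# evaluation, so the normal policy below applies to the whole packet
# and fragmented traffic is no longer a special case.
scrub in on $ext_if all fragment reassemble

# Example policy: allow inbound IPv6 echo requests (large pings
# fragment at tunnel MTUs such as 1280) and established state only.
pass in on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state
```

With the scrub rule in place, a fragmented `ping -s 2000` either reassembles and matches the icmp6 rule or is dropped by the default block, rather than slipping past the ruleset as a bare fragment.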
*** Bug 207363 has been marked as a duplicate of this bug. ***