pf does not support traffic normalization for IPv6 fragmented packets.
Fragmented packets are dropped. As stated in pf.conf(5): "Currently,
only IPv4 fragments are supported and IPv6 fragments are blocked."
Since tunneled IPv6 connectivity ("tunnel brokers") often provide only
the minimum MTU (1280), this means that it is impossible to set up tunnels
or IPsec while using pf for filtering.
Some code for IPv6 traffic normalization was added years ago in the
OpenBSD CVS (by itojun), but it was never completed and has been removed
since. The comments show that there were some performance problems.
How-To-Repeat: Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel
broker such as SixXS). Fragments can be generated using e.g. "ping -s 2000".
You can permit the firewall to unconditionally (not normalized)
pass the frags.
pass in on <int> inet6 proto ipv6-frag all
To be honest I do not think this should be a FreeBSD PR but you might
be lucky as I heard someone read the source lately and cried... trying
to get closer to implement this feature.
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
Over to maintainers; mark as suspended as it may be an upstream problem.
Reading the release notes of OpenBSD 5.1, it seems there are several
fixes regarding fragmentation issues, especially ones concerning IPv6.
I feel pf should be updated to 5.1 in FreeBSD, see also kern/167057
Wherever they's a fight so hungry people can eat, I'll be there.
Wherever they's a cop beatin' up a guy, I'll be there.
If Casy knowed, why, I'll be in the way guys yell when they're mad an'
I'll be in the way kids laugh when they're hungry an' they know
supper's ready. An' when our folks eat the stuff they raise an' live
in the house they build, why I'll be there.
- John Steinbeck, The Grapes of Wrath
Has there been any movement on this at all? I am seeing quite a few dropped IPv6 fragmented packets on my home gateway, which is definitely having an effect as I am browsing the web.
The work-around is not a good solution since that would allow anyone to bypass the firewall by simply fragmenting the packet...
What's up here? In discussion? It's broken, end of discussion. What upstream? You blame upstream and then stop taking updates from them (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167057)? 6 years, nothing done, fabulous really. FYI, this is so bad it totally kills some websites, as in, not usable with IPv6 at all.
There are patches here:
This issue appears to be addressed now:
https://reviews.freebsd.org/D1764 committed: r278828
https://reviews.freebsd.org/D1765 committed: r278831
https://reviews.freebsd.org/D1766 committed: r278842
https://reviews.freebsd.org/D1767 committed: r278843 (my issue with this fixed in r281164)
There are a couple more fixes, but PF fully handles IPv6 fragmentation as of r284280 in current and r284581 in stable/10.
That means it'll be part of the 10.2 release.
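As an added illustration (not from this PR or its comments), the two pf.conf approaches discussed in this thread side by side: the pre-10.2 workaround that passes IPv6 fragments without normalization, and the post-fix setup that reassembles them before the filter rules run. The interface name gif0 is an assumption.

```pf
# Assumed tunnel interface; adjust to the real one.
ext_if = "gif0"

# --- Workaround used before the fix (FreeBSD < 10.2) ---
# Non-initial IPv6 fragments carry no L4 header, so this rule lets every
# fragment through regardless of the filter rules below. As noted in the
# thread, anything can then slip past the firewall just by being fragmented.
# Left commented out here; enable only if fragment reassembly is unavailable.
# pass in on $ext_if inet6 proto ipv6-frag all

# --- Setup once pf reassembles IPv6 fragments (r284280 / r284581, 10.2+) ---
# Normalization must precede the filter rules in pf.conf. With reassembly
# the full datagram is rebuilt first, so the rules below see real headers
# and a fragmented packet is filtered exactly like an unfragmented one.
scrub in on $ext_if all fragment reassemble

# Default deny, then allow the minimum an IPv6 tunnel needs (1280 MTU paths
# depend on Packet Too Big and neighbour discovery getting through).
block in on $ext_if inet6
pass in on $ext_if inet6 proto icmp6 all icmp6-type { echoreq, toobig, neighbrsol, neighbradv }
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 22
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it; "ping6 -s 2000" against a host behind the firewall then shows whether fragments are reassembled and filtered rather than dropped or passed blindly.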
*** Bug 207363 has been marked as a duplicate of this bug. ***