Bug 124933 - [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
Summary: [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-pf (Nobody)
URL:
Keywords:
Duplicates: 207363
Depends on:
Blocks:
 
Reported: 2008-06-24 14:30 UTC by Lionel Fourquaux
Modified: 2016-02-21 09:29 UTC
CC List: 6 users

See Also:


Attachments

Description Lionel Fourquaux 2008-06-24 14:30:01 UTC
pf does not support traffic normalization for IPv6 fragmented packets.
Fragmented packets are dropped.  As stated in pf.conf(5): "Currently,
only IPv4 fragments are supported and IPv6 fragments are blocked
unconditionally".

Since tunneled IPv6 connectivity ("tunnel brokers") often provide only
the minimum MTU (1280), this means that it is impossible to set up tunnels
or IPsec while using pf for filtering.

Some code for IPv6 traffic normalization was added years ago in the
OpenBSD CVS (by itojun), but it was never completed and has been removed
since.  The comments show that there were some performance problems.

How-To-Repeat: Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel
broker such as SixXS).  Fragments can be generated using e.g. "ping -s 2000".
Comment 1 bzeeb-lists 2008-06-24 15:41:34 UTC
You can permit the firewall to unconditionally (not normalized)
pass the frags.

 	pass in on <int> inet6 proto ipv6-frag all


To be honest I do not think this should be a FreeBSD PR but you might
be lucky as I heard someone read the source lately and cried... trying
to get closer to implement this feature.

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2008-06-25 06:28:51 UTC
State Changed
From-To: open->suspended

Over to maintainers; mark as suspended as it may be an upstream problem. 


Comment 3 Mark Linimon freebsd_committer freebsd_triage 2008-06-25 06:28:51 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf
Comment 4 Antoine Beaupre 2012-05-02 14:22:12 UTC
Reading the release notes of OpenBSD 5.1, it seems there are several
fixes regarding fragmentation issues, especially ones concerning IPv6.

I feel pf should be updated to 5.1 in FreeBSD, see also kern/167057

a.

-- 
Wherever they's a fight so hungry people can eat, I'll be there.
Wherever they's a cop beatin' up a guy, I'll be there.
If Casy knowed, why, I'll be in the way guys yell when they're mad an'
I'll be in the way kids laugh when they're hungry an' they know
supper's ready. An' when our folks eat the stuff they raise an' live
in the house they build, why I'll be there.
                        - John Steinbeck, The Grapes of Wrath
Comment 5 Bert JW Regeer 2014-06-17 00:55:13 UTC
Has there been any movement on this at all? I am seeing quite a few dropped IPv6 fragmented packets on my home gateway, which is definitely having an effect as I am browsing the web.

The work-around is not a good solution since that would allow anyone to bypass the firewall by simply fragmenting the packet...
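The bypass Bert describes, and what the normalization the report asks for restores, can be shown on the wire format itself. The following is an added example for this bug page, not pf code and not code from any commenter: it builds a 2000-byte TCP segment to port 22 from the constructed addresses 2001:db8::1 and 2001:db8::2 (fragment ID 0x1234, also constructed), fragments it for a 1280-byte tunnel MTU as RFC 8200 section 4.5 prescribes, then runs the fragments through three modelled behaviours: the old pf (fragments blocked unconditionally), the "pass in inet6 proto ipv6-frag all" workaround, and a filter that reassembles first. Because every fragment carries Next Header 44 rather than 6, a per-packet TCP port rule never sees a fragment; the workaround therefore passes any port, and only reassembly lets the port rule apply.

```python
"""Why passing IPv6 fragments unconditionally defeats port filtering, and what
reassembly restores.  Added example; not pf code.  Addresses, ports and the
0x1234 fragment ID are constructed test data."""
import struct

IPPROTO_TCP = 6
IPPROTO_FRAGMENT = 44      # "ipv6-frag" in pf.conf
IPV6_MIN_MTU = 1280        # what tunnel brokers typically hand out


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header; version 6, traffic class and flow label 0."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit, src, dst)


def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (SYN, no options; checksum left 0 for the demo)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + data


def fragment(src, dst, upper_proto, fragmentable, mtu, ident):
    """Split the fragmentable part into IPv6 fragments as RFC 8200 section 4.5 does:
    every fragment but the last carries a multiple of 8 octets."""
    chunk = (mtu - 40 - 8) & ~7
    frags, offset = [], 0
    while offset < len(fragmentable):
        body = fragmentable[offset:offset + chunk]
        more = 1 if offset + len(body) < len(fragmentable) else 0
        frag_hdr = struct.pack("!BBHI", upper_proto, 0, ((offset // 8) << 3) | more, ident)
        frags.append(ipv6_header(src, dst, IPPROTO_FRAGMENT, 8 + len(body)) + frag_hdr + body)
        offset += len(body)
    return frags


def parse_ipv6(pkt):
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    return next_header, pkt[8:24], pkt[24:40], pkt[40:40 + payload_len]


def filter_packet(pkt, allowed_tcp_dports, pass_frags):
    """Stateless per-packet filter.  pass_frags=False models the old pf (fragments
    blocked unconditionally); pass_frags=True models the
    'pass in inet6 proto ipv6-frag all' workaround.  Either way a fragment is
    never matched against the TCP port rule: its next header is 44, not 6."""
    next_header, _, _, payload = parse_ipv6(pkt)
    if next_header == IPPROTO_TCP:
        dport = struct.unpack("!H", payload[2:4])[0]
        return dport in allowed_tcp_dports
    if next_header == IPPROTO_FRAGMENT:
        return pass_frags
    return False


def reassemble(frags):
    """Rebuild the original packet from its fragments, i.e. the normalization step
    that must run before the rule set.  Rejects gaps, overlaps, bad sizes and
    fragments that belong to a different (src, dst, ID) tuple."""
    pieces, total, upper, key = {}, None, None, None
    for pkt in frags:
        next_header, src, dst, payload = parse_ipv6(pkt)
        if next_header != IPPROTO_FRAGMENT:
            raise ValueError("not a fragment")
        proto, _, offflags, ident = struct.unpack("!BBHI", payload[:8])
        if key is None:
            key, upper = (src, dst, ident), proto
        elif key != (src, dst, ident) or upper != proto:
            raise ValueError("fragment from a different packet")
        offset, more, body = (offflags >> 3) * 8, offflags & 1, payload[8:]
        if more and len(body) % 8:
            raise ValueError("non-final fragment not a multiple of 8 octets")
        if not more:
            total = offset + len(body)
        if offset in pieces:
            raise ValueError("duplicate offset")
        pieces[offset] = body
    data = b""
    for offset in sorted(pieces):
        if offset != len(data):
            raise ValueError("gap or overlap at offset %d" % offset)
        data += pieces[offset]
    if total is None or len(data) != total or total > 65535 - 40:
        raise ValueError("incomplete or oversized packet")
    src, dst, _ = key
    return ipv6_header(src, dst, upper, len(data)) + data


def demo(dport=22, allowed=frozenset({443})):
    """Fragment a 2000-byte TCP segment to `dport` and run it through the three
    behaviours.  Policy: only TCP to port 443 is allowed."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1, constructed
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2, constructed
    frags = fragment(src, dst, IPPROTO_TCP, tcp_segment(40000, dport, b"A" * 2000),
                     IPV6_MIN_MTU, ident=0x1234)
    return {
        "fragments": len(frags),
        "old_pf": [filter_packet(f, allowed, pass_frags=False) for f in frags],
        "workaround": [filter_packet(f, allowed, pass_frags=True) for f in frags],
        "reassembled": filter_packet(reassemble(frags), allowed, pass_frags=False),
    }


if __name__ == "__main__":
    print("port 22 (not allowed):", demo(22))
    print("port 443 (allowed):   ", demo(443))
```

Running demo(22) gives two fragments, both dropped by the old pf, both passed by the workaround, and a reassembled packet that the port rule correctly rejects; demo(443) shows the other half of the bug, legitimate fragmented traffic that the old pf drops but a reassembling filter passes. The reassembler's checks (8-octet alignment, no gaps or overlaps, consistent ID) are the minimum a normalizer needs so that an attacker cannot use overlapping fragments to make the filter and the end host see different upper-layer headers.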
Comment 6 doktornotor 2014-10-21 07:43:58 UTC
What's up here? In discussion? It's broken, end of discussion. What upstream? You blame upstream and then stop taking updates from them (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167057)? 6 years, nothing done, fabulous really. FYI, this is so bad it totally kills some websites, as in, not usable with IPv6 at all.
Comment 8 Allan Jude freebsd_committer 2015-07-15 20:01:26 UTC
This issue appears to be addressed now:

https://reviews.freebsd.org/D1764 committed: r278828
https://reviews.freebsd.org/D1765 committed: r278831
https://reviews.freebsd.org/D1766 committed: r278842
https://reviews.freebsd.org/D1767 committed: r278843 (my issue with this fixed in r281164)
Comment 9 Kristof Provost freebsd_committer 2015-07-16 08:32:12 UTC
There are a couple more fixes, but PF fully handles IPv6 fragmentation as of r284280 in current and r284581 in stable/10.
That means it'll be part of the 10.2 release.
Comment 10 Michal Roszkowski 2016-02-21 09:29:55 UTC
*** Bug 207363 has been marked as a duplicate of this bug. ***