From nobody@FreeBSD.org  Tue Jun 24 13:26:51 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5C0EF106567B
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jun 2008 13:26:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 4FE148FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jun 2008 13:26:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m5ODQoJY033438
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Jun 2008 13:26:50 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m5ODQocM033437;
	Tue, 24 Jun 2008 13:26:50 GMT
	(envelope-from nobody)
Message-Id: <200806241326.m5ODQocM033437@www.freebsd.org>
Date: Tue, 24 Jun 2008 13:26:50 GMT
From: Lionel Fourquaux <lionel.fourquaux+fbsdbug@normalesup.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf does not support (drops) IPv6 fragmented packets
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         124933
>Category:       kern
>Synopsis:       [pf] [ip6] pf does not support (drops) IPv6 fragmented packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 24 13:30:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Wed May  2 13:30:12 UTC 2012
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
pf does not support traffic normalization for IPv6 fragmented packets.
Fragmented packets are dropped.  As stated in pf.conf(5): "Currently,
only IPv4 fragments are supported and IPv6 fragments are blocked
unconditionally".

Since tunneled IPv6 connectivity ("tunnel brokers") often provide only
the minimum MTU (1280), this means that it is impossible to set up tunnels
or IPsec while using pf for filtering.

Some code for IPv6 traffic normalization was added years ago in the
OpenBSD CVS (by itojun), but it was never completed and has been removed
since.  The comments show that there were some performance problems.

>How-To-Repeat:
Use pf as a firewall on an IPv6-enabled network (e.g. using a tunnel
broker such as SixXS).  Fragments can be generated using e.g. "ping -s 2000".

>Fix:


>Release-Note:
>Audit-Trail:

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: bug-followup@FreeBSD.org, lionel.fourquaux+fbsdbug@normalesup.org
Cc:  
Subject: Re: kern/124933: pf does not support (drops) IPv6 fragmented packets
Date: Tue, 24 Jun 2008 14:41:34 +0000 (UTC)

 You can permit the firewall to unconditionally (not normalized)
 pass the frags.
 
  	pass in on <int> inet6 proto ipv6-frag all
 
 
 To be honest I do not think this should be a FreeBSD PR but you might
 be lucky as I heard someone read the source lately and cried... trying
 to get closer to implement this feature.
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
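To show where the rule from the follow-up above fits in a ruleset, here is a minimal pf.conf as an added example; it is not taken from this PR, from pf.conf(5) or from the pf sources. The interface name (gif0), the local prefix and the macro names are assumed placeholders.

```pf
# Added example, not from this PR or from pf's own documentation: a minimal
# pf.conf showing the IPv6 fragment workaround in context.
ext_if = "gif0"                  # assumed: the IPv6 tunnel interface
my_net = "2001:db8:1::/48"       # assumed: the local prefix (documentation range)

# scrub reassembles IPv4 fragments only; as the pf.conf(5) quote in the PR
# says, IPv6 fragments get no normalization on this release.
scrub in on $ext_if all

# Default deny first. pf evaluates rules last-match-wins, so the pass rules
# below override this block only for the traffic they match.
block in on $ext_if all

# Workaround from the follow-up above: pass IPv6 fragments without
# normalization. "proto ipv6-frag" matches packets carrying the IPv6 Fragment
# header (protocol number 44). Such packets are neither reassembled nor
# tracked by state here, so keep the rule as narrow as the network allows;
# this one only admits fragments destined for the local prefix.
pass in on $ext_if inet6 proto ipv6-frag from any to $my_net

# Normal stateful rules for unfragmented traffic follow.
pass in on $ext_if inet6 proto tcp from any to $my_net port 22 keep state
pass out on $ext_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The trade-off is the one Bjoern describes: fragments are admitted unconditionally, so nothing inside them is inspected by the stateful rules, which is why the destination is restricted rather than left open.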
State-Changed-From-To: open->suspended 
State-Changed-By: linimon 
State-Changed-When: Wed Jun 25 05:28:51 UTC 2008 
State-Changed-Why:  
Over to maintainers; mark as suspended as it may be an upstream problem. 


Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jun 25 05:28:51 UTC 2008 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=124933 

From: Antoine Beaupré <anarcat@anarcat.ath.cx>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/124933: OpenBSD 5.1 fixes some pf fragmentation issues
Date: Wed, 02 May 2012 09:22:12 -0400

 
 Reading the release notes of OpenBSD 5.1, it seems there are several
 fixes regarding fragmentation issues, especially ones concerning IPv6.
 
 I feel pf should be updated to 5.1 in FreeBSD, see also kern/167057
 
 a.
 
 -- 
 Wherever they's a fight so hungry people can eat, I'll be there.
 Wherever they's a cop beatin' up a guy, I'll be there.
 If Casy knowed, why, I'll be in the way guys yell when they're mad an'
 I'll be in the way kids laugh when they're hungry an' they know
 supper's ready. An' when our folks eat the stuff they raise an' live
 in the house they build, why I'll be there.
                         - John Steinbeck, The Grapes of Wrath
 
>Unformatted:
