Bug #2762
closed
PF drops IPv6 packets with fragment header followed by a last fragment only
Start date: 01/18/2013
% Done: 0%
Affected Version: 2.1-IPv6
Affected Architecture: All
Description
PF has the same problem as is described here for ipfw.
http://lists.freebsd.org/pipermail/freebsd-net/2011-February/027838.html
This used to be replicable by doing this:
telnet -6 www.allstream.com 80
but as of 201509, this site no longer exhibits this behavior.
They set a frag header, offset = 0, M bit = 0, in all their SYN ACKs for some reason. That's valid per RFC 2460. A pcap showing this is attached.
PF logs it as follows:
Jan 18 02:48:56 fw1 pf: 00:00:00.242205 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xb5736529:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179963673], length 0
Jan 18 02:48:59 fw1 pf: 00:00:02.934772 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xaf40f4e7:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179963973], length 0
Jan 18 02:49:02 fw1 pf: 00:00:02.999317 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xf2d6888d:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179963973], length 0
Jan 18 02:49:02 fw1 pf: 00:00:00.205661 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0x8009c1bf:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179964293], length 0
Jan 18 02:49:05 fw1 pf: 00:00:02.999839 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xe718b255:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179964293], length 0
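Added illustration, not part of the original report and not PF's code: a C classifier for the fragment header described above, which treats offset = 0 with M = 0 as a complete packet rather than a piece needing reassembly. The enum and function names are this example's own, and the sample packet is constructed from the field values visible in the log (payload length 48, fragment id 0xb5736529) with the addresses and TCP bytes left zeroed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR_LEN 40
#define FRAG_HDR_LEN 8
#define NH_FRAGMENT 44 /* "next-header Fragment (44)" in the PF log */
/* Names below are this example's own, not PF's. */
enum frag_kind { FRAG_NONE, FRAG_ATOMIC, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST, FRAG_MALFORMED };

/* Classify a fragment header that directly follows the fixed IPv6 header. */
enum frag_kind classify_frag(const uint8_t *pkt, size_t len)
{
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6)
        return FRAG_MALFORMED;
    if (pkt[6] != NH_FRAGMENT)
        return FRAG_NONE;
    if (len < IP6_HDR_LEN + FRAG_HDR_LEN)
        return FRAG_MALFORMED;
    /* Fragment header bytes 2-3: 13-bit offset, 2 reserved bits, M flag. */
    unsigned off_m = (unsigned)pkt[IP6_HDR_LEN + 2] << 8 | pkt[IP6_HDR_LEN + 3];
    unsigned offset = off_m >> 3, more = off_m & 1;
    if (offset == 0)
        return more ? FRAG_FIRST : FRAG_ATOMIC; /* offset 0, M 0: complete packet */
    return more ? FRAG_MIDDLE : FRAG_LAST;
}

/* Constructed sample: payload length 48 = 8-byte fragment header + 40 zeroed TCP bytes. */
size_t build_sample(uint8_t *buf, unsigned offset, unsigned more)
{
    static const uint8_t id[4] = { 0xb5, 0x73, 0x65, 0x29 }; /* frag id from the log */
    unsigned off_m = (offset << 3) | (more & 1);
    uint8_t *fh = buf + IP6_HDR_LEN;
    memset(buf, 0, IP6_HDR_LEN + 48);
    buf[0] = 0x60;        /* version 6 */
    buf[5] = 48;          /* payload length */
    buf[6] = NH_FRAGMENT; /* next header of the fixed IPv6 header */
    fh[0] = 6;            /* next header inside the fragment header: TCP */
    fh[2] = (uint8_t)(off_m >> 8);
    fh[3] = (uint8_t)off_m;
    memcpy(fh + 4, id, sizeof id);
    return IP6_HDR_LEN + 48;
}

int main(void)
{
    uint8_t pkt[IP6_HDR_LEN + 48];
    return classify_frag(pkt, build_sample(pkt, 0, 0)) == FRAG_ATOMIC ? 0 : 1;
}
```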