Bug #2762: PF drops IPv6 packets with fragment header followed by a last fragment only - pfSense - pfSense bugtracker

Bug #2762

Updated by Chris Buechler over 8 years ago

PF has the same problem as is described here for ipfw.  
 http://lists.freebsd.org/pipermail/freebsd-net/2011-February/027838.html 

 This used One easy way to be replicable by doing this: replicate this is:  
 telnet -6 www.allstream.com 80  
 but as of 201509, this site no longer exhibits this behavior.  

 They set a frag header, offset = 0, M bit = 0, in all their SYN ACKs for some reason. That's seemingly broken (or at least weird) behavior, but it's valid per RFC 2460. pcap showing is attached.  

 PF logs it as follows:  
 <pre> 
 Jan 18 02:48:56 fw1 pf: 00:00:00.242205 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xb5736529:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179963673], length 0 
 Jan 18 02:48:59 fw1 pf: 00:00:02.934772 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xaf40f4e7:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179963973], length 0 
 Jan 18 02:49:02 fw1 pf: 00:00:02.999317 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xf2d6888d:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179963973], length 0 
 Jan 18 02:49:02 fw1 pf: 00:00:00.205661 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0x8009c1bf:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179964293], length 0 
 Jan 18 02:49:05 fw1 pf: 00:00:02.999839 rule 5/0(match): block in on em0: (flowlabel 0xeb8da, hlim 56, next-header Fragment (44) payload length: 48) 2607:f4e8:200:12:225:90ff:fe2a:a072 > 2610:160:11:a033::230: frag (0xe718b255:0|40) 80 > 40842: Flags [S.], seq 3303787714, ack 1052652245, win 65535, options [mss 1140,nop,wscale 4,sackOK,TS val 260605935 ecr 179964293], length 0 
 </pre>

Back

Project

General

Profile

pfSense

Bug #2762