Current-Users archive
PF silently dropping IPv6 packets
Hi,
Our PF firewall is running NetBSD/amd64 5.0_STABLE and while testing a new
IETF protocol, we discovered that the firewall is silently dropping the echo
reply packet because it has a fragmentation header in it (as specified by the draft).
Is PF doing something wrong here or are we missing something in our pf.conf?
Right now we have
scrub in all
scrub out on $EXT_IF all random-id
scrub on $EXT_IF all reassemble tcp
in the pf.conf. Below is how the packets look...
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 16
Next header: ICMPv6 (0x3a)
Hop limit: 53
Source: 2001:xxxx:xxxx:xxxx::3
Destination: 2001:yyyy:yyyy:yyyy::e0e4
Internet Control Message Protocol v6
Type: 128 (Echo request)
Code: 0
Checksum: 0xcdb8 [correct]
ID: 0x01a2
Sequence: 0x0022
Data (8 bytes)
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 24
Next header: IPv6 fragment (0x2c)
Hop limit: 246
Source: 2001:yyyy:yyyy:yyyy::e0e4
Destination: 2001:xxxx:xxxx:xxxx::3
Fragmentation Header
Next header: ICMPv6 (0x3a)
0000 0000 0000 0... = Offset: 0 (0x0000)
.... .... .... ...0 = More Fragment: No
Identification: 0x0000a088
Internet Control Message Protocol v6
Type: 129 (Echo reply)
Code: 0
Checksum: 0xccb8 [correct]
ID: 0x01a2
Sequence: 0x0022
Data (8 bytes)
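What the dump above shows is a reply whose Fragment header has Offset 0 and "More Fragment: No", i.e. a packet that is carried as a single fragment. A filter that reassembles IPv6 fragments in its scrub stage has to treat such a packet as a complete datagram rather than as one piece of a fragment set. The following is an added example, not code from the original post or from PF: it rebuilds the echo request / echo reply pair from the dump, walks the extension-header chain the way a reassembly stage must, classifies any Fragment header it finds, and verifies the ICMPv6 checksum of the inner message. The addresses use the 2001:db8::/32 documentation prefix in place of the masked 2001:xxxx/2001:yyyy prefixes, and the hop limits, payload bytes and fragment identification are constructed from the values shown in the dump; none of this is taken from PF's source.

```python
"""Walk an IPv6 extension-header chain and classify its Fragment header.

Added example (not from the original post or from PF). Addresses are
constructed from the 2001:db8::/32 documentation prefix; hop limits,
echo data and the fragment identification mirror the dump above.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING = 0, 43
IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 44, 60
IPPROTO_ICMPV6 = 58
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129
# Extension headers we step over; anything else is the upper-layer protocol.
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header)
    followed by the ICMPv6 message, ones'-complement summed in 16-bit words."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src, dst, icmp_type, ident, seq, data, hop_limit, frag_id=None):
    """Build an IPv6 echo packet. With frag_id set, the ICMPv6 message is
    wrapped in a Fragment header with Offset=0 and M=0 (a single fragment)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    csum = icmpv6_checksum(src, dst, icmp)          # computed with the field zeroed
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    payload, next_header = icmp, IPPROTO_ICMPV6
    if frag_id is not None:
        # Fragment header: next hdr, reserved, offset(13)|res(2)|M(1), identification
        payload = struct.pack("!BBHI", IPPROTO_ICMPV6, 0, 0, frag_id) + payload
        next_header = IPPROTO_FRAGMENT
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + src + dst + payload


def parse_ipv6(pkt):
    """Parse the fixed header and follow the extension-header chain.
    Returns the chain, the Fragment header fields (if any), and where the
    upper-layer protocol starts."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    src, dst = pkt[8:24], pkt[24:40]
    off, chain, frag = 40, [], None
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        if nh == IPPROTO_FRAGMENT:                   # fixed 8-byte header
            nh, _, offm, fid = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = {"offset": offm >> 3, "more": bool(offm & 1), "id": fid}
            off += 8
        else:                                        # length in 8-octet units, excluding the first 8
            nh, hlen = pkt[off], pkt[off + 1]
            off += (hlen + 1) * 8
    return {"src": src, "dst": dst, "hop_limit": hlim, "payload_len": plen,
            "ext_chain": chain, "fragment": frag, "upper": nh, "upper_offset": off}


def classify_fragment(info):
    """Offset 0 with M=0 is a single-fragment packet (the case in the dump)."""
    frag = info["fragment"]
    if frag is None:
        return "unfragmented"
    if frag["offset"] == 0:
        return "first" if frag["more"] else "atomic"
    return "middle" if frag["more"] else "last"


def verify_icmpv6_checksum(pkt, info=None):
    """Recompute the ICMPv6 checksum over the message that follows the chain."""
    info = info or parse_ipv6(pkt)
    if info["upper"] != IPPROTO_ICMPV6:
        return False
    icmp = pkt[info["upper_offset"]:40 + info["payload_len"]]
    if len(icmp) < 4:
        return False
    embedded = struct.unpack("!H", icmp[2:4])[0]
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return icmpv6_checksum(info["src"], info["dst"], zeroed) == embedded


# Constructed stand-ins for the two hosts in the dump (2001:xxxx::3 / 2001:yyyy::e0e4).
HOST_A = ipaddress.IPv6Address("2001:db8:1::3").packed
HOST_B = ipaddress.IPv6Address("2001:db8:2::e0e4").packed
REQUEST = build_echo(HOST_A, HOST_B, ICMPV6_ECHO_REQUEST, 0x01A2, 0x0022, bytes(8), 53)
REPLY = build_echo(HOST_B, HOST_A, ICMPV6_ECHO_REPLY, 0x01A2, 0x0022, bytes(8), 246,
                   frag_id=0xA088)

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY)):
        info = parse_ipv6(pkt)
        print("%s: payload_len=%d ext_chain=%s %s checksum_ok=%s" % (
            name, info["payload_len"], info["ext_chain"],
            classify_fragment(info), verify_icmpv6_checksum(pkt, info)))
```

Run as a script it reports the request as unfragmented with payload length 16 and the reply as an "atomic" fragment (chain [44], payload length 24), the same lengths the dump shows. The classification step is the point: a reassembly stage that keys only on "has a Fragment header" and waits for more pieces will never complete this packet, whereas one that checks Offset and M sees a whole datagram and can pass it on to the rules.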