On Sun, 2 Apr 2017, Christos Zoulas wrote:
I am trying to understand the use case here:
1. you want to have V4 DNS and 6to4 service that can generate V4 fragments
2. you want V4 fragments dropped.
3. you can't put V4 rules in your firewall to restrict traffic to only those services.
Is that correct?
That is not completely right. I want to filter IPv6 with npf. IPv4 should not be filtered. After the activation of npf the statistics show:
Fragmentation:
1296 fragments
1104 reassembled
7160 failed reassembly
Since IPv6 is no longer reassembling, it must be IPv4 packets. I want to
make sure that the reassembly errors do not lead to packet losses,
especially at 6to4.
Regards Uwe