> On Jul 23, 2014, at 15:59, Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net> wrote: > > There was (is?) another case that in certain situations with certain pf options IPv6/ULP packets would not pass or get corrupted. I think no one who experienced it never tracked it down to the code but I am sure there are PRs for this; best bet is that not all header sizes are equal and length/offsets into IPv6 packets are different to IPv4, especially when you scrub. > scrub reassemble tcp breaks all ipv6 tcp traffic since FreeBSD 9.0. Well, not entirely "breaks" but things seem to be going at a rate of a poor dialup connection. This is similar to what I've experienced with pf + tso on Xen. Related? Possibly! I'd hazard a guess the reassembling of tcp on IPv6 is breaking checksums? Upstream pf from OpenBSD has removed this feature entirely and (I believe) reworked their scrubbing, but I don't know the details. I can confirm that when reassemble tcp existed on OpenBSD it never broke traffic for me. Synproxy and IPv6 was also broken last I knew. I can't remember the symptoms, but it was probably "nothing works". I recall synproxy has always been one of those "you're gonna shoot your eye out kid" features, but some people have used it successfully.Received on Thu Jul 24 2014 - 16:43:57 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:51 UTC