On 2014-11-09 14:30:55 (+0100), Ilya Bakulin <i...@bakulin.de> wrote:
> On 07.11.14, 14:31, Kristof Provost wrote:
> > I've been playing with it too. I have a patch which seems to be working,
> > but it currently drops the distinction between PFRULE_FRAGCROP and
> > PFRULE_FRAGDROP. OpenBSD dropped that a while ago, but I figured FreeBSD
> > wouldn't want user-visible changes.
> >
> > I've been meaning to look at that some more but ... ENOTIME.
> > It's tentatively planned as a project for Chaos Congress (end of
> > December), but no promises.
> >
> > If you like I can probably dig up the (non-clean) patches for you.
> >
> Yes, please do it, would be interesting to look at your code!
> 

You can find the patch series here:
http://www.sigsegv.be/files/pf_inet6_frag.tar
and everything in one big patch here:
http://www.sigsegv.be/files/pf_inet6_frag.patch

It's not cleaned up yet, or even extensively tested.
Basically the only testing that's been done is setting up a pf config to
drop all traffic except ICMP echo requests, and then sending out
fragmented ICMP echo requests. Without the patch those get dropped; with
the patch they make it through the firewall.
I've done some quick flood ping testing, so I'm reasonably confident it
doesn't leak mbufs.

I started from the OpenBSD work, and imported and adjusted their inet6
defragmentation patches.

Regards,
Kristof
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"