Current-Users archive


Re: npf bug(?)

On Sun, 2 Apr 2017, Christos Zoulas wrote:

> I am trying to understand the use case here:
> 1. you want to have V4 DNS and 6to4 service that can generate V4 fragments
> 2. you want V4 fragments dropped.
> 3. you can't put V4 rules in your firewall to restrict traffic to only
>    those services.
>
> Is that correct?

That is not completely right. I want to filter IPv6 with npf. IPv4 should not be filtered. After the activation of npf the statistics show:

        1296 fragments
        1104 reassembled
        7160 failed reassembly

Since IPv6 is no longer reassembling, it must be IPv4 packets. I want to make sure that the reassembly errors do not lead to packet losses, especially at 6to4.

