On Apr 3, 7:49am, [email protected] ([email protected]) wrote:
-- Subject: Re: npf bug(?)

| On Sun, 2 Apr 2017, Christos Zoulas wrote:
|
| >
| > I am trying to understand the use case here:
| > 1. you want to have V4 DNS and 6to4 service that can generate V4 fragments
| > 2. you want V4 fragments dropped.
| > 3. you can't put V4 rules in your firewall to restrict traffic to only
| > those services.
| >
| > Is that correct?
|
| That is not completely right. I want to filter IPv6 with npf. IPv4 should
| not be filtered. After the activation of npf the statistics show:
|
| Fragmentation:
| 1296 fragments
| 1104 reassembled
| 7160 failed reassembly
|
| Since IPv6 is no longer reassembling, it must be IPv4 packets. I want to
| make sure that the reassembly errors do not lead to packet losses,
| especially at 6to4.

I understand now. You want the V4 packets to be left alone, and processed
by the V4 regular stack. I will look into it.

christos
