Hi,

Empty IPv6 fragments are reassembled differently by our stack and pf. If the payload length is 0, it does not change the content of the fragment cache. So pf just drops it early during processing. But IPv6 requires that when an overlapping fragment is detected, the whole queue of the fragment is dropped. That is what our stack thinks about such a fragment, which is next to an existing fragment entry.
I think the pf way is smarter. An empty fragment can never overlap existing content, there is no ambiguous payload. Just dropping it costs less resources than trying to insert it in the queue. To make the behavior uniform, I want to adapt the IPv6 network stack. ok? bluhm Index: netinet6/frag6.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/frag6.c,v retrieving revision 1.69 diff -u -p -r1.69 frag6.c --- netinet6/frag6.c 24 Aug 2016 09:41:12 -0000 1.69 +++ netinet6/frag6.c 20 Oct 2016 22:40:21 -0000 @@ -208,6 +208,12 @@ frag6_input(struct mbuf **mp, int *offp, return ip6f->ip6f_nxt; } + /* Ignore empty non atomic fragment, do not classify as overlapping. */ + if (sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) <= offset) { + m_freem(m); + return IPPROTO_DONE; + } + IP6Q_LOCK(); /*
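Review bot: The added condition in frag6_input() uses `<=`, so it also matches the case where `sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen)` is strictly smaller than `offset`, which is not an empty fragment but a payload length that does not cover the headers already parsed. The comment only describes the equality case. Either state in the comment that `offset` points past the fragment header and that the shorter case is deliberately treated the same way, or handle it separately. The packet is also freed with `m_freem(m)` and no statistics update is visible in the hunk, so these drops would not show up when diagnosing reassembly problems; consider bumping a fragment drop counter before returning `IPPROTO_DONE`. Since the check sits before `IP6Q_LOCK()`, it also applies to an empty fragment with the more-fragments flag clear, and the commit message should say whether that is intended to match what pf does.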