OPNsense Forum

English Forums => General Discussion => Topic started by: mb` on May 10, 2020, 09:49:45 PM

Title: Firewall Rules - IPV6 Protocols filtered out by etc/inc/filter.inc
Post by: mb` on May 10, 2020, 09:49:45 PM
I am trying to create a filter to allow packets with ipv6-frag protocol, but I was surprised to see it isn't possible without tinkering.

Looking around, the file /usr/local/etc/inc/filter.inc has this:

    /* IPv6 extension headers are skipped by the packet filter, we cannot police them */
    $ipv6_ext = array('IPV6-ROUTE', 'IPV6-FRAG', 'IPV6-OPTS', 'IPV6-NONXT', 'MOBILITY-HEADER');

I have commented out that line and the new rule created by it works without issue.

Does anyone know why this has been added?
Title: Re: Firewall Rules - IPV6 Protocols filtered out by etc/inc/filter.inc
Post by: Maurice on May 13, 2020, 08:29:29 PM
Fragmented packets are typically handled by first reassembling them with a normalization (scrub) rule and then passing them to the actual filter rules. So the filter rules shouldn't have to deal with fragments.

If fragments get blocked, my guess would be that normalization is disabled or the fragments are somehow malformed. Can you share some details about your use case?

Cheers

Maurice
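To see why the fragment header is not something a "proto" match can simply police, and why the reassembly step Maurice describes comes before filtering, it helps to walk an IPv6 next-header chain by hand. The following is an added example written for this thread; it is not OPNsense or pf code and not from either poster. The packets are constructed inline (checksums left at zero), and the header names merely echo the strings in filter.inc and /etc/protocols. The walker reports the extension headers it passes through and the upper-layer protocol it ends at, and shows that for a non-initial fragment the upper-layer header is simply not present, so only reassembly (pf scrub) can make it visible to a rule.

```python
"""Walk an IPv6 extension-header chain (added example, not OPNsense or pf code)."""
import struct

# IANA protocol numbers, named as in /etc/protocols (upper-cased like filter.inc).
NAMES = {
    0: "HOPOPT", 6: "TCP", 17: "UDP", 43: "IPV6-ROUTE", 44: "IPV6-FRAG",
    51: "AH", 58: "IPV6-ICMP", 59: "IPV6-NONXT", 60: "IPV6-OPTS",
    135: "MOBILITY-HEADER",
}
# Extension headers laid out as: next_header(1), hdr_ext_len(1) in 8-octet units
# not counting the first 8 octets (RFC 8200 layout).
GENERIC_EXT = {0, 43, 60, 135}


def _need(pkt, off, n):
    if off + n > len(pkt):
        raise ValueError("truncated packet at offset %d" % off)


def walk_ipv6(pkt):
    """Return (ext_chain, upper_proto, frag_info) for one raw IPv6 packet.

    ext_chain:   extension header names in the order they appear
    upper_proto: name of the upper-layer protocol, or None if it is not in
                 this packet (non-initial fragment, or No Next Header)
    frag_info:   dict(offset, more, id) if a Fragment header was seen, else None
    """
    _need(pkt, 0, 40)
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    pkt = pkt[:40 + payload_len]          # ignore any trailing bytes
    off, chain, frag = 40, [], None
    while True:
        if nh == 59:                      # No Next Header: nothing follows
            chain.append(NAMES[nh])
            return chain, None, frag
        if nh in GENERIC_EXT:
            _need(pkt, off, 2)
            nh_next, ext_len = pkt[off], pkt[off + 1]
            chain.append(NAMES[nh])
            off += (ext_len + 1) * 8
            nh = nh_next
        elif nh == 44:                    # Fragment header: fixed 8 octets
            _need(pkt, off, 8)
            nh_next, _res, offflags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            chain.append(NAMES[nh])
            frag = {"offset": offflags >> 3, "more": bool(offflags & 1), "id": ident}
            off, nh = off + 8, nh_next
            if frag["offset"] != 0:
                # Non-initial fragment: the upper-layer header is in the first
                # fragment only, so 'proto' is unknowable without reassembly.
                return chain, None, frag
        elif nh == 51:                    # AH: length in 4-octet units, minus 2
            _need(pkt, off, 2)
            nh_next, ah_len = pkt[off], pkt[off + 1]
            chain.append(NAMES[nh])
            off += (ah_len + 2) * 4
            nh = nh_next
        else:                             # upper-layer protocol reached
            return chain, NAMES.get(nh, str(nh)), frag


# --- constructed sample packets (documentation prefix, not captured traffic) ---
def ipv6_header(next_header, payload, hop_limit=64):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit) + src + dst + payload


def frag_header(next_header, offset, more, ident=0xDEADBEEF):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


ICMP_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)             # echo request, checksum 0
DST_OPTS = struct.pack("!BB", 44, 0) + bytes([1, 4, 0, 0, 0, 0])  # PadN option, next = frag

PLAIN = ipv6_header(58, ICMP_ECHO)
FIRST_FRAG = ipv6_header(44, frag_header(58, 0, True) + ICMP_ECHO)
SECOND_FRAG = ipv6_header(44, frag_header(58, 1, False) + b"\x00" * 8)
OPTS_FRAG = ipv6_header(60, DST_OPTS + frag_header(58, 0, True) + ICMP_ECHO)

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("first fragment", FIRST_FRAG),
                    ("second fragment", SECOND_FRAG), ("dstopts+frag", OPTS_FRAG)]:
        print(name, walk_ipv6(p))
```

Running it, the plain packet ends at IPV6-ICMP with an empty chain, the first fragment passes IPV6-FRAG and still reaches IPV6-ICMP, and the second fragment passes IPV6-FRAG but yields no upper-layer protocol at all. A rule keyed on "proto" therefore only has something to match once scrub has reassembled the pieces, which is the arrangement the reply above describes.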