[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-misc
Subject:    Re: Outdated documentation for scrub (no-df) in pf.conf(5)?
From:       Henning Brauer <lists-openbsd () bsws ! de>
Date:       2013-07-26 9:09:39
Message-ID: 20130726090939.GL12057 () quigon ! bsws ! de
[Download RAW message or body]

* Maxim Khitrov <max@mxcrypt.com> [2013-07-25 17:29]:
> To reassemble fragmented
> packets with the DF flag set, one has to use "set reassemble yes
> no-df" option.

correct.

> By the time any scrub rules are applied, the packet is
> already reassembled

not necessarily - one can turn reassembly off.

> so "scrub (no-df)" simply clears the DF flag for
> all _complete_ packets (pf_scrub in sys/net/pf_norm.c).

pretty much.
 
> I don't see how this fixes problems with fragmented NFS packets, and I
> suspect that this breaks legitimate uses of DF, such as MTU discovery.

well, no-df kinda "breaks" PMTUD by definition; the pf host then
reassembles anyway.

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

[prev in list] [next in list] [prev in thread] [next in thread]