Date: Wed, 07 Feb 2024 23:37:28 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 276856] pf no longer re-assembles fragments by default
Message-ID: <bug-276856-16861-ZTS0SnJmex@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-276856-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-276856-16861@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276856

--- Comment #4 from Michal Scigocki <michal.os@hotmail.com> ---

(In reply to mgrooms from comment #3)

What version of FreeBSD were you using where the default behaviour worked with your IPSec flows?

And before you added the "scrub fragment reassemble" config, did you have any "scrub" statements in the config, or no "scrub" config statements?

(In reply to Kajetan Staszkiewicz from comment #2)

For FreeBSD 14.0, I think using "scrub" rules may be a work-around to a broader issue. I think pf in 14.0 is not processing fragmented packets correctly.

I tried another test, using an empty pf.conf (default pass rule). Monitoring the network interface with tcpdump, sending a large ping (2000 data bytes, so it will fragment).

With pf running, the ping REQUEST is captured on the interface, but the host does not REPLY. If I repeat this with pf stopped, I get both REQUEST and REPLY.

If I do the same test on 13.2 and 15.0, I get both REQUEST and REPLY with pf running. 14.0 is doing something different with the fragmented packets.

-- 
You are receiving this mail because:
You are the assignee for the bug.
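A script for the capture-and-ping test described in the comment, added here as an example; it is not part of the bug report or of FreeBSD. It assumes it runs as root on the FreeBSD host where pf is loaded, and the IFACE, PEER and WINDOW values are constructed placeholders the reader replaces; it loads the empty ruleset and the "scrub fragment reassemble" workaround in turn and counts echo requests against echo replies in the capture.

```shell
#!/bin/sh
# Fragment-reassembly check, run on the pf host. Assumed: root on FreeBSD,
# PEER can ping this host, IFACE faces PEER (placeholders below are
# constructed). pfctl/tcpdump are only used inside run_variant, which runs
# only when PF_FRAG_TEST=run, so the helper functions can be sourced safely.
IFACE="${IFACE:-em0}"
PEER="${PEER:-192.0.2.10}"   # constructed TEST-NET-1 address
WINDOW="${WINDOW:-10}"       # seconds to capture; send "ping -s 2000" from PEER

# "default" is the empty pf.conf from the comment (implicit pass);
# "reassemble" adds the scrub workaround from the comment.
make_pfconf() {
    case "$1" in
        default)    printf '# empty ruleset: implicit pass\n' ;;
        reassemble) printf 'scrub fragment reassemble\n' ;;
        *) echo "unknown variant: $1" >&2; return 1 ;;
    esac
}

# Fragments an echo with $1 data bytes needs at MTU $2: 8-byte ICMP header,
# 20-byte IP header, per-fragment payload rounded down to a multiple of 8.
frag_count() {
    total=$(($1 + 8)); per=$(( ($2 - 20) / 8 * 8 ))
    echo $(( (total + per - 1) / per ))
}

# Count "ICMP echo request"/"ICMP echo reply" lines of tcpdump text output on
# stdin; trailing fragments print as ip-proto-1 and are ignored. Prints "req rep".
count_echo() {
    req=0; rep=0
    while IFS= read -r line; do
        case "$line" in
            *"ICMP echo request"*) req=$((req + 1)) ;;
            *"ICMP echo reply"*)   rep=$((rep + 1)) ;;
        esac
    done
    echo "$req $rep"
}

# Load one ruleset, capture ICMP to/from PEER for WINDOW seconds, report counts.
run_variant() {
    make_pfconf "$1" > "/tmp/pf-frag-$1.conf"
    pfctl -f "/tmp/pf-frag-$1.conf" && pfctl -e 2>/dev/null || true
    echo "[$1] capturing $WINDOW s on $IFACE; ping -s 2000 this host from $PEER now"
    timeout "$WINDOW" tcpdump -n -i "$IFACE" -w "/tmp/pf-frag-$1.pcap" "icmp and host $PEER" 2>/dev/null
    echo "[$1] requests/replies seen: $(tcpdump -n -r "/tmp/pf-frag-$1.pcap" 2>/dev/null | count_echo)"
}

if [ "${PF_FRAG_TEST:-}" = "run" ]; then
    run_variant default; run_variant reassemble
fi
```

A "1 0" style result under the default ruleset against "N N" with reassemble reproduces what the comment reports on 14.0: the request reaches the interface but no reply leaves it.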