Date:      Mon, 6 Apr 2015 23:16:56 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Richard Tector <richardtector@thekeelecentre.com>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r281164 - head/sys/netpfil/pf
Message-ID:  <58A9FC24-0D85-482F-8903-86FC646CB45A@FreeBSD.org>
In-Reply-To: <5522F192.7010205@thekeelecentre.com>
References:  <201504061905.t36J51EX005483@svn.freebsd.org> <5522F192.7010205@thekeelecentre.com>


> On 06 Apr 2015, at 22:50, Richard Tector <richardtector@thekeelecentre.com> wrote:
>
> I was just wondering how this affects the case where we might have if-bound rules?
>
> Really basic example:
>
>  pass quick on $outside_if inet6 proto udp from any to $myhost
>  block drop quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
>  pass quick on $inside_if inet6 proto udp from any to $myhost
>
> If the fragments generated after processing occurs on the inbound interface are then marked to be skipped then will they therefore not be matched by the drop rule in the example above?
>
It should be fine. The refragmentation isn't done until after all of the processing in pf_test6() is done.
Any transformations or filtering pf has to apply is already done then.

In essence all this patch does is make sure we don't take a second pass through pf with the refragmented packets.


Regards,
Kristof
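The ordering Kristof describes, as an added illustration that is not part of the thread and not FreeBSD's pf code: a small Python model in which inbound fragments are reassembled, the if-bound quick rules from Richard's example are evaluated against the whole datagram, and only a passed datagram is refragmented, with the output fragments carrying a skip mark so a second trip through the filter does not re-evaluate the rules. The port number for $secret_svc, the fragment sizes and the `pf_skip` flag are constructed for the example; the rule list mirrors the three quoted rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECRET_SVC = 4444   # constructed stand-in for $secret_svc
IPV6_MIN_MTU = 1280 # refragmentation size used by this model


@dataclass
class Fragment:
    iface: str
    dst_port: Optional[int]   # only the first fragment carries the UDP header
    offset: int
    length: int
    pf_skip: bool = False      # models the "already refragmented" mark


@dataclass
class Packet:
    iface: str
    dst_port: int
    length: int


@dataclass
class Rule:
    action: str                # "pass" or "block"
    iface: str                 # if-bound: the rule only matches on this interface
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return pkt.iface == self.iface and (
            self.dst_port is None or self.dst_port == pkt.dst_port)


# The three quoted rules; all are "quick", so the first match decides.
RULES = [
    Rule("pass", "outside_if"),
    Rule("block", "inside_if", SECRET_SVC),
    Rule("pass", "inside_if"),
]


def make_fragments(iface: str, dst_port: int, total: int,
                   frag_size: int = 1500) -> List[Fragment]:
    """Constructed inbound fragments of one UDP datagram (no skip mark)."""
    out, offset = [], 0
    while offset < total:
        length = min(frag_size, total - offset)
        out.append(Fragment(iface, dst_port if offset == 0 else None,
                            offset, length))
        offset += length
    return out


def reassemble(frags: List[Fragment]) -> Packet:
    frags = sorted(frags, key=lambda f: f.offset)
    first = frags[0]
    assert first.offset == 0 and first.dst_port is not None
    return Packet(first.iface, first.dst_port, sum(f.length for f in frags))


def apply_rules(pkt: Packet, rules: List[Rule]) -> str:
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "pass"   # nothing matched: pf's default is to pass


def refragment(pkt: Packet, mtu: int) -> List[Fragment]:
    """Split the filtered datagram again, marking every piece pf_skip."""
    out, offset = [], 0
    while offset < pkt.length:
        length = min(mtu, pkt.length - offset)
        out.append(Fragment(pkt.iface, pkt.dst_port if offset == 0 else None,
                            offset, length, pf_skip=True))
        offset += length
    return out


class PfModel:
    """Simplified pf_test6(): reassemble -> filter -> refragment."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.evaluations = 0    # how many times the rule set was consulted

    def pf_test6(self, frags: List[Fragment]) -> Tuple[str, List[Fragment]]:
        if frags and all(f.pf_skip for f in frags):
            return "pass", frags          # refragmented output: no second pass
        pkt = reassemble(frags)
        self.evaluations += 1
        action = apply_rules(pkt, self.rules)
        if action == "block":
            return "block", []
        return "pass", refragment(pkt, IPV6_MIN_MTU)


if __name__ == "__main__":
    pf = PfModel(RULES)
    print(pf.pf_test6(make_fragments("inside_if", SECRET_SVC, 3000))[0])
    action, out = pf.pf_test6(make_fragments("inside_if", 53, 3000))
    print(action, len(out), pf.pf_test6(out)[0], pf.evaluations)
```

The block rule still matches because the decision is taken on the reassembled datagram, which carries the port; the refragmented pieces are only produced for a datagram that has already passed, and their mark keeps them from being filtered a second time.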