Date: Mon, 6 Apr 2015 23:16:56 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: Richard Tector <richardtector@thekeelecentre.com>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r281164 - head/sys/netpfil/pf
Message-ID: <58A9FC24-0D85-482F-8903-86FC646CB45A@FreeBSD.org>
In-Reply-To: <5522F192.7010205@thekeelecentre.com>
References: <201504061905.t36J51EX005483@svn.freebsd.org> <5522F192.7010205@thekeelecentre.com>
> On 06 Apr 2015, at 22:50, Richard Tector <richardtector@thekeelecentre.com> wrote:
>
> I was just wondering how this affects the case where we might have if-bound rules?
>
> Really basic example:
>
> pass quick on $outside_if inet6 proto udp from any to $myhost
> block drop quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
> pass quick on $inside_if inet6 proto udp from any to $myhost
>
> If the fragments generated after processing occurs on the inbound interface are then marked to be skipped, then will they therefore not be matched by the drop rule in the example above?
>

It should be fine. The refragmentation isn't done until after all of the processing in pf_test6() is done. Any transformations or filtering pf has to apply is already done then.

In essence all this patch does is make sure we don't take a second pass through pf with the refragmented packets.

Regards,
Kristof
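As an added illustration (not code from the commit or from pf itself), here is a small Python model of the processing order described in the reply: the rules are evaluated once on the reassembled packet on its inbound interface, refragmentation happens only after that, and the refragmented fragments carry a mark so the filter does not take a second pass. The interface names, the port number and the name of the mark are assumed placeholders, not pf's own.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    iface: str                  # interface the packet arrived on
    dport: int                  # UDP destination port
    nfrag: int = 1              # number of wire fragments it arrived as
    refragmented: bool = False  # hypothetical mark set on refragmented output

# The three 'quick' rules from the thread, with placeholder values for the macros.
OUTSIDE_IF, INSIDE_IF, SECRET_SVC = "em0", "em1", 5555
RULES = [
    ("pass", OUTSIDE_IF, None),        # pass quick on $outside_if ... to $myhost
    ("block", INSIDE_IF, SECRET_SVC),  # block drop quick on $inside_if ... port $secret_svc
    ("pass", INSIDE_IF, None),         # pass quick on $inside_if ... to $myhost
]

def match_rules(pkt):
    """First matching rule wins, since every rule is 'quick'."""
    for action, iface, port in RULES:
        if iface == pkt.iface and port in (None, pkt.dport):
            return action
    return "pass"  # implicit default when nothing matches

def pf_test6(pkt, skip_refragmented=True):
    """Return (verdict, emitted packets, filter passes consumed).

    Fragments are filtered as one reassembled packet; refragmentation happens
    only after the verdict.  With skip_refragmented=True (the patched behaviour)
    marked fragments are let through without another pass."""
    if skip_refragmented and pkt.refragmented:
        return "pass", [pkt], 0
    verdict = match_rules(pkt)
    if verdict == "block":
        return "block", [], 1
    out = [replace(pkt, nfrag=1, refragmented=True) for _ in range(pkt.nfrag)]
    return "pass", out, 1

def forward(pkt, skip_refragmented=True):
    """Run pf on the input, then once per emitted fragment as the stack hands them back.

    Returns (verdict, number of fragments emitted, total filter passes)."""
    verdict, frags, passes = pf_test6(pkt, skip_refragmented)
    for frag in frags:
        _, _, extra = pf_test6(frag, skip_refragmented)
        passes += extra
    return verdict, len(frags), passes
```

The blocked case shows that the drop rule on $inside_if still fires because filtering precedes refragmentation; comparing `skip_refragmented=True` with `False` shows the extra passes the patch removes.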