From owner-svn-src-head@FreeBSD.ORG Mon Apr 6 21:17:01 2015
Subject: Re: svn commit: r281164 - head/sys/netpfil/pf
From: Kristof Provost
To: Richard Tector
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Date: Mon, 6 Apr 2015 23:16:56 +0200
Message-Id: <58A9FC24-0D85-482F-8903-86FC646CB45A@FreeBSD.org>
In-Reply-To: <5522F192.7010205@thekeelecentre.com>
References: <201504061905.t36J51EX005483@svn.freebsd.org> <5522F192.7010205@thekeelecentre.com>
List-Id: SVN commit messages for the src tree for head/-current

> On 06 Apr 2015, at 22:50, Richard Tector wrote:
>
> I was just wondering how this affects the case where we might have if-bound rules?
>
> Really basic example:
>
> pass quick on $outside_if inet6 proto udp from any to $myhost
> block drop quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
> pass quick on $inside_if inet6 proto udp from any to $myhost
>
> If the fragments generated after processing occurs on the inbound interface are then marked to be skipped, will they therefore not be matched by the drop rule in the example above?
>

It should be fine. The refragmentation isn't done until after all of the processing in pf_test6() is done.
Any transformations or filtering pf has to apply are already done by then.

In essence all this patch does is make sure we don't take a second pass through pf with the refragmented packets.

Regards,
Kristof
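As an added illustration, not part of the original thread or of the pf code base: the if-bound ruleset from the question, made loadable so the behaviour Kristof describes can be checked on a test box. The macro values (interface names, host address, port) are placeholder assumptions; a reassembly scrub rule and a `log` keyword on the block rule are added so that the match is visible on pflog.

```pf.conf
# Added example: the if-bound ruleset from the thread, made loadable.
# Macro values are assumed placeholders, not taken from the thread.
outside_if = "em0"
inside_if  = "em1"
myhost     = "2001:db8::10"
secret_svc = "5555"

# Reassemble fragments before filtering, so the rules below are evaluated
# against the whole datagram (including the UDP port), not per fragment.
scrub in all fragment reassemble

# Per-interface rules from the question. `log` on the block rule lets
# pflog show whether the reassembled datagram hit it.
pass quick on $outside_if inet6 proto udp from any to $myhost
block drop log quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
pass quick on $inside_if inet6 proto udp from any to $myhost
```

Syntax-check with `pfctl -nf pf.conf`, load with `pfctl -f pf.conf`, then, with pflog enabled, send a fragmented IPv6 UDP datagram to port $secret_svc on the inside interface from another host while running `tcpdump -nei pflog0`. Per the explanation above, the block rule is matched on the reassembled datagram inside pf_test6(), and the packets refragmented afterwards are not passed through the ruleset a second time.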