Date:      Mon, 6 Apr 2015 23:16:56 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Richard Tector <richardtector@thekeelecentre.com>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r281164 - head/sys/netpfil/pf
Message-ID:  <58A9FC24-0D85-482F-8903-86FC646CB45A@FreeBSD.org>
In-Reply-To: <5522F192.7010205@thekeelecentre.com>
References:  <201504061905.t36J51EX005483@svn.freebsd.org> <5522F192.7010205@thekeelecentre.com>



> On 06 Apr 2015, at 22:50, Richard Tector <richardtector@thekeelecentre.com> wrote:
> 
> I was just wondering how this affects the case where we might have if-bound rules?
> 
> Really basic example:
> 
>  pass quick on $outside_if inet6 proto udp from any to $myhost
>  block drop quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
>  pass quick on $inside_if inet6 proto udp from any to $myhost
> 
> If the fragments generated after processing occurs on the inbound interface are then marked to be skipped then will they therefore not be matched by the drop rule in the example above?
> 
It should be fine. The refragmentation isn’t done until after all of the processing in pf_test6() is done.
Any transformations or filtering pf has to apply is already done then.

In essence all this patch does is make sure we don’t take a second pass through pf with the refragmented packets.


Regards,
Kristof



