Date: Mon, 12 Nov 2007 16:33:18 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Max Laier <max@love2party.net>
Cc: Dag-Erling Smørgrav <des@des.no>, freebsd-net@freebsd.org
Subject: Re: pf misfeature
Message-ID: <20071112153318.GE28276@insomnia.benzedrine.cx>
In-Reply-To: <200711090059.54990.max@love2party.net>
References: <86zlxoblmj.fsf@ds4.des.no> <200711082259.46222.max@love2party.net> <86fxzgl63d.fsf@ds4.des.no> <200711090059.54990.max@love2party.net>
On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:

> Daniel, do you spot anything strange with these skip steps (or otherwise)?

The problem is the lack of IP reassembly in this configuration.

In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is skipped.

Generally, stateful filtering _requires_ IP reassembly. As long as no fragmentation occurs, it works even without reassembly.

I suspect your UDP NFS traffic is fragmented.

Try adding

  scrub in on $if all fragment reassemble

at the top.

Daniel
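To illustrate the point in Daniel's reply, here is an added pf.conf example (not from the thread) showing a stateful NFS ruleset without reassembly next to the corrected version; the interface macro, network and NFS port are assumed for the example.

```pf
# Constructed for this example: interface and NFS client network are assumptions.
ext_if  = "em0"
nfs_net = "192.0.2.0/24"

# Weak variant (commented out): no scrub, so fragments are never reassembled.
# Only the first fragment carries a TCP/UDP header; in pf_test_fragment() a
# rule with "flags S/SA" is skipped for fragments, and the stateful rules below
# never see a complete datagram once the UDP NFS traffic is fragmented.
#
# block in on $ext_if all
# pass in on $ext_if proto tcp from $nfs_net to any port 2049 flags S/SA keep state
# pass in on $ext_if proto udp from $nfs_net to any port 2049 keep state

# Corrected variant: reassemble inbound fragments before the filter rules run,
# as recommended above, so stateful matching operates on whole packets.
scrub in on $ext_if all fragment reassemble

block in on $ext_if all
pass in on $ext_if proto tcp from $nfs_net to any port 2049 flags S/SA keep state
pass in on $ext_if proto udp from $nfs_net to any port 2049 keep state
pass out on $ext_if all keep state
```

Check the result with `pfctl -s rules` and `pfctl -s info`; a rising fragment counter together with NFS timeouts points at the missing scrub rule.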