Date:      Sun, 5 Apr 2009 15:24:27 +0000 (UTC)
From:      Paolo Pisati <piso@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r190714 - head/sbin/ipfw
Message-ID:  <200904051524.n35FORM8021539@svn.freebsd.org>

Author: piso
Date: Sun Apr  5 15:24:27 2009
New Revision: 190714
URL: http://svn.freebsd.org/changeset/base/190714

Log:
  Improve the reass documentation a bit:
  
  -document fragment handling sysctls
  -mention some caveats about fragment handling (and how to deal with them)

Modified:
  head/sbin/ipfw/ipfw.8

Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8	Sun Apr  5 15:06:02 2009	(r190713)
+++ head/sbin/ipfw/ipfw.8	Sun Apr  5 15:24:27 2009	(r190714)
@@ -873,6 +873,31 @@ If the packet is the last logical fragme
 .Va net.inet.ip.fw.one_pass
 is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates.
 If the packet is a fragment in the middle, it is consumed and processing stops immediately.
+.Pp
+Fragments handling can be tuned via
+.Va net.inet.ip.maxfragpackets
+and
+.Va net.inet.ip.maxfragsperpacket
+which limit, respectively, the maximum number of processable fragments (default: 800) and
+the maximum number of fragments per packet (default: 16).
+.Pp
+NOTA BENE: since fragments don't contain port numbers, beware not to use them whe issuing a
+.Nm reass
+rule. Alternatively, direction-based (like 
+.Nm in
+/
+.Nm out
+) and source-based (like
+.Nm via
+) match patterns can be used to select fragments.
+.Pp
+Usually a simple rule like:
+.Bd -literal -offset indent
+# reassemble incoming fragments
+ipfw add reass all from any to any in
+.Ed
+.Pp
+is all you need at the beginning of your ruleset.
 .El
 .Ss RULE BODY
 The body of a rule contains zero or more patterns (such as
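Review bot: the "NOTA BENE" paragraph has a typo ("whe" should be "when") and, more importantly, the mdoc markup around it misuses .Nm: .Nm is the utility name (ipfw), while "reass", "in", "out" and "via" are rule keywords and should be marked with .Cm, and the bare "/" on its own line plus the trailing space after "(like " will render oddly. Suggested rewording of that sentence: "Since fragments do not carry port numbers, a .Cm reass rule that matches on ports will never see them; use direction-based (.Cm in / .Cm out) or interface-based (.Cm via) patterns instead." Two smaller points: "Fragments handling" should read "Fragment handling" in both places, and the defaults quoted for net.inet.ip.maxfragpackets (800) and net.inet.ip.maxfragsperpacket (16) are copied into the manual page and will silently drift if the kernel defaults change, so consider pointing readers at sysctl(8) for the current values rather than hardcoding them, or at least noting that they are the defaults at the time of writing.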