Hi,

The no-df flag can be specified in the "set reassemble" option or a "scrub" rule. From looking at the source, I don't think "scrub (no-df)" does what the man page says it does. To reassemble fragmented packets with the DF flag set, one has to use the "set reassemble yes no-df" option. By the time any scrub rules are applied, the packet is already reassembled, so "scrub (no-df)" simply clears the DF flag for all _complete_ packets (pf_scrub in sys/net/pf_norm.c).

I don't see how this fixes problems with fragmented NFS packets, and I suspect that this breaks legitimate uses of DF, such as MTU discovery. Is the documentation wrong (possibly from before OpenBSD 4.6, when scrub was a separate option) or am I misinterpreting the code?

- Max