* Maxim Khitrov <m...@mxcrypt.com> [2013-07-25 17:29]:
> To reassemble fragmented packets with the DF flag set, one has to use
> "set reassemble yes no-df" option.

correct.

> By the time any scrub rules are applied, the packet is already
> reassembled

not necessarily - one can turn reassembly off.

> so "scrub (no-df)" simply clears the DF flag for all _complete_
> packets (pf_scrub in sys/net/pf_norm.c).

pretty much.

> I don't see how this fixes problems with fragmented NFS packets, and I
> suspect that this breaks legitimate uses of DF, such as MTU discovery.

well, no-df kinda "breaks" PMTUD by definition; the pf host then
reassembles anyway.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/