> On 06 Apr 2015, at 22:50, Richard Tector <richardtec...@thekeelecentre.com> wrote:
>
> I was just wondering how this affects the case where we might have if-bound rules?
>
> Really basic example:
>
> pass quick on $outside_if inet6 proto udp from any to $myhost
> block drop quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
> pass quick on $inside_if inet6 proto udp from any to $myhost
>
> If the fragments generated after processing occurs on the inbound interface are then marked to be skipped then will they therefore not be matched by the drop rule in the example above?

It should be fine. The refragmentation isn’t done until after all of the processing in pf_test6() is done. Any transformations or filtering pf has to apply is already done then.
In essence all this patch does is make sure we don’t take a second pass through pf with the refragmented packets.

Regards,
Kristof