On Wed, Nov 22, 2017 at 09:49:06AM +0100, Alexandr Nedvedicky wrote:
> > /* if reassembled packet passed, create new fragments */
> > - if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD) {
> > + if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD &&
> > + pd.af == AF_INET6) {
> > struct m_tag *mtag;
> >
> > if ((mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)))
>
> I wonder whether the test 'fwdir == PF_FWD' is correct. I need to think more
> about what happens to reassembled packets in PF_OUT direction. I suggest to
> deal with it in separate thread.
IPv6 routers are not allowed to fragment. We have end to end path
MTU discovery. As pf analyzes reassembled packets, we have to
fragment them to the same size after forwarding. This is only done
for IPv6 to preserve PMTU.
For non-forwarded outgoing packets we use the regular fragment code
in ip6_output(). ip_output() will handle all IPv4 fragments.
bluhm
