Hello,
On Wed, Nov 22, 2017 at 01:45:39PM +0100, Alexander Bluhm wrote:
> On Wed, Nov 22, 2017 at 09:49:06AM +0100, Alexandr Nedvedicky wrote:
> > > /* if reassembled packet passed, create new fragments */
> > > - if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD) {
> > > + if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD &&
> > > + pd.af == AF_INET6) {
> > > struct m_tag *mtag;
> > >
> > > if ((mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)))
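Review bot: the comment at the top of this hunk still reads "if reassembled packet passed, create new fragments", but with the added `pd.af == AF_INET6` test the block now runs only for forwarded IPv6 packets. Suggest extending the comment to state that restriction and the reason for it (IPv4 fragmentation is left to ip_output()), so a later reader does not take the address-family check for an oversight or drop it during cleanup.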
> >
> > I wonder whether the test 'fwdir == PF_FWD' is correct. I need to think more
> > about what happens to reassembled packets in the PF_OUT direction. I suggest
> > dealing with it in a separate thread.
>
> IPv6 routers are not allowed to fragment. We have end to end path
> MTU discovery. As pf analyzes reassembled packets, we have to
> fragment them to the same size after forwarding. This is only done
> for IPv6 to preserve PMTU.
>
> For non-forwarded outgoing packets we use the regular fragment code
> in ip6_output(). ip_output() will handle all IPv4 fragments.

Thank you for putting my feet back on the ground. Now I see it, the
local outbound packets are inspected by pf_test() first and then get
fragmented.

regards
sasha