svn commit: r190714 - head/sbin/ipfw

Paolo Pisati piso at
Sun Apr 5 08:24:28 PDT 2009

Author: piso
Date: Sun Apr  5 15:24:27 2009
New Revision: 190714

  Improve the reass documentation a bit:
  - document fragment handling sysctls
  - mention some caveats about fragment handling (and how to deal with it)


Modified: head/sbin/ipfw/ipfw.8
--- head/sbin/ipfw/ipfw.8	Sun Apr  5 15:06:02 2009	(r190713)
+++ head/sbin/ipfw/ipfw.8	Sun Apr  5 15:24:27 2009	(r190714)
@@ -873,6 +873,31 @@ If the packet is the last logical fragme
 .Va net.inet.ip.fw.one_pass
 is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates.
 If the packet is a fragment in the middle, it is consumed and processing stops immediately.
+Fragments handling can be tuned via
+.Va net.inet.ip.maxfragpackets
+.Va net.inet.ip.maxfragsperpacket
+which limit, respectively, the maximum number of processable fragments (default: 800) and
+the maximum number of fragments per packet (default: 16).
+NOTA BENE: since fragments don't contain port numbers, beware not to use them whe issuing a
+.Nm reass
+rule. Alternatively, direction-based (like 
+.Nm in
+.Nm out
+) and source-based (like
+.Nm via
+) match patterns can be used to select fragments.
+Usually a simple rule like:
+.Bd -literal -offset indent
+# reassemble incoming fragments
+ipfw add reass all from any to any in
+is all you need at the beginning of your ruleset.
 The body of a rule contains zero or more patterns (such as
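Review bot: the `.Bd -literal -offset indent` block opened before `# reassemble incoming fragments` is never closed, so the sentence `is all you need at the beginning of your ruleset.` and everything after it (including the unchanged `The body of a rule contains zero or more patterns` paragraph) will render inside the literal display; add an `.Ed` line directly after `ipfw add reass all from any to any in`. Two smaller points in the same hunk: the two sysctl names are listed on consecutive `.Va` lines with no conjunction or punctuation between them, so they run together in the output (put `and` between `.Va net.inet.ip.maxfragpackets` and `.Va net.inet.ip.maxfragsperpacket`), and `whe issuing` should read `when issuing`. The caveat sentence would also be clearer if it named what not to use, e.g. "since fragments do not carry port numbers, do not match on ports in a reass rule", and `via` is an interface-based match rather than a source-based one, so "interface-based (like .Nm via)" would describe it more accurately.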
