[Bug 276856] pf no longer re-assembles fragments by default
Date: Wed, 07 Feb 2024 10:01:20 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276856
Kajetan Staszkiewicz <vegeta@tuxpowered.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |vegeta@tuxpowered.net
--- Comment #2 from Kajetan Staszkiewicz <vegeta@tuxpowered.net> ---
You might want to consider using the new OpenBSD-compatible syntax. Instead of
using scrub rules, which are evaluated statelessly for each packet, you can
enable fragment reassembly with a single "set reassemble yes" option at the top
of pf.conf.

There have been some updates to the man page to better describe the behaviour
change; I don't think they got to FreeBSD 14.0, though.

You are right, though, about the behaviour change. The problem is that if scrub
rules are not present, the new syntax is in charge, and for this syntax the
default is to not perform reassembly. The comment in the code is quite clear on
the logic behind it: we expect people to still have the old style scrub rules in
place.

I've just missed the fact that scrub rules reassemble packets even when they
are not present (Do they? I need to check that; I never relied on packet
reassembly in my systems.)

I'll talk with kp@ about how to address it.
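An added example, not part of the bug report or of pf itself: a small pre-upgrade check that classifies a ruleset by the logic described in comment #2 (scrub rules present, "set reassemble yes" present, or neither, in which case the new default of no reassembly applies). The function names and sample rulesets are constructed for illustration; the parser is line-based and assumes no includes, macros or line continuations affect these two directives.

```sh
#!/bin/sh
# Classify how a pf ruleset (read from stdin) requests fragment reassembly.
# Prints one of:
#   scrub          - old-style scrub rules present (old syntax in charge)
#   set-reassemble - no scrub rules, but "set reassemble yes" is present
#   none           - neither; per the comment above, no reassembly is done
# Simplification: "no scrub" lines are not counted as scrub rules.
pf_reassembly_mode() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "scrub" { scrub = 1 }
        $1 == "set" && $2 == "reassemble" && $3 == "yes" { set_yes = 1 }
        END {
            if (scrub)        print "scrub"
            else if (set_yes) print "set-reassemble"
            else              print "none"
        }'
}

# Exit status 0 if the ruleset on stdin asks for reassembly in either syntax.
reassembly_configured() {
    [ "$(pf_reassembly_mode)" != "none" ]
}

# Constructed sample rulesets (not taken from the bug report).
OLD_STYLE='scrub in all fragment reassemble
pass in all'
NEW_STYLE='set reassemble yes
pass in all'
NEITHER='# set reassemble yes   (commented out, so it does not count)
set skip on lo0
pass in all'

for name in OLD_STYLE NEW_STYLE NEITHER; do
    eval "text=\$$name"
    printf '%-10s -> %s\n' "$name" "$(printf '%s\n' "$text" | pf_reassembly_mode)"
done

# On a real host: pf_reassembly_mode < /etc/pf.conf
```

A result of `none` marks a ruleset that relied on the old implicit behaviour and needs either a scrub rule or "set reassemble yes" added.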