[Bug 276856] pf no longer re-assembles fragments by default

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276856

            Bug ID: 276856
           Summary: pf no longer re-assembles fragments by default
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: mgrooms@shrew.net

At some point pf on FreeBSD switched the default behavior for this option so I
had since removed it from the config of several of firewalls ...

     fragment reassemble
           Using scrub rules, fragments can be reassembled by normalization.
           In this case, fragments are buffered until they form a complete
           packet, and only the completed packet is passed on to the filter.
           The advantage is that filter rules have to deal only with complete
           packets, and can ignore fragments.  The drawback of caching
           fragments is the additional memory cost.  This is the default
           behaviour unless no fragment reassemble is specified.

     no fragment reassemble
           Do not reassemble fragments.

However, while building a firewall using 14-RELEASE, I realized that fragmented
IPsec ESP packets were not being re-assembled for processing by pf. After
adding this line back into my pf.conf file and reloading, the traffic started
flowing as expected ...

scrub fragment reassemble

My guess is that either the default behavior was reverted unintentionally or
the the man page was never modified to match the new-new (old) behavior. Either
way, it's very misleading.

-- 
You are receiving this mail because:
You are the assignee for the bug.