From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 276856] pf no longer re-assembles fragments by default
Date: Tue, 06 Feb 2024 20:48:15 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276856

            Bug ID: 276856
           Summary: pf no longer re-assembles fragments by default
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: mgrooms@shrew.net

At some point pf on FreeBSD switched the default behavior for this option so I
had since removed it from the config of several firewalls ...

     fragment reassemble
           Using scrub rules, fragments can be reassembled by normalization.
           In this case, fragments are buffered until they form a complete
           packet, and only the completed packet is passed on to the filter.
           The advantage is that filter rules have to deal only with complete
           packets, and can ignore fragments.  The drawback of caching
           fragments is the additional memory cost.  This is the default
           behaviour unless no fragment reassemble is specified.

     no fragment reassemble
           Do not reassemble fragments.

However, while building a firewall using 14-RELEASE, I realized that fragmented
IPsec ESP packets were not being re-assembled for processing by pf. After
adding this line back into my pf.conf file and reloading, the traffic started
flowing as expected ...

scrub fragment reassemble

My guess is that either the default behavior was reverted unintentionally or
the man page was never modified to match the new-new (old) behavior. Either
way, it's very misleading.
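
An added example, not part of the original report: a small shell check that tells whether a pf.conf states fragment reassembly explicitly or leaves it to the default, which is the situation the report describes. It recognizes only the two scrub options quoted above; the function name, the status words and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Classify how a pf.conf-style file handles fragment reassembly.
# Prints one of:
#   explicit-on   a scrub rule carries "fragment reassemble"
#   explicit-off  a scrub rule carries "no fragment reassemble"
#   mixed         both forms appear in different scrub rules
#   implicit      no scrub rule names either option (relies on the default)
# Limitation: "#" inside a quoted string is treated as a comment start.
pf_reassembly_status() {
    # $1 = path to the config file to inspect
    awk '
        { sub(/#.*/, "") }                        # drop comments
        /\\[ \t]*$/ {                             # join "\" continuation lines
            sub(/\\[ \t]*$/, "")
            buf = buf $0 " "
            next
        }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*scrub([ \t]|$)/ {
            if (line ~ /(^|[ \t])no[ \t]+fragment[ \t]+reassemble([ \t]|$)/)
                off = 1
            else if (line ~ /(^|[ \t])fragment[ \t]+reassemble([ \t]|$)/)
                on = 1
        }
        END {
            if (on && off) print "mixed"
            else if (on)   print "explicit-on"
            else if (off)  print "explicit-off"
            else           print "implicit"
        }
    ' "$1"
}

# Demo on a constructed config (not a real firewall's rule set): ESP is
# passed, but nothing says whether fragments are reassembled first.
demo=$(mktemp)
printf 'ext_if = "em0"\npass in on $ext_if proto esp\n' > "$demo"
echo "constructed sample: $(pf_reassembly_status "$demo")"
rm -f "$demo"
```

A result of `implicit` marks a rule set whose behaviour depends on which default the running release actually implements.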