[Bug 276856] pf no longer re-assembles fragments by default

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 07 Feb 2024 23:37:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276856

--- Comment #4 from Michal Scigocki <michal.os@hotmail.com> ---
(In reply to mgrooms from comment #3)
What version of FreeBSD were you using where the default behaviour worked with
your IPSec flows?

And before you added the "scrub fragment reassemble" config, did you have any
"scrub" statements in the config, or no "scrub" config statements?

(In reply to Kajetan Staszkiewicz from comment #2)
For FreeBSD 14.0, I think using "scrub" rules may be a work-around to a broader
issue. I think pf in 14.0 is not processing fragmented packets correctly.

I tried another test, using an empty pf.conf (default pass rule). While
monitoring the network interface with tcpdump, I sent a large ping (2000 data
bytes, so it will fragment). With pf running, the ping REQUEST is captured on
the interface, but the host does not REPLY. If I repeat this with pf stopped, I
get both REQUEST and REPLY.

If I do the same test on 13.2 and 15.0, I get both REQUEST and REPLY with pf
running. 14.0 is doing something different with the fragmented packets.

-- 
You are receiving this mail because:
You are the assignee for the bug.
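The fragmented-ping comparison described in the comment above, written out as a reproducer script. This is an added example, not a script from the bug report or from the FreeBSD project: it runs on the pf host, toggles pf with pfctl, captures on the interface with tcpdump while sending a 2000-data-byte ping, and counts ICMP echo requests and replies seen on the wire. The interface name, the peer address, and the `IFACE`/`TARGET` variables are placeholders; the sample tcpdump lines used to exercise the counting helper are constructed.

```shell
#!/bin/sh
# Added reproducer for the pf fragment-handling comparison (not from the bug
# report). Run as root on the pf host: sh repro.sh run
# IFACE and TARGET are hypothetical placeholders; adjust for your network.

# count_icmp: read `tcpdump -n` output on stdin and print "<requests> <replies>".
# Only the first fragment carries the ICMP header, so later fragments show up
# as "ip-proto-1" lines and are deliberately not counted.
count_icmp() {
    awk '
        /ICMP echo request/ { req++ }
        /ICMP echo reply/   { rep++ }
        END { printf "%d %d\n", req + 0, rep + 0 }
    '
}

# run_trial IFACE TARGET [COUNT]: capture on IFACE while pinging TARGET with
# 2000 data bytes (larger than a 1500-byte MTU, so the echo fragments).
# Prints "<requests> <replies> ping_exit=<status>".
run_trial() {
    iface=$1; target=$2; count=${3:-3}
    capfile=$(mktemp)
    # "icmp" matches on the IP protocol field, so every fragment is captured.
    tcpdump -lni "$iface" icmp > "$capfile" 2>/dev/null &
    tdpid=$!
    sleep 1                                   # let tcpdump attach first
    ping -c "$count" -s 2000 "$target" >/dev/null 2>&1
    pstatus=$?
    sleep 1                                   # drain late replies
    kill "$tdpid" 2>/dev/null; wait "$tdpid" 2>/dev/null
    printf '%s ping_exit=%s\n' "$(count_icmp < "$capfile")" "$pstatus"
    rm -f "$capfile"
}

# main: same trial with pf enabled and with pf disabled, for side-by-side
# comparison of what reaches the wire and whether ping got its replies.
main() {
    iface=${IFACE:-em0}; target=${TARGET:-192.0.2.1}   # placeholders
    pfctl -e >/dev/null 2>&1
    echo "pf enabled:  $(run_trial "$iface" "$target")"
    pfctl -d >/dev/null 2>&1
    echo "pf disabled: $(run_trial "$iface" "$target")"
}

# Only act when explicitly asked, so the functions can be sourced safely.
case "${1:-}" in
    run) main ;;
esac
```

Because tcpdump attaches to the interface below pf, an inbound fragment that pf later drops still appears in the capture; the useful signal is therefore the reply count together with ping's own exit status, compared between the two runs. To reproduce the comment's exact direction (pinging the pf host from a peer), run the ping on the peer and use only the capture and `count_icmp` half on the pf host.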