svn commit: r281164 - head/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Mon Apr 6 21:17:01 UTC 2015
> On 06 Apr 2015, at 22:50, Richard Tector <richardtector at thekeelecentre.com> wrote:
>
> I was just wondering how this affects the case where we might have if-bound rules?
>
> Really basic example:
>
> pass quick on $outside_if inet6 proto udp from any to $myhost
> block drop quick on $inside_if inet6 proto udp from any to $myhost port $secret_svc
> pass quick on $inside_if inet6 proto udp from any to $myhost
>
> If the fragments generated after processing occurs on the inbound interface are then marked to be skipped, will they therefore not be matched by the drop rule in the example above?
>
It should be fine. The refragmentation isn’t done until after all of the processing in pf_test6() is done.
Any transformations or filtering pf has to apply is already done then.
In essence all this patch does is make sure we don’t take a second pass through pf with the refragmented packets.
Regards,
Kristof