Re: npf questions

To: netbsd-users%netbsd.org@localhost
Subject: Re: npf questions
From: Paul Ripke <stix%stix.id.au@localhost>
Date: Tue, 15 Dec 2020 10:57:59 +1100

On Tue, Dec 01, 2020 at 09:37:05AM -0500, Greg Troxel wrote:
> * fragments
> 
> The documentation says npf reassembles fragments.  That makes sense,
> because that way rules can be applied to the whole packet, and fragments
> can't be used to bypass the filter.
> 
> One of my systems is logging IPv6 multicast mdns fragments as blocked,
> even though that's allowed.  It seems that with the plan of fragments
> being reassembled, those should have been reassembled and then had rules
> applied.
> 
> Does the fragment reassembly work for broadcast/multicast IPv6?

I note that this behaviour has changed; in netbsd-9.1, reassembly
appears off by default, controlled by a pair of bools, see
npf-params(7).

(I recently spent too long figuring this out, which was breaking
inbound SIP for me).

-- 
Paul Ripke
"Great minds discuss ideas, average minds discuss events, small minds
 discuss people."
-- Disputed: Often attributed to Eleanor Roosevelt. 1948.

References:
- npf questions
  - From: Greg Troxel

Prev by Date: Build problem with NetBSD 9_Stable amd64 (tools/nbmakestrs?)
Next by Date: Re: Build problem with NetBSD 9_Stable amd64 (tools/nbmakestrs?)
Previous by Thread: Re: npf questions
Next by Thread: FYI, ansible will support NetBSD OS family config, starting from ansible v2.11
Indexes:

Home | Main Index | Thread Index | Old Index