diff options
author | piso <piso@FreeBSD.org> | 2009-04-05 15:24:27 +0000 |
---|---|---|
committer | piso <piso@FreeBSD.org> | 2009-04-05 15:24:27 +0000 |
commit | 30d15f06f1df7487f207c55cacbc1ea43eb39559 (patch) | |
tree | 448582a9db3688ce16a6a9187475365930ad70a0 | |
parent | bf0cde780f6b8e0ccb209add2d686963706d9e78 (diff) | |
download | FreeBSD-src-30d15f06f1df7487f207c55cacbc1ea43eb39559.zip FreeBSD-src-30d15f06f1df7487f207c55cacbc1ea43eb39559.tar.gz |
Improve a bit reass documentation:
-document fragment handling sysctls
-mention some caveats about fragments handling (and to deal with it)
-rw-r--r-- | sbin/ipfw/ipfw.8 | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 4cc2f9e..ecf709b 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -873,6 +873,31 @@ If the packet is the last logical fragment, the packet is reassembled and, if .Va net.inet.ip.fw.one_pass is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates. If the packet is a fragment in the middle, it is consumed and processing stops immediately. +.Pp +Fragments handling can be tuned via +.Va net.inet.ip.maxfragpackets +and +.Va net.inet.ip.maxfragsperpacket +which limit, respectively, the maximum number of processable fragments (default: 800) and +the maximum number of fragments per packet (default: 16). +.Pp +NOTA BENE: since fragments don't contain port numbers, beware not to use them whe issuing a +.Nm reass +rule. Alternatively, direction-based (like +.Nm in +/ +.Nm out +) and source-based (like +.Nm via +) match patterns can be used to select fragments. +.Pp +Usually a simple rule like: +.Bd -literal -offset indent +# reassemble incoming fragments +ipfw add reass all from any to any in +.Ed +.Pp +is all you need at the beginning of your ruleset. .El .Ss RULE BODY The body of a rule contains zero or more patterns (such as |