summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpiso <piso@FreeBSD.org>2009-04-05 15:24:27 +0000
committerpiso <piso@FreeBSD.org>2009-04-05 15:24:27 +0000
commit30d15f06f1df7487f207c55cacbc1ea43eb39559 (patch)
tree448582a9db3688ce16a6a9187475365930ad70a0
parentbf0cde780f6b8e0ccb209add2d686963706d9e78 (diff)
downloadFreeBSD-src-30d15f06f1df7487f207c55cacbc1ea43eb39559.zip
FreeBSD-src-30d15f06f1df7487f207c55cacbc1ea43eb39559.tar.gz
Improve a bit reass documentation:
-document fragment handling sysctls -mention some caveats about fragments handling (and to deal with it)
-rw-r--r--sbin/ipfw/ipfw.825
1 files changed, 25 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 4cc2f9e..ecf709b 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -873,6 +873,31 @@ If the packet is the last logical fragment, the packet is reassembled and, if
.Va net.inet.ip.fw.one_pass
is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates.
If the packet is a fragment in the middle, it is consumed and processing stops immediately.
+.Pp
+Fragments handling can be tuned via
+.Va net.inet.ip.maxfragpackets
+and
+.Va net.inet.ip.maxfragsperpacket
+which limit, respectively, the maximum number of processable fragments (default: 800) and
+the maximum number of fragments per packet (default: 16).
+.Pp
+NOTA BENE: since fragments don't contain port numbers, beware not to use them whe issuing a
+.Nm reass
+rule. Alternatively, direction-based (like
+.Nm in
+/
+.Nm out
+) and source-based (like
+.Nm via
+) match patterns can be used to select fragments.
+.Pp
+Usually a simple rule like:
+.Bd -literal -offset indent
+# reassemble incoming fragments
+ipfw add reass all from any to any in
+.Ed
+.Pp
+is all you need at the beginning of your ruleset.
.El
.Ss RULE BODY
The body of a rule contains zero or more patterns (such as
OpenPOWER on IntegriCloud