| field | value | date |
|---|---|---|
| author | kp <kp@FreeBSD.org> | 2015-08-27 21:27:47 +0000 |
| committer | kp <kp@FreeBSD.org> | 2015-08-27 21:27:47 +0000 |
| commit | 2a1a59d8e1c46cc8561f02b5a184abab46e3b7d4 (patch) | |
| tree | 9ba100542f23930b13f3b6387f6c00d2bd5f2016 /share/man/man5/pf.conf.5 | |
| parent | c7248d07606bf4db17d97f155ab15f66110f0fda (diff) | |
pf: Remove support for 'scrub fragment crop|drop-ovl'
The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
users into making poor choices.
It's also a fairly large amount of complex code, so just remove the support
altogether.
Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
implicitly converted to 'scrub fragment reassemble'.
Reviewed by: gnn, eri
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D3466
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r-- | share/man/man5/pf.conf.5 | 30 |
1 files changed, 1 insertions, 29 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 02cd341..2d74a8d 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -666,33 +666,6 @@ packet, and only the completed packet is passed on to the filter. The advantage is that filter rules have to deal only with complete packets, and can ignore fragments. The drawback of caching fragments is the additional memory cost. -But the full reassembly method is the only method that currently works -with NAT. -This is the default behavior of a -.Ar scrub -rule if no fragmentation modifier is supplied. -.It Ar fragment crop -The default fragment reassembly method is expensive, hence the option -to crop is provided. -In this case, -.Xr pf 4 -will track the fragments and cache a small range descriptor. -Duplicate fragments are dropped and overlaps are cropped. -Thus data will only occur once on the wire with ambiguities resolving to -the first occurrence. -Unlike the -.Ar fragment reassemble -modifier, fragments are not buffered, they are passed as soon as they -are received. -The -.Ar fragment crop -reassembly mechanism does not yet work with NAT. -.It Ar fragment drop-ovl -This option is similar to the -.Ar fragment crop -modifier except that all overlapping or duplicate fragments will be -dropped, and all further corresponding fragments will be -dropped as well. .It Ar reassemble tcp Statefully normalizes TCP connections. .Ar scrub reassemble tcp @@ -2987,8 +2960,7 @@ state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" | "overload" "\*(Lt" string "\*(Gt" [ "flush" ] | "if-bound" | "floating" ) -fragmentation = [ "fragment reassemble" | "fragment crop" | - "fragment drop-ovl" ] +fragmentation = [ "fragment reassemble" ] timeout-list = timeout [ [ "," ] timeout-list ] timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | |
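Review bot: the first hunk (at -666) removes more than the crop/drop-ovl text: it also drops "This is the default behavior of a .Ar scrub rule if no fragmentation modifier is supplied." Since the grammar hunk still makes the modifier optional (`fragmentation = [ "fragment reassemble" ]`), the man page should continue to say what a bare scrub rule does; keep those three lines under the `fragment reassemble` item and remove only the NAT comparison and the two obsolete items.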
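Review bot: the second hunk (at -2987) tightens the grammar correctly, but the commit message says existing `fragment crop` and `fragment drop-ovl` rules are implicitly converted to `fragment reassemble`, and nothing in the manual page now records that. If pfctl still accepts the old keywords, add a sentence next to the `fragment reassemble` item (or in the COMPATIBILITY / HISTORY material) stating that the former modifiers are accepted and treated as `reassemble`, so a user reading the grammar is not surprised when an old ruleset loads without error.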