summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2011-03-25 11:09:39 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2011-03-25 11:09:39 +0000
commit25e007c7a6d4ee41a23327c7b803a1223dcbc6eb (patch)
treec3e4bc020b86358d1aa4e7450285344a2190c94b
parentf8085cb4f10da81f64e6026fe132a9bcbcf50a6a (diff)
Pf can reassemble IPv6 fragments now.
ok jmc@
-rw-r--r--share/man/man5/pf.conf.510
1 files changed, 6 insertions, 4 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index e777c1ffd24..64cdb31deda 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.489 2011/02/01 17:31:47 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.490 2011/03/25 11:09:38 bluhm Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: February 1 2011 $
+.Dd $Mdocdate: March 25 2011 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2322,8 +2322,10 @@ Once this limit is reached, fragments that would have to be cached
are dropped until other entries time out.
The timeout value can also be adjusted.
.Pp
-Currently, only IPv4 fragments are supported and IPv6 fragments
-are blocked unconditionally.
+When forwarding reassembled IPv6 packets, pf refragments them with
+the original maximum fragment size.
+This allows the sender to determine the optimal fragment size by
+path MTU discovery.
.Ss Blocking Spoofed Traffic
Spoofing is the faking of IP addresses,
typically for malicious purposes.