author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-03-09 22:02:46 +0000 |
---|---|---|
committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-03-09 22:02:46 +0000 |
commit | f5d4382e58dc1b8ee5c2a075da1d82857c5d6590 (patch) | |
tree | d8de17dfd57eedd4efc8561969c42ec45f3208b6 /share | |
parent | fceee9e0821bac5eb436deb41e08c2d157b25ef4 (diff) |
- document that scrub 'no-df' is sometimes necessary for "certain" OS's NFS
- suggest 'random-id' with 'no-df' since "certain" OSes set ip->ip_id to zero
ok deraadt@ henning@
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index c58b0d752a9..907f9c716b2 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.209 2003/03/06 04:03:40 david Exp $ +.\" $OpenBSD: pf.conf.5,v 1.210 2003/03/09 22:02:45 frantzen Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -446,6 +446,28 @@ has the following options: Clears the .Ar dont-fragment bit from a matching ip packet. +Some operating systems are known to generate fragmented packets with the +.Ar dont-fragment +bit set. This is particularly true with NFS. +.Ar Scrub +will drop such fragmented +.Ar dont-fragment +packets unless +.Ar no-df +is specified. +.Pp +Unfortunately some operating systems also generate their +.Ar dont-fragment +packets that all contain a zero IP identification field. +Clearing the +.Ar dont-fragment +bit on packets with a zero IP ID may cause deleterious results if an +upstream router later fragments the packet. +Using the below mentioned +.Ar random-id +modifier is recommended in combination with the +.Ar no-df +modifier to insure unique IP identifiers. .It Ar min-ttl <number> Enforces a minimum ttl for matching ip packets. .It Ar max-mss <number> |
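Review bot: In the second hunk, the new paragraph about zero IP identification fields leaves the consequence vague ("may cause deleterious results"); say what actually goes wrong: once no-df clears the bit and an upstream router fragments several such packets, every fragment carries IP ID 0 for the same source, destination and protocol, so the receiver's reassembly can combine fragments from different datagrams, yielding corrupt data or discarded packets, which is exactly why random-id is being recommended alongside no-df. Two wording points in the same hunk: "to insure unique IP identifiers" should read "to ensure unique IP identifiers", and "generate their .Ar dont-fragment packets that all contain a zero IP identification field" reads awkwardly; suggest "set the IP identification field of all their .Ar dont-fragment packets to zero".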