summaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
authorMike Frantzen <frantzen@cvs.openbsd.org>2003-03-09 22:02:46 +0000
committerMike Frantzen <frantzen@cvs.openbsd.org>2003-03-09 22:02:46 +0000
commitf5d4382e58dc1b8ee5c2a075da1d82857c5d6590 (patch)
treed8de17dfd57eedd4efc8561969c42ec45f3208b6 /share
parentfceee9e0821bac5eb436deb41e08c2d157b25ef4 (diff)
- document that scrub 'no-df' is sometimes necessary for "certain" OS's NFS
- suggest 'random-id' with 'no-df' since "certain" OSes set ip->ip_id to zero ok deraadt@ henning@
Diffstat (limited to 'share')
-rw-r--r--share/man/man5/pf.conf.524
1 files changed, 23 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index c58b0d752a9..907f9c716b2 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.209 2003/03/06 04:03:40 david Exp $
+.\" $OpenBSD: pf.conf.5,v 1.210 2003/03/09 22:02:45 frantzen Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -446,6 +446,28 @@ has the following options:
Clears the
.Ar dont-fragment
bit from a matching ip packet.
+Some operating systems are known to generate fragmented packets with the
+.Ar dont-fragment
+bit set. This is particularly true with NFS.
+.Ar Scrub
+will drop such fragmented
+.Ar dont-fragment
+packets unless
+.Ar no-df
+is specified.
+.Pp
+Unfortunately some operating systems also generate their
+.Ar dont-fragment
+packets that all contain a zero IP identification field.
+Clearing the
+.Ar dont-fragment
+bit on packets with a zero IP ID may cause deleterious results if an
+upstream router later fragments the packet.
+Using the below mentioned
+.Ar random-id
+modifier is recommended in combination with the
+.Ar no-df
+modifier to insure unique IP identifiers.
.It Ar min-ttl <number>
Enforces a minimum ttl for matching ip packets.
.It Ar max-mss <number>