From 268bcc476d57b2b9617025eb6e3df88d03877431 Mon Sep 17 00:00:00 2001 From: Philipp Buehler Date: Wed, 11 Jun 2003 17:03:10 +0000 Subject: document that it is unsupported to use return-rst/icmp or synproxy on bridging firewalls henning@ ok, spelling fixes from jmc@ --- share/man/man4/bridge.4 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'share/man/man4') diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4 index 4480515699a..08c65045a39 100644 --- a/share/man/man4/bridge.4 +++ b/share/man/man4/bridge.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bridge.4,v 1.50 2003/06/06 10:29:41 jmc Exp $ +.\" $OpenBSD: bridge.4,v 1.51 2003/06/11 17:03:09 pb Exp $ .\" .\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net) .\" All rights reserved. @@ -584,6 +584,16 @@ and destination addresses reversed between interfaces, two state entries (one for each direction) are required when all interfaces are filtered statefully. .Pp +It is unsupported to use filter rules which would generate packets. +This applies to rules with +.Ar return , +.Ar return-rst , +.Ar return-icmp , +.Ar return-icmp6 +or +.Ar synproxy +defined. +.Pp If an IP packet is too large for the outgoing interface the bridge will perform IP fragmentation. This can happen when bridge members -- cgit v1.2.3
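Review bot: In the @@ -584,6 +584,16 @@ hunk, the new paragraph says that filter rules which would generate packets are unsupported on a bridge, but it does not say what happens when such a rule is loaded, so an administrator cannot tell whether the rule is rejected, behaves like a silent drop, or misbehaves. Add a sentence stating the resulting behaviour and the reason for the restriction. Two smaller points in the same paragraph: `.Ar` marks command arguments, while `return`, `return-rst`, `return-icmp`, `return-icmp6` and `synproxy` are filter-rule keywords, so a keyword macro such as `.Cm` would fit better, and a `.Xr pf.conf 5` reference would tell the reader where these options are defined. The subject line names only return-rst/icmp and synproxy while the added text also covers `return` and `return-icmp6`; the text is the more complete list, so the commit message could match it.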