pf: Update documentation regarding matching, scrubbing and reassembly
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Oct 17 2023, 6:35 PM.

Details

Reviewers

Commits

rG5ed470bdb9da: pf: Update documentation regarding matching, scrubbing and reassembly

Summary

Update pf documentation:

default behaviour of fragment reassembly
introduction of scrub option for filter rules
disadvantages of using the old scrub ruleset
options supported for match rules
fix missing list block end
remove duplicate description of match filter rule
update example to modern syntax

Sponsored by: InnoGames GmbH
Fragments obtained from: OpenBSD

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net created this revision.Oct 17 2023, 6:35 PM

Herald added a subscriber: imp. · View Herald TranscriptOct 17 2023, 6:35 PM

vegeta_tuxpowered.net requested review of this revision.Oct 17 2023, 6:35 PM

Update man page's date.

Yay, documentation! The best kind, written by someone else :)

share/man/man5/pf.conf.5
491	We say that 'yes' is default twice. Once should be enough. I'm also not entirely clear on where we set this default. I can't find it in pfctl or the kernel.
785	spoofed traffic?
958	That's probably better as two separate sentences. (I.e. "This means excessive usage of them will cause performance a penalty. scrub reassemble tcp rules must not have the direction (in/out) specified."
3049	Normalize or reassemble?

vegeta_tuxpowered.net marked 4 inline comments as done.Oct 18 2023, 11:39 AM

vegeta_tuxpowered.net added inline comments.

share/man/man5/pf.conf.5

491

You are right, I thought I've imported it from OpenBSD with the same defaults, but I did not:

pf_ioctl.c:

	/*
	 * XXX This is different than in OpenBSD where reassembly is enabled by
	 * defult. In FreeBSD we expect people to still use scrub rules and
	 * switch to the new syntax later. Only when they switch they must
	 * explicitly enable reassemle. We could change the default once the
	 * scrub rule functionality is hopefully removed some day in future.
	 */
	V_pf_status.reass = 0;

I'll update the documentation.

785

That is the part imported from OpenBSD, I'll fix it nevertheless.

vegeta_tuxpowered.net updated this revision to Diff 128981.Oct 18 2023, 11:41 AM

vegeta_tuxpowered.net marked 2 inline comments as done.

Thank you! I think the project insists that the documentation be in American English:

🇬🇧	🇺🇸
normalisation	normalization
sanitising	sanitizing
behaviour	behavior

In D42270#964457, @jlduran_gmail.com wrote:

Thank you! I think the project insists that the documentation be in American English:

🇬🇧 🇺🇸

normalisation normalization

sanitising sanitizing

behaviour behavior

That does not appear to be the case for this man page. There are 7 instances of 'behaviour' already in the man page. On the other hand, there is also 'NORMALIZATION', so I'll fix that one before I commit this.

I'm a little torn on the others. For this commit I'm not going to change them, but it might be good to do a consistency pass on the entire man page. On the other hand, sticking closer to upstream is also not a bad thing. (Upstream appears to prefer UK English spelling for the man page, but then uses 'optimization' in the actual pf keyword.)

This revision was not accepted when it landed; it landed in state Needs Review.Oct 19 2023, 8:52 AM

Closed by commit rG5ed470bdb9da: pf: Update documentation regarding matching, scrubbing and reassembly (authored by vegeta_tuxpowered.net, committed by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rG5ed470bdb9da: pf: Update documentation regarding matching, scrubbing and reassembly.

des mentioned this in rG9f3032b76b3c: pf tests: Add option to send fragmented packets.Wed, Apr 24, 10:13 PM