pf: allow scrub rules without fragment reassemble
ClosedPublic
Actions

Authored by kp on Nov 22 2022, 3:27 PM.

Details

Reviewers

None

Group Reviewers

network
pfsense

Commits

rG57e047e51c6d: pf: allow scrub rules without fragment reassemble

Summary

scrub rules have defaulted to handling fragments for a long time, but
since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611
this has become less obvious and more expensive ("reassemble" being the
more expensive option, even if it's the one the vast majority of users
should be using).

Extent the 'scrub' syntax to allow fragment reassembly to be disabled,
while retaining the other scrub behaviour (e.g. TTL changes, random-id,
..) using 'scrub fragment no reassemble'.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Nov 22 2022, 3:27 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptNov 22 2022, 3:27 PM

kp requested review of this revision.Nov 22 2022, 3:27 PM

Harbormaster completed remote builds in B48447: Diff 113406.Nov 22 2022, 3:27 PM

kp added a child revision: D37460: pf: drop support for fragment crop|drop-ovl.Nov 22 2022, 3:28 PM

that seems like a POLA violation which will go unnoticed

how about instead requiring a policy? people will complain about configs which no longer autoload, but that's better than behavior changing without easily visible side effects.

that's assuming the change is worth it to begin with

In D37459#851798, @mjg wrote:

that seems like a POLA violation which will go unnoticed

how about instead requiring a policy? people will complain about configs which no longer autoload, but that's better than behavior changing without easily visible side effects.

that's assuming the change is worth it to begin with

The way it's currently documented is a bit ambiguous, but it could certainly be read as documenting the previous behaviour.
Perhaps the way to go is to support a 'scrub fragment noreassemble' to turn reassembly off, leaving the previous behaviour intact, but allowing users to opt out of reassembly while preserving the other scrub actions.

I'll update this patch to do that instead.

kp updated this revision to Diff 113483.Nov 24 2022, 10:45 AM

kp retitled this revision from pf: do not default "fragment reassemble" to on to pf: allow scrub rules without fragment reassemble.

kp edited the summary of this revision. (Show Details)

This revision was not accepted when it landed; it landed in state Needs Review.Nov 28 2022, 7:23 PM

Closed by commit rG57e047e51c6d: pf: allow scrub rules without fragment reassemble (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rG57e047e51c6d: pf: allow scrub rules without fragment reassemble.