CC'ing back to the mailing list for a sender who ignored my request
to keep replies on the list.
> You answered on the mailing list:
> "If you want to do the "reassemble tcp" things then you would need to
> use it in your ruleset, they are different to the IP packet reassembly
> controlled by "set reassemble". It's a bit unfortunate that they use
> the same word in the option name."
>
> As a non-native speaker: Wait... WHAT?! I understood it exactly like
> the person asking the question, that if you use "set reassemble yes" it
> does the job.
>
> I suggest a CHANGE:
> set reassemble_ip
> set reassemble_tcp
> set reassemble (does it all)
>
> If this is no solution, would you please reconsider phrasing the manual
> better.
The manual is already clear:

    set reassemble yes | no [no-df]
        The reassemble option is used to enable or disable the
        reassembly of fragmented packets, and can be set to yes (the
        default) or no. If no-df is also specified, fragments with the
        ...

    reassemble tcp
        Statefully normalises TCP connections. reassemble tcp performs
        the following normalisations:

        TTL
            [...]
        Timestamp Modulation
            [...]
        Extended PAWS Checks
            [...]

I suppose we could change pfctl "reassemble tcp" to "normalise tcp" (and
allow "reassemble" as a synonym to avoid breaking existing configs).
Not sure if it's worth it though; people using the more advanced options
in PF certainly need to read the manual.
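As an added illustration of the distinction discussed above (this fragment is not from the thread or from the pf documentation, and the interface name and rule shape are assumptions), here is how the two options sit side by side in a pf.conf: the global "set reassemble" controls IP fragment reassembly only, while TCP normalisation has to be requested per rule via the scrub "reassemble tcp" option. The first rule shows the configuration the original poster believed was sufficient; the second shows what actually turns on TCP normalisation.

```pf
# Global option: reassemble fragmented IP packets before they reach the
# ruleset. This is the default ("yes"); "no-df" additionally clears the
# don't-fragment bit on fragments that carry it. It says nothing about TCP.
set reassemble yes no-df

# Assumed interface name for the example.
ext_if = "em0"

# What the poster expected to be enough: a plain pass rule. With only
# "set reassemble yes" above, IP fragments are reassembled, but TCP
# streams on this rule are NOT normalised (no TTL, timestamp or PAWS work).
pass in on $ext_if proto tcp to port 22

# What the manual's "reassemble tcp" actually refers to: a scrub option
# on a match (or pass) rule. Only traffic matched by this rule gets the
# stateful TCP normalisation (TTL, timestamp modulation, extended PAWS
# checks) described under "reassemble tcp" in pf.conf(5).
match in on $ext_if proto tcp scrub (reassemble tcp)
```

Because "set reassemble" and "scrub (reassemble tcp)" are independent, a config that only sets the global option can still pass un-normalised TCP to hosts behind the firewall; checking "pfctl -s rules" for a scrub option with "reassemble tcp" is the quick way to confirm TCP normalisation is really in effect.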