On Thursday 20 August 2009, Matthew Dempsky wrote:
> According to pf.conf:
>
> If no-df is given, fragments with the dont-fragment bit set have
> it cleared before entering the fragment cache, and thus the
> reassembled packet doesn't have dont-fragment set either.
>
> But from reading the code, and from experimentation, this seems
> backwards: dont-fragment bits are cleared by default, and if no-df is
> set then fragmented packets marked as dont-fragment are discarded.
>
> The .org name servers set dont-fragment on all response packets, even
> fragmented ones, so a simple test case is:
>
> $ dig +dnssec +bufsize=4096 -t any org @a0.org.afilias-nst.info
The documentation is correct; however, the code was not. This has just been
fixed in r1.120 of pf_norm.c. Thanks for the report.
--
----------------------------------------------------------------------------
=> Joel Sing | [email protected] | 0419 577 603 <=
----------------------------------------------------------------------------
"Stop assuming that systems are secure unless demonstrated insecure;
start assuming that systems are insecure unless designed securely."
- Bruce Schneier
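As an added illustration (not from the thread and not pf's own code), a small Python model of the documented no-df semantics next to the inverted logic the report describes, applied to a constructed IPv4 fragment header; the builder, the `scrub_*` function names and the checksum refresh are assumptions of this example:

```python
import struct

IP_DF, IP_MF, IP_OFFMASK = 0x4000, 0x2000, 0x1fff  # IPv4 flags / fragment-offset field

def ip_checksum(hdr):
    """RFC 791 one's-complement checksum, computed with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff

def build_ipv4_header(df, mf, frag_off):
    """Constructed 20-byte IPv4 header (test data, not a real capture)."""
    fo = (IP_DF if df else 0) | (IP_MF if mf else 0) | (frag_off & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, fo, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def flags_off(hdr):
    return struct.unpack("!H", hdr[6:8])[0]

def is_fragment(hdr):  # MF set, or a non-zero offset (a non-first fragment)
    return bool(flags_off(hdr) & (IP_MF | IP_OFFMASK))

def has_df(hdr):
    return bool(flags_off(hdr) & IP_DF)

def scrub_documented(hdr, no_df):
    """pf.conf(5) semantics: a fragment carrying DF is dropped unless no-df is set,
    in which case DF is cleared (checksum refreshed) before the fragment enters
    the reassembly cache. Returns (action, header)."""
    if not (is_fragment(hdr) and has_df(hdr)):
        return "pass", hdr
    if not no_df:
        return "drop", hdr
    fixed = hdr[:6] + struct.pack("!H", flags_off(hdr) & ~IP_DF) + hdr[8:]
    return "pass", fixed[:10] + struct.pack("!H", ip_checksum(fixed)) + fixed[12:]

def scrub_inverted(hdr, no_df):
    """The backwards behaviour the report describes (pf_norm.c before r1.120):
    the no-df test applied with the opposite sense."""
    return scrub_documented(hdr, not no_df)

if __name__ == "__main__":
    frag = build_ipv4_header(df=True, mf=True, frag_off=0)  # first fragment, DF set
    for name, fn in (("documented", scrub_documented), ("inverted", scrub_inverted)):
        for no_df in (False, True):
            print(name, "no-df" if no_df else "default", "->", fn(frag, no_df)[0])
```

With the inverted logic, the DF fragment passes by default and is dropped once no-df is set, which is exactly the reversal the report observed against the .org name servers.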