On Thu, 21 Nov 2002, Dries Schellekens wrote:
> On Tue, 19 Nov 2002, Daniel Hartmeier wrote:
>
> > /usr/src/sys/net/pf_norm.c
> >
> > --- pf_norm.c.orig Tue Nov 19 12:26:29 2002
> > +++ pf_norm.c Tue Nov 19 12:26:52 2002
> > @@ -835,12 +835,6 @@
> > if (!fragoff && !mff)
> > goto no_fragment;
> >
> > - /* This can not happen */
> > - if (h->ip_off & IP_DF) {
> > - DPFPRINTF(("IP_DF\n"));
> > - goto bad;
> > - }
> > -
> > ip_len = h->ip_len - hlen;
> > ip_off = h->ip_off << 3;
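Review bot: Deleting the IP_DF check just above `ip_len = h->ip_len - hlen;` makes every packet that got past `if (!fragoff && !mff)` continue into fragment handling with DF still set, unconditionally and with no comment left to say why. The removed comment claimed "This can not happen", so the replacement should at least document why such packets are now accepted, and it is worth checking whether the DF bit should be cleared or the packet still rejected in some cases, rather than passing it through unchanged.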
>
> Isn't it a better solution to make the clear the IP_DF bit if PFRULE_NODF
Leave out the "make the" and this sentence makes more sense ;-)
> is specified? Because pf.conf(5) states that "no-df clears the
> dont-fragment bit from a matching ip packet".
So if (r->rule_flag & PFRULE_NODF) then clear IP_DF, else goto bad.
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
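
The behaviour proposed in the message above (on a fragment with DF set, clear IP_DF when the matching rule has no-df, otherwise drop), as an added example that is not code from pf_norm.c or from either poster. The header struct, `check_fragment`, `sample_hdr`, `ip4_cksum` and the `PFRULE_NODF` value are assumptions made for the illustration, and the checksum refresh after clearing the flag is a step the thread does not discuss.

```c
#include <stdint.h>

#define IP_DF       0x4000 /* don't-fragment flag */
#define IP_MF       0x2000 /* more-fragments flag */
#define IP_OFFMASK  0x1fff /* fragment offset, 8-byte units */
#define PFRULE_NODF 0x01   /* assumed value, this example only */

enum verdict { NOT_FRAGMENT, FRAGMENT_OK, DROP };

/* Constructed 20-byte IPv4 header as ten 16-bit words in host order:
 * w[3] = flags + fragment offset, w[5] = header checksum. */
struct ip4 { uint16_t w[10]; };

/* One's-complement header checksum, skipping the checksum word. */
static uint16_t ip4_cksum(const struct ip4 *h)
{
    uint32_t sum = 0;
    for (int i = 0; i < 10; i++)
        if (i != 5)
            sum += h->w[i];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample packet (documentation addresses), valid checksum. */
static struct ip4 sample_hdr(uint16_t flags_off)
{
    struct ip4 h = {{ 0x4500, 0x0054, 0x1c46, flags_off, 0x4001, 0,
                      0xc000, 0x0201, 0xc633, 0x6407 }};
    h.w[5] = ip4_cksum(&h);
    return h;
}

static enum verdict check_fragment(struct ip4 *h, unsigned rule_flag)
{
    uint16_t off = h->w[3];

    if (!(off & IP_OFFMASK) && !(off & IP_MF))
        return NOT_FRAGMENT;            /* DF is normal here */
    if (off & IP_DF) {
        if (!(rule_flag & PFRULE_NODF))
            return DROP;                /* the "goto bad" case */
        h->w[3] = (uint16_t)(off & ~IP_DF);
        h->w[5] = ip4_cksum(h);         /* header changed: refresh checksum */
    }
    return FRAGMENT_OK;
}
```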