IPFW: Does reass require one_pass=0 if using kernel nat?

I'm trying to switch from natd to kernel nat, and the question in the subject came up.
Using natd, all fragmented packets were reassembled before delivery to the socket (according to the ipfw man page). Nothing is mentioned about kernel nat. Does it behave in the same way, or do I need to use a reass rule to reassemble packets first?

If I need to use reass, can I still set net.inet.ip.fw.one_pass=1, or is a value of 0 mandatory in this case?

The man page says:
# reassemble incoming fragments
ipfw add reass all from any to any in
is all you need at the beginning of your ruleset.

If the packet is the last logical fragment, the
packet is reassembled and, if net.inet.ip.fw.one_pass is set to
0, processing continues with the next rule. Otherwise, the
packet is allowed to pass and the search terminates.

If I set net.inet.ip.fw.one_pass=1, what would happen to the reassembled packet? If the search terminates, it will never reach the dealiasing rule.

Thanks in advance.